Phishing researcher 'targets' the unsuspecting

Executes online attacks as part of experiments aimed at improving security

If he weren't so ethical, Markus Jakobsson could be a world-class online fraudster. In a way, he already is.

Jakobsson, a cybersecurity researcher and professor at Indiana University in Bloomington, spends much of his time perpetrating online attacks of unsuspecting Web surfers - without actually harming them, of course - to see what types of ruses people will fall for and to predict potential new techniques phishers might pursue.

The university that gave the world Alfred Kinsey, the famous sex researcher, is more than willing to tolerate experiments that might improve computer security, even if it annoys a few unwitting participants.

"They think everything that is not immoral or illegal is fine," Jakobsson joked Wednesday at the Usenix Security Symposium in Boston, while delivering a talk on the human factor in online fraud such as phishing, click fraud and crimeware. Victims of online attacks often give up personal information, such as bank account details, or have their computers controlled remotely by hackers.

Jakobsson's research subjects can't know they're being experimented upon, or the results would be meaningless. The typical procedure is to tell them about the research after they've unknowingly participated, which Jakobsson admits has led to some angry responses.

In one experiment, Jakobsson and his students sent e-mails to about 20 people directing them to a site authenticated only by a self-signed certificate, an identity certificate signed by its creator. Many people accepted the certificate even though anyone knowledgeable in computer security should not have.

"We were on four continents within a day with a starting point of 20 of these messages," Jakobsson said. "We could have put malware on computers."

In another study, Jakobsson found that while people often won't click on a suspicious link within an e-mail, they will go to the site if they are instructed to copy and paste the same URL into their browsers. The lesson Jakobsson took from the study - which involved an e-mail asking users to update their eBay accounts - is that public education efforts about the danger of online attacks are insufficient. People know they're not supposed to click on suspicious links, but they haven't been told not to copy and paste the same links into an address bar. A slight change in approach causes victims to let their guards down and pays dividends for bad guys.

Jakobsson also found a problem related to the practice of credit card companies identifying users by the last four digits of their account numbers, which are random. From his research, it turns out people are willing to respond to fraudulent e-mails if the attacker correctly identifies the first four digits of their account numbers, even though the first four are not random and are based on who issued the card.

"People think [the phrase] 'starting with' is just as good as 'ending with,' which of course is remarkable insight," he said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jon Brodkin

Network World
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?