Phishing researcher 'targets' the unsuspecting

Executes online attacks as part of experiments aimed at improving security

If he weren't so ethical, Markus Jakobsson could be a world-class online fraudster. In a way, he already is.

Jakobsson, a cybersecurity researcher and professor at Indiana University in Bloomington, spends much of his time perpetrating online attacks of unsuspecting Web surfers - without actually harming them, of course - to see what types of ruses people will fall for and to predict potential new techniques phishers might pursue.

The university that gave the world Alfred Kinsey, the famous sex researcher, is more than willing to tolerate experiments that might improve computer security, even if it annoys a few unwitting participants.

"They think everything that is not immoral or illegal is fine," Jakobsson joked Wednesday at the Usenix Security Symposium in Boston, while delivering a talk on the human factor in online fraud such as phishing, click fraud and crimeware. Victims of online attacks often give up personal information, such as bank account details, or have their computers controlled remotely by hackers.

Jakobsson's research subjects can't know they're being experimented upon, or the results would be meaningless. The typical procedure is to tell them about the research after they've unknowingly participated, which Jakobsson admits has led to some angry responses.

In one experiment, Jakobsson and his students sent e-mails to about 20 people directing them to a site authenticated only by a self-signed certificate, an identity certificate signed by its creator. Many people accepted the certificate even though anyone knowledgeable in computer security should not have.

"We were on four continents within a day with a starting point of 20 of these messages," Jakobsson said. "We could have put malware on computers."

In another study, Jakobsson found that while people often won't click on a suspicious link within an e-mail, they will go to the site if they are instructed to copy and paste the same URL into their browsers. The lesson Jakobsson took from the study - which involved an e-mail asking users to update their eBay accounts - is that public education efforts about the danger of online attacks are insufficient. People know they're not supposed to click on suspicious links, but they haven't been told not to copy and paste the same links into an address bar. A slight change in approach causes victims to let their guards down and pays dividends for bad guys.

Jakobsson also found a problem related to the practice of credit card companies identifying users by the last four digits of their account numbers, which are random. From his research, it turns out people are willing to respond to fraudulent e-mails if the attacker correctly identifies the first four digits of their account numbers, even though the first four are not random and are based on who issued the card.

"People think [the phrase] 'starting with' is just as good as 'ending with,' which of course is remarkable insight," he said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jon Brodkin

Network World
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?