Phishing researcher 'targets' the unsuspecting

Executes online attacks as part of experiments aimed at improving security

Another experiment targeted Indiana University professors, prompting them to use their university-issued passwords to get onto a site that appeared to be hosted outside of the school. Most were duped.

"We sent them to a page that said 'service temporarily unavailable, please try again later.' That would stimulate people's interest and many people returned," he said. "It was nice to see computer scientists never fell for the experimental attack when it was sent by a stranger. ... It was a wakeup call that the people in the School of Education did not distinguish whether it was from a friend or someone unknown to them."

One finding could have been predicted by anyone: Men are more likely to click on a link sent to them by a female than by a male. But the study dug up some more surprising facts by targeting e-mail addresses from a social networking site that listed political affiliations.

"It was delightful for me to see that people on the far left and far right were much more vulnerable than people in the middle, which confirms to me that they're crazier than the rest of us," Jakobsson said.

In another study, Jakobsson and his wife exposed a weakness in the system eBay uses to let buyers and sellers message each other. The recipient of an eBay e-mail sees a yellow "respond now" button, but the button carries no information identifying the intended recipient, so it can be copied into any message. Jakobsson pasted the button into a spoofed e-mail so that it looked like a legitimate message from an eBay user; clicking it took the victim -- or, in this case, the research subject -- to a site whose URL resembled eBay's but was actually run by Jakobsson.

The researchers spoke with eBay after performing their experiment.

"Just a few months after we performed this experiment and told them the results, this attack started to happen in the wild, pretty big-scale too," he said. "We were terrified that we caused it to happen."

It turned out the same type of attack had already been occurring, but on a smaller scale, so Jakobsson was off the hook. He said eBay officials reacted positively to his research because it gives them information that can help improve security. For reasons related to public relations, eBay doesn't experiment on its own customers, he said.

There are several good reasons to perform such experiments, Jakobsson argues. They improve phishing countermeasures by discovering what works and what doesn't. Jakobsson said one experiment showed 400 subjects one of two AT&T links: one with the company name in the URL or one with the phrase "accountonline.com."

The accountonline.com link was the real one used by AT&T -- yet users deemed it less trustworthy than the one with AT&T's name in the URL. Phishers seem to know this already, as they tend to register domain names that look similar to the site they want people to think they are logging on to.

"Custom name attacks are remarkably successful," Jakobsson said.
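The two patterns described above (a brand name planted somewhere in a hostname the brand does not own, and a genuine login domain that carries no brand name at all) can be turned into a mechanical check on a link before anyone clicks it. The following is an added example written for this page, not code from the article or from eBay or AT&T. The brand list, the allowlisted domains other than accountonline.com, the two-label public-suffix stand-in and every sample URL are assumptions made for illustration.

```python
"""Flag look-alike hostnames that carry a brand name outside the brand's own
registrable domain, and note real domains that carry no brand name.

Added example, not from the article or any vendor. Only accountonline.com as
an AT&T login domain comes from the article; att.com, ebay.com, the suffix
table and the sample URLs are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Assumed mapping: brand keyword -> registrable domains the brand really uses.
LEGIT_DOMAINS = {
    "ebay": {"ebay.com"},
    "att": {"att.com", "accountonline.com"},
}

# Tiny stand-in for the public suffix list; production code should use a
# real PSL library so that "example.co.uk" is not cut down to "co.uk".
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Digit-for-letter swaps phishers use ("3bay", "paypa1"), applied only
# when looking for brand names, never to the domain itself.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


def registrable_domain(host):
    """Return the part of host that the sender actually had to register."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brands_mentioned(text):
    """Brands whose name appears in any dot/hyphen/underscore token of text."""
    found = set()
    for token in re.split(r"[.\-_]", text.lower()):
        token = token.translate(_LEET)
        for brand in LEGIT_DOMAINS:
            # Short names such as "att" only match a whole token, so that
            # "attachments" is not flagged; longer names match as substrings.
            hit = token == brand if len(brand) < 4 else brand in token
            if hit:
                found.add(brand)
    return found


def assess(url):
    """Classify url as 'legitimate', 'lookalike' or 'unrelated', with reasons."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    owner = next((b for b, doms in LEGIT_DOMAINS.items() if reg in doms), None)
    result = {"host": host, "registrable": reg, "reasons": []}

    # "http://www.ebay.com@198.51.100.7/": the brand sits in the userinfo part
    # and the real host is whatever follows the '@'.
    if parts.username and brands_mentioned(parts.username):
        result["reasons"].append("brand name in userinfo; real host is " + host)
        result["verdict"] = "lookalike"
        return result

    mentioned = brands_mentioned(host)
    if owner is not None:
        # Real domain. The article's accountonline.com case lands here: it is
        # genuine, yet users distrusted it because the brand name is absent.
        if owner not in mentioned:
            result["reasons"].append(
                "genuine %s domain that does not carry the brand name" % owner)
        result["verdict"] = "legitimate"
    elif mentioned:
        result["reasons"].append("%s appears in host but registrable domain is %s"
                                 % (", ".join(sorted(mentioned)), reg))
        result["verdict"] = "lookalike"
    else:
        result["verdict"] = "unrelated"
    return result


if __name__ == "__main__":
    # Constructed sample links; none of these hosts are real targets.
    for sample in ("https://signin.ebay.com/ws/eBayISAPI.dll",
                   "http://www.ebay.com.account-check.net/login",
                   "http://3bay-secure.com/",
                   "http://www.ebay.com@198.51.100.7/signin",
                   "https://www.accountonline.com/"):
        r = assess(sample)
        print(r["verdict"], sample, "; ".join(r["reasons"]))
```

The decision rests on the registrable domain rather than on what the hostname looks like, which is exactly the distinction the study's subjects failed to make: a brand name anywhere left of the registrable domain costs the attacker nothing, while a real login domain with no brand name in it is still the one that matters.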

Experiments can help researchers predict trends by discovering what human vulnerabilities haven't been exploited yet, Jakobsson said.

Although some argue users can't be taught to avoid online attacks, Jakobsson thinks his research can lead to better education methods. Some common advice is so vague that it's pretty much useless, he said, leaving lots of room for improvement.

"The technical component is important, but it's not all," Jakobsson said.


Jon Brodkin

Network World