Phishing researcher 'targets' the unsuspecting

Executes online attacks as part of experiments aimed at improving security

Another experiment targeted Indiana University professors, prompting them to use their university-issued passwords to get onto a site that appeared to be hosted outside of the school. Most were duped.

"We sent them to a page that said 'service temporarily unavailable, please try again later.' That would stimulate people's interest and many people returned," he said. "It was nice to see computer scientists never fell for the experimental attack when it was sent by a stranger. ... It was a wakeup call that the people in the School of Education did not distinguish whether it was from a friend or someone unknown to them."

One finding could have been predicted by anyone: Men are more likely to click on a link sent to them by a female than by a male. But the study dug up some more surprising facts by targeting e-mail addresses from a social networking site that listed political affiliations.

"It was delightful for me to see that people on the far left and far right were much more vulnerable than people in the middle, which confirms to me that they're crazier than the rest of us," Jakobsson said.

In another study, Jakobsson and his wife exposed weaknesses in eBay's system that allows communication between buyers and sellers. A recipient of an e-mail sees a yellow button that says "respond now," but the button carries no information about the intended recipient. Jakobsson pasted the button onto a spoofed e-mail to a victim, making it appear to be a legitimate e-mail from an eBay user. Instead, the victim -- or, in this case, research subject -- is taken to a site with a URL that's similar to eBay's but was actually run by Jakobsson.

The researchers spoke with eBay after performing their experiment.

"Just a few months after we performed this experiment and told them the results, this attack started to happen in the wild, pretty big-scale too," he said. "We were terrified that we caused it to happen."

It turned out the same type of attack had already been occurring, but on a smaller scale, so Jakobsson was off the hook. He said eBay officials reacted positively to his research because it gives them information that can help improve security. For reasons related to public relations, eBay doesn't experiment on its own customers, he said.

There are several good reasons to perform such experiments, Jakobsson argues. They improve phishing countermeasures by discovering what works and what doesn't. Jakobsson said one experiment showed 400 subjects one of two AT&T links: one with the company name in the URL, the other with the phrase "accountonline.com."

The accountonline.com link was the real one used by AT&T -- yet users deemed it less trustworthy than the one with AT&T's name in the URL. Phishers seem to know this already, as they tend to register domain names that look similar to the site they want people to think they are logging on to.

"Custom name attacks are remarkably successful," Jakobsson said.
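The AT&T finding and the eBay lookalike URL make the same point from the defender's side: whether a brand name appears somewhere in a link says nothing about who controls the site, and only the registrable domain does. The following Python script is an added illustration, not code from the article or from Jakobsson's research. It triages constructed sample links against a small constructed allowlist of legitimate registrable domains (att.com and accountonline.com for AT&T, ebay.com for eBay) and flags links that merely contain the brand name as "lookalike". The two-label suffix table and the brand-token heuristic are assumptions kept deliberately small; a production check would use the full public suffix list.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domains a brand actually uses.
# accountonline.com is included because the article says it was AT&T's real
# login domain, even though users found it less trustworthy.
LEGITIMATE_DOMAINS = {
    "att": {"att.com", "accountonline.com"},
    "ebay": {"ebay.com"},
}

# Assumption: a tiny stand-in for the public suffix list, so that
# "shop.ebay.co.uk" resolves to "ebay.co.uk" rather than "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the registrable (owner-controlled) part of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    # An IP literal has no registrable domain; return it unchanged.
    if all(label.isdigit() for label in labels):
        return host
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str, brand: str) -> str:
    """Classify a link as 'legitimate', 'lookalike' or 'unrelated' for a brand.

    The decision is made on the registrable domain only. A link whose host,
    userinfo or path contains the brand name but whose registrable domain is
    not on the allowlist is the 'custom name attack' pattern the article
    describes and is flagged as a lookalike.
    """
    if "://" not in url:
        url = "http://" + url  # bare "accountonline.com/login" style links
    host = urlsplit(url).hostname or ""
    if registrable_domain(host) in LEGITIMATE_DOMAINS.get(brand, set()):
        return "legitimate"
    # Loose substring match on purpose: this is a triage heuristic, so a
    # brand token anywhere in the URL is worth a second look.
    if brand in url.lower():
        return "lookalike"
    return "unrelated"


# Constructed sample links mirroring the patterns the article describes.
SAMPLES = [
    ("https://www.att.com/myatt", "att"),
    ("accountonline.com/login", "att"),
    ("http://att-account-verify.example/", "att"),
    ("http://www.ebay.com.signin.example.net/ws/", "ebay"),
    ("http://ebay.com@203.0.113.5/", "ebay"),
    ("https://www.example.org/", "att"),
]

if __name__ == "__main__":
    for url, brand in SAMPLES:
        print(f"{classify_link(url, brand):<10} {url}")
```

Note that the brand-name check fires only after the allowlist check fails, so the real but unfamiliar accountonline.com link is accepted while att-account-verify.example, the ebay.com-prefixed subdomain and the userinfo trick are all flagged.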

Experiments can help researchers predict trends by discovering what human vulnerabilities haven't been exploited yet, Jakobsson said.

Although some argue users can't be taught to avoid online attacks, Jakobsson thinks his research can lead to better education methods. Some common advice is so vague that it's pretty much useless, he said, leaving lots of room for improvement.

"The technical component is important, but it's not all," Jakobsson said.


Jon Brodkin

Network World