
Phishing for Credit 218

Posted by Zonk
from the both-academic-and-financial dept.
An anonymous reader writes "Two graduate students at Indiana University conducted a phishing study to determine how readily students will give up personal information if the phishing emails appear to come from close friends. Using only publicly available information, they sent out emails to students asking them to click a link that required username/password information. Needless to say, the study has generated lots of attention on campus. The student newspaper has the story and the researchers have created a blog where the participants can vent."
  • Just watch (Score:5, Insightful)

    by hsmith (818216) on Tuesday April 26, 2005 @04:56PM (#12351792)
    They will be pressed with charges even though they had good intentions compared to hardly anyone getting caught with malicious intentions.
  • by daveschroeder (516195) * on Tuesday April 26, 2005 @04:57PM (#12351799)
    But some students are upset they were involved in the study without their consent or knowledge. Senior Rebecca Shakespeare did not even know she had been used as a sender until her friend notified her.

    "I was frustrated that I was hearing from a friend that my e-mail account was sending her things," Shakespeare said. "I had no idea where it was coming from. I was irritated because I was concerned that my home system was being abused."

    Shakespeare called University Information Technology Services, which said it could have been a virus and to not click on the link.

    "I've spent a lot of time keeping my (computer) secured," Shakespeare said. "I feel kind of used that it was the University that was making my friends think I had opened up my system to viruses."


    If that's really why they're concerned, well, maybe they'd be interested in knowing that the vast majority of virus/malware type things that send email in this fashion still don't originate from the computer of the person in question anyway...therefore, this whole rationale for worry is BS, since spoofed email can come from *anywhere*, and it's most often NOT your own computer.

    And - make no mistake, I really do see their point - but the IT resources belong to the university, and neither the university nor the researchers use the person's account or any password or other credentials belonging to the person. It was simply a spoofed "from" address; nothing more. And if it's strictly "legal" for any random person to spoof a from address, it's just as legal for the purposes of research, whose findings may provide some level of insight on *protecting* people from malicious phishing.

    Now, I personally don't know whether any of this justifies doing the study in the way they did. That's a judgment call. If the university's IT organization proper is doing it, that's one thing, and I could see people being uncomfortable with the motivations. But grad students? I don't see any problem with that at all. In fact, they don't need anyone's permission to do what they did. However, in good faith, they did get the approval of the Human Subjects Committee.
  • Discipline?! (Score:1, Insightful)

    by PunkOfLinux (870955) <mewshi@mewshi.com> on Tuesday April 26, 2005 @05:00PM (#12351823) Homepage
    They did nothing wrong!!
  • by dmf415 (218827) * on Tuesday April 26, 2005 @05:00PM (#12351829)
    It seems those who conducted the experiment are going to get a bit more press than they expected.
  • I would imagine.. (Score:2, Insightful)

    by breakbeatninja (846922) <envescentNO@SPAMgmail.com> on Tuesday April 26, 2005 @05:01PM (#12351837) Homepage Journal
    That regardless of the intent, this sort of conduct is at the very least considered immoral and possibly bordering on illegality. It sounds like fraud to me. Simply posing as someone else to get certain private information seems innocent enough if the goal is to warn their fellow students of their vulnerability to social engineering, since the weakest link in computer security is the person. I would imagine they are going to feel some heat from the university at the very least for this, though.
  • Re:Just watch (Score:5, Insightful)

    by j!mmy v. (613784) on Tuesday April 26, 2005 @05:04PM (#12351869)
    Oh, naturally. The single fastest way to get people riled and after your ass is to make them look stupid. Publicly.

    Seriously, whatever happens, guys sharp enough to organize a phish study couldn't see it coming?
  • You would think... (Score:2, Insightful)

    by demondawn (840015) on Tuesday April 26, 2005 @05:05PM (#12351882) Journal
    That people would be a little more mature about this; viruses and other malicious software can (and often do) get sent from friends' email addresses (how many viruses are there that read someone's Outlook Address Book?) I think people are being a little naive.
  • a license? (Score:2, Insightful)

    by cryptoz (878581) <jns@jacobsheehy.com> on Tuesday April 26, 2005 @05:07PM (#12351901) Homepage Journal
    This reminds me of the old debate about requiring a license to use the internet. The pros being obvious: stupid/ignorant people would not be allowed to open viruses any longer, etc. The cons being that the internet is currently a free, open medium with few restrictions on what can be said/shown.
  • by demondawn (840015) on Tuesday April 26, 2005 @05:09PM (#12351918) Journal
    Graah! Why is the solution to everyone's problem with academia "fire the professor"? Your analogy to robbing a bank is a false one; nothing was actually stolen in this project. I think you, and a lot of other people, are overreacting.
  • by John Seminal (698722) on Tuesday April 26, 2005 @05:10PM (#12351921) Journal
    If that's really why they're concerned, well, maybe they'd be interested in knowing that the vast majority of virus/malware type things that send email in this fashion still don't originate from the computer of the person in question anyway...therefore, this whole rationale for worry is BS, since spoofed email can come from *anywhere*, and it's most often NOT your own computer.

    And - make no mistake, I really do see their point - but the IT resources belong to the university, and neither the university nor the researchers uses the person's account or any password or other credentials belonging to the person. It was simply a spoofed "from" address; nothing more. And if it's strictly "legal" for any random person to spoof a from address, it's just as legal for the purposes of research, whose findings may provide some level of insight on *protecting* people from malicious phishing.

    So, what's the answer? Is there something I can send with my emails that verifies it came from me, something that can't be spoofed? Is there some algorithm out there that a SERVER can use, attach as part of the header, that the recipient can then use to verify the origin?

    Headers can be forged, that is old news. But what has been done about it? How can we trust any email?

    The whole web was designed to be anonymous and trusted at the same time, two things that cannot exist together. Either the web must evolve to a system where the sender is known, like a phone call. Just imagine if phone calls worked the way email works. You spoof your phone number, call someone else, and get their credit card number. That would land a person in jail.

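The "something a server can attach as a header" asked about above is what DKIM does: the sending domain signs selected headers and the body, and the receiving server recomputes the signature. The following is an added example, not code from the thread or from IU; it mirrors DKIM's tag layout but, as an assumption so it runs offline, uses HMAC-SHA256 with a shared secret where real DKIM uses a public key published in DNS. The key table, addresses and messages are constructed.

```python
"""Toy DKIM-style signing.  The sending server attaches a signature header
over From/To/Subject/Date and the body; the receiving server recomputes it.
Constructed example, standard library only."""
import base64
import hashlib
import hmac

SIGNED_HEADERS = ("from", "to", "subject", "date")

# Stands in for the public key DKIM publishes in DNS at selector._domainkey.domain.
# Real DKIM signs with RSA or Ed25519; HMAC-SHA256 over a shared secret is an
# assumption made here so the demo runs offline, not the real primitive.
KEYS = {
    ("indiana.edu", "sel1"): b"constructed-secret-for-indiana.edu",
    ("attacker.example", "s1"): b"constructed-secret-for-attacker",
}


def parse_message(raw: str):
    """Split RFC 822-style text into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.split("\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def canonical(headers: dict) -> bytes:
    """Relaxed-style canonicalisation: lower-case names, collapsed whitespace."""
    lines = [f"{h}:{' '.join(headers.get(h, '').split())}" for h in SIGNED_HEADERS]
    return "\n".join(lines).encode()


def body_hash(body: str) -> str:
    return base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()


def from_domain(from_header: str) -> str:
    """Domain of the From: address, e.g. 'Ann <ann@indiana.edu>' -> 'indiana.edu'."""
    return from_header.rsplit("@", 1)[-1].strip(">").strip().lower()


def sign(raw: str, domain: str, selector: str) -> str:
    """Sending-server side: prepend an X-Signature header (DKIM's d= s= h= bh= b= tags)."""
    headers, body = parse_message(raw)
    bh = body_hash(body)
    data = canonical(headers) + b"\nbh=" + bh.encode()
    b = base64.b64encode(hmac.new(KEYS[(domain, selector)], data, hashlib.sha256).digest()).decode()
    tags = f"d={domain}; s={selector}; h={':'.join(SIGNED_HEADERS)}; bh={bh}; b={b}"
    return f"X-Signature: {tags}\n{raw}"


def verify(raw: str) -> bool:
    """Receiving-server side.  True only if the signature checks AND the signing
    domain equals the From: domain (the alignment check DMARC adds on top of
    DKIM); without alignment anyone could sign a spoofed From: with their own key."""
    headers, body = parse_message(raw)
    tags = dict(t.strip().split("=", 1) for t in headers.get("x-signature", "").split(";") if "=" in t)
    key = KEYS.get((tags.get("d"), tags.get("s")))
    if key is None or tags.get("bh") != body_hash(body):
        return False
    data = canonical(headers) + b"\nbh=" + tags["bh"].encode()
    expected = base64.b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode()
    return hmac.compare_digest(expected, tags.get("b", "")) and from_domain(headers.get("from", "")) == tags["d"]
```

A message whose From: line is rewritten after signing, or one the attacker signs with their own domain's key while keeping an indiana.edu From:, both fail verification.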
  • Well done... (Score:5, Insightful)

    by Yaa 101 (664725) on Tuesday April 26, 2005 @05:10PM (#12351923) Journal
    I think it's good to let students (future scientists, decision makers etc...) feel what it means to be part of socially constructed fraud... Mainly because this will get worse and worse over time, you see how many database leaks with high profile personal data have taken place lately. People have to learn ways around all this identity theft, the only way is to confront them with the consequences of this all.
  • Ethics (Score:4, Insightful)

    by Datasage (214357) <Datasage@nospAm.theworldisgrey.com> on Tuesday April 26, 2005 @05:13PM (#12351945) Homepage Journal
    A lot of the comments on the blog complained that the study was unethical because the participants didn't know they were part of the study.

    My two reasons why I think it couldn't have been done any other way.

    1. This study focuses on deception and how people react when they are deceived.

    2. Telling the participants they were a part of a study or asking them to be part of it would affect the behavior of the participants and therefore change the study results.

    As long as the information was not used in any illegal way, I don't find a problem with how this experiment was conducted. Yes it sucks to get phished, but it's better to be fished by these guys than the hundreds of other phishers who are out there to turn phishing into financial gain.
  • by Anonymous Coward on Tuesday April 26, 2005 @05:19PM (#12352000)
    I know this is going off topic, but this reminds me of the LSD studies the CIA did in the late 70's.

    Except there's a large line between giving someone chemicals that could very easily be toxic, or at least cause significant health problems, and seeing if people will input private data that the study authors won't use anyway.

    And disciplining the professor or the students in this instance is absolutely insane. The entire point of having a "Human Subjects Committee" oversight board is to allow the university to make these kinds of decisions. Furthermore, I'm still not clear what they did that would qualify as illegal. If spoofing email addresses is a serious crime, there are a lot more people that should be in jail (and it would be massively easier to convict spammers); it's likely that phishing for personal data is only illegal if you actually collect the data, which it appears they didn't (it did a check to see if it was valid, but they don't indicate that the password itself was saved).

    Do some students feel used? Sure... but there doesn't seem to be any real harm done, and it's impossible to actually get an idea of how to deal with the problem of real phishing attempts if you can't get a sense of how many normal people actually fall for what types of things.
  • Re:Just watch (Score:3, Insightful)

    by tomhudson (43916) on Tuesday April 26, 2005 @05:22PM (#12352031) Journal
    Seriously, whatever happens, guys sharp enough to organize a phish study couldn't see it coming?
    ... in their defence, they could say that it should have been obvious - after all, their server wasn't located in the .ru tld.

    Lesson # 1: Don't do phishing research in Amerika, because In Amerika, phishing does YOU!

    Lesson # 2: If you're going to do the time, at least make it worth your while. Make sure you have a buyer for any info you get.

    Lesson # 3: Remember to have a good agent for the TV movie and book deal lined up BEFORE you start your "research".

    Lesson # 4: Before publishing your results, make sure you use the password info to get enough data to be able to blackmail everyone into silence. Uploading kiddie porn to their accounts is a good way to start. It's like the WMDs, "We'll find them, even if we have to put them there ourselves".

    Time will tell - someone will get it right eventually.

  • by G4from128k (686170) on Tuesday April 26, 2005 @05:27PM (#12352087)
    Your analogy to robbing a bank is a false one; nothing was actually stolen in this project.

    Something was stolen from the unwitting student/participants. They lost their ignorance of the sad state of the internet's infrastructure. This "experiment" created a harsh wake-up call that e-mail is not a trustworthy medium.

    SMTP was never designed for an open environment with untrustworthy users. It was designed for collegial academic networks with funding from people that run closed military networks.

    Why is the solution to everyone's problem with academia "fire the professor"

    I agree 100%, but shooting the messenger is an age-old solution. People prefer a comforting falsehood (email is trustworthy) to a harsh reality.
  • by remahl (698283) on Tuesday April 26, 2005 @05:32PM (#12352134)

    That could easily be said for other experiments that have been challenged on ethical grounds. Sometimes experiments find things about ourselves we'd rather not know.

    For example, the Milgram experiment [wikipedia.org], where participants were mildly coerced by an authoritative person to administer strong electrical shocks to a subject (who was really an actor). A high proportion of the participants were willing to administer levels of shock that they believed to be lethal.

    Would you like to know that you would be capable of murder as long as someone else was there to take the responsibility/blame? Even if the person in the quoted blog post should feel foolish, that does not make the experiment ethical and non-offensive - quite the opposite.

  • I'm from Indiana (Score:4, Insightful)

    by Rocketboy (32971) on Tuesday April 26, 2005 @05:36PM (#12352178)
    and I object most strenuously to being associated with what sounds like the noisiest bunch of whining idiots in recent memory.

    Unethical? Possibly -- in the current "enlightened" academic environment where definition of terms is often left to whom screams loudest I suppose that one or more of these embarrassed campus inhabitants has enough functioning brain cells to come up with a completely irrelevant but intensely self-referential definition which supports their childish outrage. It's highly delusional but they're obviously still children and I don't suppose we can expect actual coherent thought from them until they grow up.

    "Invasion of privacy"? Drugs must be a significant problem at IU. It always was known as a party school, and this is just more evidence that the description contains some accuracy. And to think that these students are often described as the "best and brightest" and the next generation of leaders. Kinda provides some background for current events, doesn't it? :)

    Rb

  • by wernst (536414) on Tuesday April 26, 2005 @05:37PM (#12352190) Homepage
    Boy, if the whiners there are complaining like this about nothing more than losing their dignity due to BENIGN phishing, imagine how loud their whining will be when they've lost their banking information and social security information due to REAL phishing.

    It seems their primary complaint is that, GASP, "evil" email looked like it was coming from people they know. WAKE THE HELL UP PEOPLE!!! All the Slammer and Melissa viruses (and their mutated children) DO THE SAME THING: they scan through the address books of their victims, rewrite the "From" line to be one name in the address book, and then write the "To" line to be you (whose name is also in the address book) -- and then there's a good chance that you'll then know the person's name in the "From" line, which (it is hoped) makes you let your guard down and open the infected attachment.

    I'll bet $1028 that 90% of the whiners there have been infected by these viruses in the past, and probably still are. And now they've been fooled a second time the same way. How does that old expression go again?

    When I find some sympathy for these whiners, I'll let them know...

  • Re:Just watch (Score:3, Insightful)

    by itistoday (602304) on Tuesday April 26, 2005 @05:38PM (#12352203) Homepage
    Reading the comments on their blog I stumbled upon this [indiana.edu]:

    I commend the actions of the two graduate students. For those of you here preaching, you might as well walk out and shoot the police officer who provides you with the security you need and desire. The problem is real and people need to be aware. I sit and read about student so sarcastically thanking these fellows for taking their identity, and aside from the sarcasm, everything they are saying is correct.

    One contributor states "I'm so sure this 'lesson' is going to make me think real hard the next time I really want to click on a random, suspicious looking, link."

    And he's completely correct. This sentence, spoken through the teeth of cynicism, simply sums up the success of this project. No injustice was committed and no wrongful actions have been taken.

    For those of you seeking legal action, your minds have more than likely been made and no amount of rebuttal will likely change your course. But I ask that you step back and take all measures of fully informing yourselves before you begin your battle. Go, speak to these gentlemen in person. Learn their truest intentions face to face. Written words can easily become harsh when the reader draws out what they want rather than what was intended.

    These men have taken drastic measures to exploit the faults of our system of knowledge. Great faults can only be overcome by even greater measures. If you take nothing from this experiment, understand that at the least, you can consider yourself informed.

    I do not attend IU or live in the city of Bloomington. I bring an unbiased opinion.
  • Angry students (Score:2, Insightful)

    by baadger (764884) on Tuesday April 26, 2005 @05:39PM (#12352212)
    The third comment down on the entry blog is the only one worth reading.


    Anonymous Says:
    April 25th, 2005 at 12:19 pm

    "An email could have gone out at the beginning of the semester asking for volunteers to receive a message at a late, unannounced time."


    Moral of the day: If you're going to emulate something evil in a research context you get the damn permission and cover your arse first.

    Sneaky Solution: Slip an agreement into the campus network AUP that lets the "IT security office" carry out 'various surveys, tests and research to help improve campus security and promote awareness of security related issues that may affect students. All IT security office studies follow our strict <a href="PP-url-goes-here">privacy policy</a>'. Most students sign an AUP and if they don't read it, then that becomes their problem.
  • by TheIndefiniteArticle (878123) on Tuesday April 26, 2005 @05:46PM (#12352292)
    The article seems to indicate that only the FROM part of the emails was phony. The links actually point to the school's server, and no valuable information was recorded, i.e. the passwords were not recorded by some other server. They were given permission only to gain information that was already in the public circle, and they only gathered email addresses which are probably available to anyone from the school's website.
  • Re:Just watch (Score:2, Insightful)

    by rectifier (694418) on Tuesday April 26, 2005 @05:57PM (#12352407)
    That is impossible. They got approval from the Human Subjects committee, and no real information was gained; they just verified if the user/pass was a valid IU id. Getting approval is no easy task (I used to administer phone surveys for an IU affiliate) and basically the blame now lies upon the HSC if any further action is taken.
  • Re:Just watch (Score:3, Insightful)

    by pclminion (145572) on Tuesday April 26, 2005 @06:26PM (#12352654)
    Publicly? Can you please give the URL to the page where they posted the names of the hapless victims? I'd like to see that.
  • by Anonymous Coward on Tuesday April 26, 2005 @07:40PM (#12353374)
    What the fuck are you talking about? Your post is entirely void of arguments either against or in favor of the experiment, and you're complaining about other people whining! Lots of fancy sounding words might help you fool Slashdot's 13-year-old non-American moderators into thinking you're saying something of value, but to the rest of us it just looks ridiculous.

    Add to the debate or stay out. Nobody wants to read your contentless nonsense.
  • by Anonymous Coward on Tuesday April 26, 2005 @07:44PM (#12353412)
    and I object most strenuously to being associated with what sounds like the noisiest bunch of whining idiots in recent memory.

    Not only don't you have anything to say, you also needlessly start throwing insults. Whether these people's criticism is valid can be debated, of course, but you do not engage in such a debate, you just spew a lot of hate speech seemingly directed at everyone and no one in particular.

    I'm sure people in Indiana don't particularly mind if you distance yourself from them. I sure wouldn't.
  • Re:No joke (Score:3, Insightful)

    by symbolic (11752) on Tuesday April 26, 2005 @08:11PM (#12353640)
    It is truly astonishing what is publicly available. We should all be more careful about what we let others know about us,

    He makes this extremely good point some ways into the article. People are so gullible. They're like Pavlov's dogs who salivate every time they see or hear the word "free", or come across anything that has some kind of "deal" attached to it. After the "I got something for free" rush wears off, the actual cost can be quite substantial.

    I've managed to confound some people at a local specialty store: three times now they've offered me the opportunity to fill out a "deal" card, where they track your purchases. After a certain number, you get a small quantity of the same product for free. I've declined every time. It's just not worth it.
  • Re:Just watch (Score:3, Insightful)

    by jemenake (595948) on Tuesday April 26, 2005 @08:19PM (#12353701)
    They will be pressed with charges even though they had good intentions compared to hardly anyone getting caught with malicious intentions.
    If they wanted to protect themselves from possible legal hassle later, they could have just recorded how many click-throughs they got from the actual email. Then, they could have just had the actual web page at the address have something like "No, No, NO! Don't click on links asking you for your password!".

    I don't know why eBay doesn't do this already. They could send out emails to their users from bogus addresses, with links pointing to IP-only websites, etc. When the user actually clicked-through, it could be a page explaining all of the hints that they could have used to figure out that it was a phish. Even if they had people submit their login info, eBay couldn't be accused of tricking them out of information that ebay already had, right?

    On a slightly off-topic note, does anyone else here wonder if eBay is secretly "salting" real phishing sites with "marked" usernames? Like banks give robbers marked money, eBay could submit specially-marked username/password pairs to phish pages. These usernames wouldn't map to real users. Instead, they'd cause an alert to happen at eBay when someone used the account. eBay could pre-load the user with fake feedback... the whole shot. An "eBay honeypot", if you will.
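The "marked money" idea above, on the defending service's side, as an added example (not eBay's or the thread's own code): canary usernames that belong to no real user are checked before the normal authentication path, every use raises an alert that names where that username was planted, and the outward response is identical to a failed login so the party using it learns nothing. The canary table, user table and addresses are constructed; the demo's password storage is a plain salted hash for brevity, not a recommendation.

```python
"""Canary ("marked money") credentials for a login service.  Constructed example."""
from dataclasses import dataclass, field
import hashlib
import hmac

# Planted canaries: username -> where that username was seeded.  Constructed
# values; a real deployment generates these and keeps the table apart from
# the user database so a canary can never be a real account.
CANARIES = {
    "rk_1184_buyer": "planted on phish kit A (2005-04-26)",
    "coin_dealer_77": "planted on phish kit B (2005-04-26)",
}

# Ordinary accounts, stored as salted SHA-256 for the demo only.
SALT = b"constructed-salt"
USERS = {"alice": hashlib.sha256(SALT + b"correct horse").hexdigest()}


@dataclass
class LoginResult:
    status: str       # "ok", "fail" or "canary"
    alert: str = ""   # populated only for canary hits


@dataclass
class AlertLog:
    entries: list = field(default_factory=list)


def handle_login(username: str, password: str, src_ip: str, log: AlertLog) -> LoginResult:
    """Canaries are checked first so a planted name never reaches real auth."""
    if username in CANARIES:
        # Record who used it and which planting site it traces back to.
        # The submitted password is deliberately not logged.
        alert = f"canary {username!r} used from {src_ip}: {CANARIES[username]}"
        log.entries.append(alert)
        return LoginResult("canary", alert)
    stored = USERS.get(username)
    candidate = hashlib.sha256(SALT + password.encode()).hexdigest()
    if stored is not None and hmac.compare_digest(stored, candidate):
        return LoginResult("ok")
    return LoginResult("fail")


def outward_response(result: LoginResult) -> str:
    """What the HTTP layer sends back: canary and fail are indistinguishable."""
    return "Welcome" if result.status == "ok" else "Invalid username or password"
```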
  • It's not that easy (Score:2, Insightful)

    by mordejai (702496) on Wednesday April 27, 2005 @11:23AM (#12359571)
    Granted, you have to be a little stupid to actually enter your name/pwd in a site just because you received an e-mail.

    But what about pranks?
    It's easy to create an email that looks legitimate and send it as another person... You only need your regular email software. Even more if you actually know both people.

    For example, when I was studying (4 years ago), we used to email with some teachers.
    One guy sent a mail to another, posing as the teacher, telling him his test or assignment (I don't remember) was bad.

    Not everybody has the time to check mail headers and verify the identity of the sender (and even that can be spoofed). Until we move to an all-signed email world, we're stuck with this.
