
Phishing for Credit

Posted by Zonk
from the both-academic-and-financial dept.
An anonymous reader writes "Two graduate students at Indiana University conducted a phishing study to determine how readily students will give up personal information if the phishing emails appear to come from close friends. Using only publicly available information, they sent out emails to students asking them to click a link that required username/password information. Needless to say, the study has generated lots of attention on campus. The student newspaper has the story and the researchers have created a blog where the participants can vent."

  • Dear Friend (Score:4, Funny)

    by fembots (753724) on Tuesday April 26, 2005 @04:56PM (#12351790) Homepage
    Dear Friend,

    Can you please click on this link [nzbest.com]?

    Yours Truly Friendly,
    Close Friend
    • Classic. This humour is lost on non-NZers though. Your site is referring to the $1.95 MacD's ad right? If so, shouldn't it be the kid's father who should be selling him?
    • Can you also please click on this link [aqfl.net]? ;)

      Yours Truly Unfriendly,
      Close Fiend
    • Re:No joke (Score:3, Insightful)

      by symbolic (11752)
      It is truly astonishing what is publicly available. We should all be more careful about what we let others know about us,

      He makes this extremely good point some ways into the article. People are so gullible. They're like Pavlov's dogs who salivate every time they see or hear the word "free", or come across anything that has some kind of "deal" attached to it. After the "I got something for free" rush wears off, the actual cost can be quite substantial.

      I've managed to confound some people at a local spec
      • People are so gullible. They're like Pavlov's dogs who salivate every time they see or hear the word "free",

        And then there's the orthogonal cases, like if I were to make a link saying DO NOT CLICK HERE [zoy.org], Just like a sign saying "Do not look into this hole" or "Don't press that button".

        Congrats on not taking their "deal/fidelity/loyalty card". I hate those things. Just lower the price. It's as bad as those stupid mail-in rebates.

  • Just watch (Score:5, Insightful)

    by hsmith (818216) on Tuesday April 26, 2005 @04:56PM (#12351792)
    They will be pressed with charges even though they had good intentions compared to hardly anyone getting caught with malicious intentions.
    • Re:Just watch (Score:5, Insightful)

      by j!mmy v. (613784) on Tuesday April 26, 2005 @05:04PM (#12351869)
      Oh, naturally. The single fastest way to get people riled and after your ass is to make them look stupid. Publicly.

      Seriously, whatever happens, guys sharp enough to organize a phish study couldn't see it coming?
      • Re:Just watch (Score:3, Insightful)

        by tomhudson (43916)

        Seriously, whatever happens, guys sharp enough to organize a phish study couldn't see it coming?

        ... in their defence, they could say that it should have been obvious - after all, their server wasn't located in the .ru tld.

        Lesson # 1: Don't do phishing research in Amerika, because In Amerika, phishing does YOU!

        Lesson # 2: If you're going to do the time, at least make it worth your while. Make sure you have a buyer for any info you get.

        Lesson # 3: Remember to have a good agent for the TV movie and book d

      • Re:Just watch (Score:3, Insightful)

        by pclminion (145572)
        Publicly? Can you please give the URL to the page where they posted the names of the hapless victims? I'd like to see that.
    • That's the subject for their next study: life in a federal pen. Their assigned mentor teacher for their thesis is called Dr. Bubba...
    • Re:Just watch (Score:3, Insightful)

      by itistoday (602304)
      Reading the comments on their blog I stumbled upon this [indiana.edu]:

      I commend the actions of the two graduate students. For those of you here preaching, you might as well walk out and shoot the police officer who provides you with the security you need and desire. The problem is real and people need to be aware. I sit and read about student so sarcastically thanking these fellows for taking their identity, and aside from the sarcasm, everything they are saying is correct.

      One contributor states "I'm so sure this 'le

    • Re:Just watch (Score:2, Insightful)

      by rectifier (694418)
      That is impossible. They got approval from the Human Subjects committee, and no real information was gained; they just verified if the user/pass was a valid IU id. Getting approval is no easy task (I used to administer phone surveys for an IU affiliate) and basically the blame now lies upon the HSC if any further action is taken.
    • Every university has an institutional review board [hhs.gov] that must approve any research that uses human beings as subjects. The IRB is an independent body that includes nonscientists and people with no affiliation with the university [hhs.gov], and it evaluates whether the potential benefits of research outweigh any harm. IRBs are usually very conservative about allowing deception -- you simply cannot do it unless you can demonstrate that you are gaining valuable knowledge that could not be obtained any other way.

      Accordin

    • Re:Just watch (Score:3, Insightful)

      by jemenake (595948)

      They will be pressed with charges even though they had good intentions compared to hardly anyone getting caught with malicious intentions.

      If they wanted to protect themselves from possible legal hassle later, they could have just recorded how many click-throughs they got from the actual email. Then, they could have just had the actual web page at the address have something like "No, No, NO! Don't click on links asking you for your password!".

      I don't know why eBay doesn't do this already. They could

  • by daveschroeder (516195) * on Tuesday April 26, 2005 @04:57PM (#12351799)
    But some students are upset they were involved in the study without their consent or knowledge. Senior Rebecca Shakespeare did not even know she had been used as a sender until her friend notified her.

    "I was frustrated that I was hearing from a friend that my e-mail account was sending her things," Shakespeare said. "I had no idea where it was coming from. I was irritated because I was concerned that my home system was being abused."

    Shakespeare called University Information Technology Services, which said it could have been a virus and to not click on the link.

    "I've spent a lot of time keeping my (computer) secured," Shakespeare said. "I feel kind of used that it was the University that was making my friends think I had opened up my system to viruses."


    If that's really why they're concerned, well, maybe they'd be interested in knowing that the vast majority of virus/malware type things that send email in this fashion still don't originate from the computer of the person in question anyway...therefore, this whole rationale for worry is BS, since spoofed email can come from *anywhere*, and it's most often NOT your own computer.

    And - make no mistake, I really do see their point - but the IT resources belong to the university, and neither the university nor the researchers use the person's account or any password or other credentials belonging to the person. It was simply a spoofed "from" address; nothing more. And if it's strictly "legal" for any random person to spoof a from address, it's just as legal for the purposes of research, whose findings may provide some level of insight on *protecting* people from malicious phishing.

    Now, I personally don't know whether any of this justifies doing the study in the way they did. That's a judgment call. If the university's IT organization proper is doing it, that's one thing, and I could see people being uncomfortable with the motivations. But grad students? I don't see any problem with that at all. In fact, they don't need anyone's permission to do what they did. However, in good faith, they did get the approval of the Human Subjects Committee.
    • It seems those who conducted the experiment are going to get a bit more press than they expected.
    • If that's really why they're concerned, well, maybe they'd be interested in knowing that the vast majority of virus/malware type things that send email in this fashion still don't originate from the computer of the person in question anyway...therefore, this whole rationale for worry is BS, since spoofed email can come from *anywhere*, and it's most often NOT your own computer.

      And - make no mistake, I really do see their point - but the IT resources belong to the university, and neither the university nor

    • signed,
      George.W.Bush@whitehouse.gov
    • is apparently not as accepted as you think. Many places will mete out surprisingly harsh penalties to people who spoof email as a prank. In fact, whenever there's a computer involved, the authorities tend to crack down much harder on insignificant offenses. Suddenly, it's not a joke email, it's a "forged document", "computer misconduct", "violation of university policy", and second-degree mansla... Err, wait... nvm.... yeah... anyway, it's bad.
    • spoofed email can come from *anywhere*

      I am George W. Bush, and I approved this message...

    • But grad students? I don't see any problem with that at all. In fact, they don't need anyone's permission to do what they did. However, in good faith, they did get the approval of the Human Subjects Committee.


      Actually, grad students are just as subject to IRB (Institute Research Board) human subjects approval as faculty. Any research involving human subjects and that is intended to ever be published must obtain IRB approval prior to conducting the research.

      As part of the IRB approval process, there are
  • by Anonymous Coward on Tuesday April 26, 2005 @04:58PM (#12351810)
    please reply to this message with the following information:

    Nickname:
    Password:
  • forged headers (Score:5, Informative)

    by doormat (63648) on Tuesday April 26, 2005 @05:00PM (#12351824) Homepage Journal
    "I was frustrated that I was hearing from a friend that my e-mail account was sending her things,"

    Spam can come from anyone - it's not too hard to forge the "FROM" line on an email. I'd hardly call it abuse of your account when spammers do it all the time.
    • That's true, but people typically expect academic research to have some sort of ethical guidelines which this study seems to have crossed.
      • RTFA.... (Score:5, Informative)

        by YankeeInExile (577704) * on Tuesday April 26, 2005 @05:22PM (#12352032) Homepage Journal

        ... to find that they did this experiment under the oversight of the university's Human Subjects Committee.

        If that doesn't sound like some sort of ethical guidelines I don't know what does.

      • That's true, but people typically expect academic research to have some sort of ethical guidelines which this study seems to have crossed.

        It was cleared by the research ethics body.

      • Read the article. They went to their ethics committee and had it cleared just like every other experiment with human subjects has to do.

        From the link:

        First off, Marcus didn't just up and decide to do the experiment. He got a green light from the human subjects committee here on campus to perform the experiment; a body of people whose job it is to say what is and is not ethical in experimentation. The fact of the matter is that there was no harm done and this experiment IS ETHICAL. Anyone who's tried to

  • That regardless of the intent, this sort of conduct is at the very least considered immoral and possibly bordering on illegality. It sounds like fraud to me. Simply posing as someone else to get certain private information seems innocent enough if the goal is to warn their fellow students of their vulnerability to social engineering, since the weakest link in computer security is the person. I would imagine they are going to feel some heat from the university at the very least for this, though.
    • "Simply posing as someone else to get certain private information..."

      Except that they're now posing as students doing research because they were caught phishing for information.

      Next time you break into a bank and get caught while inside the vault just tell the cops you were testing the security system without the bank's knowledge, but intended to give a full report later on.
  • Heh (Score:5, Funny)

    by Otter (3800) on Tuesday April 26, 2005 @05:02PM (#12351849) Journal
    [T]he researchers have created a blog where the participants can vent.

    This would make a nice change from the usual celebrity-in-trouble "apologies", where they go on the Tonight Show, bite their lips and look downcast and assure us "I'm very, deeply, truly sorry..."

    Instead we can get, "Jay, I have created a blog where people can vent."

  • by Rosco P. Coltrane (209368) on Tuesday April 26, 2005 @05:02PM (#12351851)
    Two graduate students at Indiana University conducted a phishing study to determine how readily students will give up personal information

    After such successful research on phishing, our two friends have decided to tackle a new study: test how much load e-commerce sites can handle, and how much money ATMs can usually deliver on any given day.
  • well (Score:2, Funny)

    by Anonymous Coward
    people are stupid. film at 11.
  • You would think... (Score:2, Insightful)

    by demondawn (840015)
    That people would be a little more mature about this; viruses and other malicious software can (and often do) get sent from friends' email addresses (how many viruses are there that read someone's Outlook Address Book?) I think people are being a little naive.
  • a license? (Score:2, Insightful)

    by cryptoz (878581)
    This reminds me of the old debate about requiring a license to use the internet. The pros being obvious: stupid/ignorant people would not be allowed to open viruses any longer, etc. The cons being that the internet is currently a free, open medium with few restrictions on what can be said/shown.
  • Well done... (Score:5, Insightful)

    by Yaa 101 (664725) on Tuesday April 26, 2005 @05:10PM (#12351923) Journal
    I think it's good to let students (future scientists, decision makers etc...) feel what it means to be part of socially constructed fraud... Mainly because this will get worse and worse over time, you see how many database leaks with high profile personal data have taken place lately. People have to learn ways around all this identity theft, the only way is to confront them with the consequences of this all.
  • Ethics (Score:4, Insightful)

    by Datasage (214357) <Datasage@theworl ... com minus author> on Tuesday April 26, 2005 @05:13PM (#12351945) Homepage Journal
    A lot of the comments on the blog complained that the study was unethical because the participants didn't know they were part of the study.

    My two reasons why I think it couldn't have been done any other way.

    1. This study focuses on deception and how people react when they are deceived.

    2. Telling the participants they were a part of a study or asking them to be part of it would affect the behavior of the participants and therefore change the study results.

    As long as the information was not used in any illegal way, I don't find a problem with how this experiment was conducted. Yes, it sucks to get phished, but it's better to be phished by these guys than by the hundreds of other phishers who are out there to turn phishing into financial gain.
  • This is exactly, 100%, the reason I don't have a facebook account. My friends can social interweb link themselves to everyone in the world to their hearts content, but if you want to track me down, I'm not going to unlock my door and put a huge sign on my lawn saying 'come on in and steal my TV.'
  • by Aumaden (598628) <Devon,C,Miller&gmail,com> on Tuesday April 26, 2005 @05:14PM (#12351953) Journal
    In other news [indiana.edu], Indiana University students found to be whiners.
  • by atari2600 (545988) on Tuesday April 26, 2005 @05:18PM (#12351994)
    "I feel betrayed and offended"

    Someone posted that on the blog. I think he/she should feel foolish rather than feel betrayed. Or that should be read as "I am so fucking dumb that i cannot believe i did what i did".
    • by remahl (698283) on Tuesday April 26, 2005 @05:32PM (#12352134)

      That could easily be said for other experiments that have been challenged on ethical grounds. Sometimes experiments find things about ourselves we'd rather not know.

      For example, the Milgram experiment [wikipedia.org], where participants were mildly coerced by an authoritative person to administer strong electrical shocks to a subject (who was really an actor). A high proportion of the participants were willing to administer levels of shock that they believed to be lethal.

      Would you like to know that you would be capable of murder as long as someone else was there to take the responsibility/blame? Even if the person in the quoted blog post should feel foolish, that does not make the experiment ethical and non-offensive - quite the opposite.

  • study successful (Score:4, Interesting)

    by BroadwayBlue (811404) on Tuesday April 26, 2005 @05:23PM (#12352037)
    "It's kind of ridiculous," she [Junior Lisa Aigner] said. "It's just the fact that a group supposedly affiliated with (the University) ... kind of took my trust and threw it out the window."

    Welcome to the internet; trust no one. I hope more people got the message.

  • by jago25_98 (566531) <jago25_98@NoSPAM.hotmail.com> on Tuesday April 26, 2005 @05:23PM (#12352055) Homepage Journal
    For reference, send phish email you've received to

    reportphishing@antiphishing.org

    ( from http://www.antiphishing.org/report_phishing.html )
  • the IRB Human Subjects form. This was a deception study, clearly. The fact that this was so is fine, but running things like this past IRB requires a strict and rigid understanding between the PIs and the IRB. Also, AFAIK, provisions must be made for "repairing" anyone who is damaged by the research - even if it is incidental (e.g. your research was only "the last straw").

    I'd like to see the IRB to determine how things are done at IU. Without seeing the form, I really cannot comment on whether what wa

    • D'oh - yup, they were filled out:

      So the Human Subjects Committee allowed the actual phishing attack to run without informed consent from the subjects.

      (from http://www.idsnews.com/subsite/story.php?id=29400)

      I still wonder, though, how they (Human Subjects Committee) provisioned for possible fall-out.

  • by TheIndefiniteArticle (878123) on Tuesday April 26, 2005 @05:34PM (#12352153)
    Any college age person who is fooled by an email of the described type deserves a swift kick in the ass.
  • I'm from Indiana (Score:4, Insightful)

    by Rocketboy (32971) on Tuesday April 26, 2005 @05:36PM (#12352178)
    and I object most strenuously to being associated with what sounds like the noisiest bunch of whining idiots in recent memory.

    Unethical? Possibly -- in the current "enlightened" academic environment where definition of terms is often left to whom screams loudest I suppose that one or more of these embarrassed campus inhabitants has enough functioning brain cells to come up with a completely irrelevant but intensely self-referential definition which supports their childish outrage. It's highly delusional but they're obviously still children and I don't suppose we can expect actual coherent thought from them until they grow up.

    "Invasion of privacy"? Drugs must be a significant problem at IU. It always was known as a party school, and this is just more evidence that the description contains some accuracy. And to think that these students are often described as the "best and brightest" and the next generation of leaders. Kinda provides some background for current events, doesn't it? :)

    Rb

  • by wernst (536414) on Tuesday April 26, 2005 @05:37PM (#12352190) Homepage
    Boy, if the whiners there are complaining like this about nothing more than losing their dignity due to BENIGN phishing, imagine how loud their whining will be when they've lost their banking information and social security information due to REAL phishing.

    It seems their primary complaint is that, GASP, "evil" email looked like it was coming from people they know. WAKE THE HELL UP PEOPLE!!! All the Slammer and Melissa viruses (and their mutated children) DO THE SAME THING: they scan through the address books of their victims, rewrite the "From" line to be one name in the address book, and then write the "To" line to be you (whose name is also in the address book) -- and then there's a good chance that you'll then know the person's name in the "From" line, which (it is hoped) makes you let your guard down and open the infected attachment.

    I'll bet $1028 that 90% of the whiners there have been infected by these viruses in the past, and probably still are. And now they've been fooled a second time the same way. How does that old expression go again?

    When I find some sympathy for these whiners, I'll let them know...

  • Angry students (Score:2, Insightful)

    by baadger (764884)
    The third comment down on the entry blog is the only one worth reading.


    Anonymous Says:
    April 25th, 2005 at 12:19 pm

    "An email could have gone out at the beginning of the semester asking for volunteers to receive a message at a late, unannounced time."

    Moral of the day: If you're going to emulate something evil in a research context you get the damn permission and cover your arse first

    Sneaky Solution: Slip an agreement into the campus network AUP that lets the "IT security office" carry out 'various

  • by javaxman (705658) on Tuesday April 26, 2005 @05:42PM (#12352255) Journal
    I don't understand fully people being upset about this, other than uhem, people who gave up their passwords ( whoops! ). It sucks to have someone er, 'make you look stupid'. Of course, there is the potential that they are somehow/somewhere keeping copies of everyone's passwords, though it looks like they're claiming to delete the actual data.

    The only thing that really bothers me is that they've essentially shown phishers how to dramatically [indiana.edu] improve their results :

    About 70% of recipients fell victim to the attacks using contextual information from social networks; this is an increase by a factor of 23 compared to known phishing attacks, and by a factor of four compared to the case where the sender is unknown but appears to be in the same domain as the victim

    Er... this is sorta like doing research on how to make a better bomb, buddy. This is not socially responsible computer science research, is it? I'd be more interested in determining how to create a social networking site ( like whatever this "facebook" thing is ) that _can't_ be exploited in such a manner. That sounds like a more productive and useful exercise, and one less likely to get everyone pissed off at you for showing them to be gullible. 70% is a lot, even if that's just an estimate.

    • Er... this is sorta like doing research on how to make a better bomb, buddy. This is not socially responsible computer science research, is it?

      So if we shut our eyes and stick our fingers in our ears, Everything Will Be Okay?

      I'd be more interested in determining how to create a social networking site ( like whatever this "facebook" thing is ) that _can't_ be exploited in such a manner.

      How would anybody have known about this exploit if nobody has studied it? To use your bomb analogy, how could we

    • The social utility of the study is recognition that certain types of "publicly available" information really bloody shouldn't be. For example, on facebook to protect privacy they block my access to people at schools other than my alma mater who have not "opted in" as my friends. I can't see their sex, their major, their dorm room number (if they're silly enough to put that in -- honestly, what possible good is that going to do), their political leanings, or their hobbies. But I can see their name, schoo
  • Junior Lisa Aigner said although she understands the purpose of the study, she feels Jagatic and Johnson should have been more forthcoming about the e-mails.

    Ahh yes, we all know this study would have worked had it had the disclaimer "This is only a test"
  • A lot of the complaints from people who were sent these emails (whether fooled or not fooled) are ludicrous. I do have a little sympathy for the student whose from address was used to fool her friend, same as I do for the owners of from addresses used by spammers.

    I think the study was worthwhile but could have been conducted better.

    1. They might have obtained permission from the students whose identities were used in the from addresses, so that if the students who received the emails called and asked W

  • Too easy? (Score:5, Funny)

    by stinky wizzleteats (552063) on Tuesday April 26, 2005 @06:04PM (#12352464) Homepage Journal
    I notice that a lot of the complainants have posted their e-mail addresses in the blog to try to get together to organize action...

    Dear concerned student:
    I am a close friend writing to you about your recent experience with a phishing study in which deception was used. I have met with an attorney on this issue who is interested in pursuing a class action lawsuit on behalf of the victims of this study. To participate, please click the link below and provide the following personal information...
  • by kismaty (879191) on Tuesday April 26, 2005 @06:13PM (#12352528)
    I feel like fueling the fire.

    Thursday, one of my co-workers at the IU campus helpdesk got the email and dismissed it after telling us it might be a potential source of many irate callers later on in the day.

    And so it was. I got a caller to send us the full headers of the message that appeared to be from his girlfriend. What do you know? The headers clearly showed the message was originating from whuffo@iu.edu!

    So, with our limited helpdesk lookup tools, I found that whuffo@iu.edu was indeed a valid e-mail account, but it was registered as a departmental account and we could not see who personally created the account.

    I wanted to get to the bottom of this so I went ahead and looked at the link in the email that it wants users to click on. What do you know? It redirects to a site called www.whuffo.com before asking for the user's credentials!

    While my co-workers were bitching about it, I decided to do some detective work (Not sure why my co-workers, normally very competent at problem solving skills, didn't think of this). I looked up the whois info on whuffo.com and what do you know? The domain is registered to Professor Markus Jakobssen, of the IU Informatics Department!

    So who's this Markus guy? I found his IU websites. And one of his research interests is 'phishing.' Hmmm. I take a look at the upper level classes he teaches. What do you know? His powerpoint lecture for I400 for this week is all about HOW TO PULL OFF A PHISHING SCAM. Wow, what's the connection here?

    Meanwhile, the helpdesk had made this an escalated incident and turned it over to the IT security office. We get a message back (from Tom Jagatic of the IT policy office) saying they are "mitigating the effects of the issue." I had to go look up mitigating in the dictionary before I realized this wasn't a typical response from ITSO. Normally they'd jump on something like this and put a stop to the emails right away.

    Giving ITSO the benefit of the doubt, I decide to use my new clues on who might be doing this. With this information in hand, I shot off an e-mail to Tom J. and ITSO and the whole rest of the day, I get no response at all. We continue taking calls from confused users and ask them all to change their passwords as it's all we can really tell them to do at this point.

    I go home and check all fucking weekend, and believe me I was watching all our e-mail accounts like a hawk. No response from Tom Jagatic or the IT security office.

    So on Monday I'm back at work and I check my mail to find that the whole scam has been put out in the open. In our email there were copies of several mass-emailed apologies to the users who got the phishy message, the users whose identities were spoofed, and to the support center and helpdesk staff. All these messages contained was an explanation of the "experiment" (which you can read in any news story about it) and their "sincere apologies."

    The rest is history. The blog that Tom and Markus set up, where people are commenting, has got lots of angry people angry at themselves for being duped. That's not why I'm angry.

    All I want from Tom and ITSO is an actual sincere apology for all the work and extra detective skills I/we put into trying to find the perpetrator, since at the time we weren't in on their little plan. No one seems to understand that in any other circumstance, if this were a real security threat, we'd all be getting pats on the back and compliments for figuring out who was behind it before ITSO did (as that's their job, normally.) But, no, since Tom, Markus, ITPO, and ITSO were all in on it, we just get a 'mitigated' effort at an apology from those guys.
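The kind of header check the helpdesk post above describes (comparing what the From: line claims with where the message actually came from and where its link goes), written out as an added example that is not code from the thread or the IU study. It generalises the post's case of an origin account different from the apparent sender to three checks: envelope sender (Return-Path) versus From:, the earliest Received hop versus the From: domain, and body links that lead off that domain; all messages, addresses and hosts below are constructed placeholders.

```python
"""Triage a suspected phishing e-mail from its raw headers and body.

Added example, not code from the Slashdot thread or the IU study. All
addresses, hosts and messages below are constructed placeholders.
"""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the From: line names a friend at example.edu, but the
# envelope sender, the earliest Received hop and the link all point elsewhere.
SUSPECT_MESSAGE = """\
Return-Path: <survey-bot@example-dept.invalid>
Received: from mailhost.example.edu (mailhost.example.edu [192.0.2.10])
\tby mx.example.edu with ESMTP id abc123; Thu, 21 Apr 2005 10:02:11 -0500
Received: from cron.example-dept.invalid (cron.example-dept.invalid [198.51.100.7])
\tby mailhost.example.edu with ESMTP id def456; Thu, 21 Apr 2005 10:02:10 -0500
From: Close Friend <friend@example.edu>
To: student@example.edu
Subject: check this out

Hey, look at this: http://login.example-dept.invalid/verify?u=student
"""

# Constructed benign sample for comparison: sender, origin and link agree.
BENIGN_MESSAGE = """\
Return-Path: <friend@example.edu>
Received: from webmail.example.edu (webmail.example.edu [192.0.2.20])
\tby mx.example.edu with ESMTP id ghi789; Thu, 21 Apr 2005 11:00:00 -0500
From: Close Friend <friend@example.edu>
To: student@example.edu
Subject: notes

Notes are at http://courses.example.edu/notes.html
"""


def bare_address(header_value) -> str:
    """Lowercase mailbox from a header such as 'Name <user@host>' ('' if none)."""
    return parseaddr(str(header_value or ""))[1].lower()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def in_domain(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def origin_host(received_headers) -> str:
    """Host named by the earliest (bottom-most) Received header, i.e. the
    machine that first handed the message to the mail system."""
    if not received_headers:
        return ""
    match = re.match(r"\s*from\s+([\w.-]+)", str(received_headers[-1]), re.I)
    return match.group(1).lower() if match else ""


def triage(raw: str) -> dict:
    """Compare what From: claims with the envelope sender, the origin hop and
    the body links; return the extracted facts plus a list of mismatches."""
    msg = email.message_from_string(raw)
    from_addr = bare_address(msg["From"])
    env_addr = bare_address(msg["Return-Path"])
    from_dom = domain_of(from_addr)
    origin = origin_host(msg.get_all("Received") or [])
    body = "" if msg.is_multipart() else msg.get_payload()
    links = re.findall(r"https?://[^\s<>\"']+", body)
    off_domain = [u for u in links
                  if not in_domain((urlparse(u).hostname or "").lower(), from_dom)]

    findings = []
    if env_addr and env_addr != from_addr:
        findings.append(f"envelope sender {env_addr} is not the From: address {from_addr}")
    if origin and not in_domain(origin, from_dom):
        findings.append(f"message entered the mail system at {origin}, outside {from_dom}")
    findings.extend(f"link {u} leads outside {from_dom}" for u in off_domain)
    return {"from_address": from_addr, "envelope_address": env_addr,
            "origin_host": origin, "off_domain_links": off_domain,
            "findings": findings}


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, "->", triage(raw)["findings"] or ["no mismatches"])
```

Return-Path and Received headers are written by the receiving servers rather than by the sender, which is why they are worth more than the From: line; a message with an empty finding list is not proven genuine, only free of these three tell-tales.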
  • Isn't this illegal? I thought that research on human subjects-- even psychological research like this-- required consent.

    I don't *know* that, but I've heard people moan about the bureaucratic requirements for doing research involving human subjects in the past.
    • Oh, heh... an answer to my question, brought by the magic of RTFA. :-)

      Because of the ethical issues associated with deception, Jagatic and Johnson had to obtain permission from the Human Subjects Committee, which approves experiments on campus that involve humans and ensures studies are ethical and do not violate participants' privacy.

  • Here is a story that I heard from a friend of a friend...

    Some of you may recall that Redhat made a "Friends & Family" offer for 100 IPO shares to each person listed in the credits section of the linux kernel README file.

    Apparently, anyone residing outside of the USA was not eligible for this offer. So, an enterprising (devious?) fellow went through the list of foreign email addresses in the credits file that were dead - i.e. bouncing any incoming message and impersonated them with freemail accounts
