Featured Research

from universities, journals, and other organizations

More Internet Users May Be Taking Phishing Bait Than Thought

Date:
October 14, 2006
Source:
Indiana University
Summary:
A higher-than-expected percentage of Internet users are likely to fall victim to scam artists masquerading as trusted service providers, report researchers at the Indiana University School of Informatics. "Designing Ethical Phishing Experiments: A study of (ROT13) rOnl query features" simulated phishing tactics used to elicit online information from eBay customers. The online auction giant was selected because of its popularity among millions of users -- and because it is one of the most popular targets of phishing scams.

A higher-than-expected percentage of Internet users are likely to fall victim to scam artists masquerading as trusted service providers, report researchers at the Indiana University School of Informatics.

"Designing Ethical Phishing Experiments: A study of (ROT13) rOnl query features," published online, simulated phishing tactics used to elicit online information from eBay customers. The online auction giant was selected because of its popularity among millions of users-and because it is one of the most popular targets of phishing scams.

The study, one of the first of its kind, reveals that phishers may be netting responses from as much as 14 percent of the targeted populations per attack, as opposed to 3 percent per year.

Phishers send e-mail to Internet users, spoofing legitimate and well-known enterprises such as eBay, financial institutions and even government agencies in an attempt to dupe people into surrendering private information. Users are asked to click on a link where they are taken to a site appearing to be legitimate. Once there, they are asked to correct or update personal information such as bank, credit card and Social Security accounts numbers.

Surveys by the Gartner Group report that about 3 percent of adult Americans are successfully targeted by phishing attacks each year, an amount that might be conservative given that many are reluctant to report they have been victimized, or may even be unaware of it. Other surveys may result in overestimates of the risks because of misunderstanding of what constitutes identity theft.

In contrast, experiments such as the one conducted by IU researchers Markus Jakobsson and Jacob Ratkiewicz have the advantage of reporting actual numbers.

"Our goal was to determine the success rates of different types of phishing attacks, not only the types used today, but those that don't yet occur in the wild, too," said Jakobsson, associate professor of Informatics. Jakobsson also is an associate director of the IU Center for Applied Cybersecurity Research, which studies and develops countermeasures to Internet fraud.

Ratkiewicz and Jakobsson devised simulated attacks where users received an e-mail appearing to be legitimate and providing a link to eBay. If recipients clicked on the link they were in fact sent to the eBay site, but the researchers received a message letting them know the recipient had logged in. The researchers specifically designed the study so that all they received was notification that a login occurred, not the login information (such as the recipient's eBay password) itself-unlike a real phishing attack, which is designed to harvest passwords and other personal information.

The study was approved in advance by the IU Bloomington Human Subjects Committee, which is responsible for reviewing and approving research activities involving human subjects and data collection. The experiment was unusual in that it did not involve debriefing of subjects, given that this step was judged to be the one and only aspect of the experiment that could potentially pose harm to subjects, who might be embarrassed over having been phished or wrongly conclude that sensitive information had been harvested by the researchers.

"We wanted to proceed ethically and yet obtain accurate results," said Ratkiewicz, a computer science doctoral student.

One experiment they devised was to launch a "spear phishing" attack in which a phisher sends a personalized message to a user who might actually welcome or expect the message. In this approach, the phisher gleans personal information readily available over the Internet and incorporates it in the attack, potentially making the attack more believable.

The researchers used three types of approach statements: "Hi can you ship packages with insurance for an extra fee? Thanks" ... "HI CAN YOU DO OVERNIGHT SHIPPING? THANKS!" ... and "Hi, how soon after payment do you ship? Thanks!" In a large portion of the messages, the user's eBay username was included in the message to make it appear more similar to those eBay itself would send.

"We think spear phishing attacks will become more prevalent as phishers are more able to harvest publicly available information to personalize each attack," Ratkiewicz said. "And there's good reason to believe that this kind of attack will be more dangerous than what we're seeing today."

The results of the IU researchers' latest phishing study were shared with eBay officials.

Jakobsson was the author of a 2004 report which detailed worst-case phishing scenarios and attacks and possible ways to prevent them. It was cited positively by various information technology leaders, including those at eBay.

This research was supported internally by Indiana University.

For more information about anti-phishing research activities at IU, please visit http://www.indiana.edu/~phishing.


Story Source:

The above story is based on materials provided by Indiana University. Note: Materials may be edited for content and length.


Cite This Page:

Indiana University. "More Internet Users May Be Taking Phishing Bait Than Thought." ScienceDaily. ScienceDaily, 14 October 2006. <www.sciencedaily.com/releases/2006/10/061013201951.htm>.
Indiana University. (2006, October 14). More Internet Users May Be Taking Phishing Bait Than Thought. ScienceDaily. Retrieved October 21, 2014 from www.sciencedaily.com/releases/2006/10/061013201951.htm
Indiana University. "More Internet Users May Be Taking Phishing Bait Than Thought." ScienceDaily. www.sciencedaily.com/releases/2006/10/061013201951.htm (accessed October 21, 2014).

Share This



More Computers & Math News

Tuesday, October 21, 2014

Featured Research

from universities, journals, and other organizations


Featured Videos

from AP, Reuters, AFP, and other news services

Thanks, Marty McFly! Hoverboards Could Be Coming In 2015

Thanks, Marty McFly! Hoverboards Could Be Coming In 2015

Newsy (Oct. 21, 2014) If you've ever watched "Back to the Future Part II" and wanted to get your hands on a hoverboard, well, you might soon be in luck. Video provided by Newsy
Powered by NewsLook.com
Robots to Fly Planes Where Humans Can't

Robots to Fly Planes Where Humans Can't

Reuters - Innovations Video Online (Oct. 21, 2014) Researchers in South Korea are developing a robotic pilot that could potentially replace humans in the cockpit. Unlike drones and autopilot programs which are configured for specific aircraft, the robots' humanoid design will allow it to fly any type of plane with no additional sensors. Ben Gruber reports. Video provided by Reuters
Powered by NewsLook.com
Japanese Scientists Unveil Floating 3D Projection

Japanese Scientists Unveil Floating 3D Projection

Reuters - Innovations Video Online (Oct. 20, 2014) Scientists in Tokyo have demonstrated what they say is the world's first 3D projection that floats in mid air. A laser that fires a pulse up to a thousand times a second superheats molecules in the air, creating a spark which can be guided to certain points in the air to shape what the human eye perceives as an image. Matthew Stock reports. Video provided by Reuters
Powered by NewsLook.com
Apple Enters Mobile Payment Business

Apple Enters Mobile Payment Business

AP (Oct. 20, 2014) Apple is making a strategic bet with the launch of Apple Pay, the mobile pay service aimed at turning your iPhone into your wallet. (Oct. 20) Video provided by AP
Powered by NewsLook.com

Search ScienceDaily

Number of stories in archives: 140,361

Find with keyword(s):
Enter a keyword or phrase to search ScienceDaily for related topics and research stories.

Save/Print:
Share:

Breaking News:

Strange & Offbeat Stories


Space & Time

Matter & Energy

Computers & Math

In Other News

... from NewsDaily.com

Science News

Health News

Environment News

Technology News



Save/Print:
Share:

Free Subscriptions


Get the latest science news with ScienceDaily's free email newsletters, updated daily and weekly. Or view hourly updated newsfeeds in your RSS reader:

Get Social & Mobile


Keep up to date with the latest news from ScienceDaily via social networks and mobile apps:

Have Feedback?


Tell us what you think of ScienceDaily -- we welcome both positive and negative comments. Have any problems using the site? Questions?
Mobile: iPhone Android Web
Follow: Facebook Twitter Google+
Subscribe: RSS Feeds Email Newsletters
Latest Headlines Health & Medicine Mind & Brain Space & Time Matter & Energy Computers & Math Plants & Animals Earth & Climate Fossils & Ruins