Slashdot Mirror
Phishing for Credit
An anonymous reader writes "Two graduate students at Indiana University conducted a phishing study to
determine how readily students will give up personal information if
the phishing emails appear to come from close friends. Using only
publicly available
information, they sent out emails to students asking them to click a
link that required username/password information. Needless to say,
the study has generated lots of attention on campus. The student
newspaper has the story
and the researchers have created a blog where the participants can vent."
Dear Friend,
Can you please click on this link?
Yours Truly Friendly,
Close Friend
Rock that crushes, Paper & Scissors that don't matter.
They will be pressed with charges even though they had good intentions compared to hardly anyone getting caught with malicious intentions.
But some students are upset they were involved in the study without their consent or knowledge. Senior Rebecca Shakespeare did not even know she had been used as a sender until her friend notified her.
"I was frustrated that I was hearing from a friend that my e-mail account was sending her things," Shakespeare said. "I had no idea where it was coming from. I was irritated because I was concerned that my home system was being abused."
Shakespeare called University Information Technology Services, which said it could have been a virus and to not click on the link.
"I've spent a lot of time keeping my (computer) secured," Shakespeare said. "I feel kind of used that it was the University that was making my friends think I had opened up my system to viruses."
If that's really why they're concerned, well, maybe they'd be interested in knowing that the vast majority of virus/malware type things that send email in this fashion still don't originate from the computer of the person in question anyway...therefore, this whole rationale for worry is BS, since spoofed email can come from *anywhere*, and it's most often NOT your own computer.
And - make no mistake, I really do see their point - but the IT resources belong to the university, and neither the university nor the researchers uses the person's account or any password or other credentials belonging to the person. It was simply a spoofed "from" address; nothing more. And if it's strictly "legal" for any random person to spoof a from address, it's just as legal for the purposes of research, whose findings may provide some level of insight on *protecting* people from malicious phishing.
Now, I personally don't know whether any of this justifies doing the study in the way they did. That's a judgment call. If the university's IT organization proper is doing it, that's one thing, and I could see people being uncomfortable with the motivations. But grad students? I don't see any problem with that at all. In fact, they don't need anyone's permission to do what they did. However, in good faith, they did get the approval of the Human Subjects Committee.
...the school throws a fit and disciplines them.
please reply to this message with the following information:
Nickname:
Password:
They did nothing wrong!!
Show this to your friends and family that don't know what a real hacker is
"I was frustrated that I was hearing from a friend that my e-mail account was sending her things,"
Spam can come from anyone - its not too hard to forge the "FROM" line on an email. I'd hardly call it abuse of your account when spammers do it all the time.
The Doormat
If you're not outraged, then you're not paying attention.
That regardless of the intent, this sort of conduct is at the very least considered immoral and possibly bordering on illegality. It sounds like fraud to me. Simply posing as someone else to get certain private information seems innocent enough if the goal is to warn their fellow students of their vulnerability to social engineering, since the weakest link in computer security is the person. I would imagine they are going to feel some heat from the university at the very least for this, though.
shop.envescent.com - Computer hardware and more.
This would make a nice change from the usual celebrity-in-trouble "apologies", where they go on the Tonight Show, bite their lips and look downcast and assure us "I'm very, deeply, truly sorry..."
Instead we can get, "Jay, I have created a blog where people can vent."
What I'm listening to now on Pandora...
Two graduate students at Indiana University conducted a phishing study to determine how readily students will give up personal information
After such a successful research on phishing, our two friends have decided to tackle a new study: test how much load e-commerce sites can handle, and how much money ATMs can usually deliver on any given day.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
While teaching a course on Perl, the co-author of O'Reilly's "Learning Perl" book ran the Crack program on Intel's password files, hoping to use the info to bid on a contract. Instead, Intel turned him into the police and he spent years trying to clear his name.
One VP had the following password: Pre$ident.
people are stupid. film at 11.
It would have been interesting if they tried to "phish" a tech-savvy student who noticed the forged headers and reported the researchers to campus authorities as fraudsters. Would "we're only conducting a study" be accepted as a defense? (And if it was, would it be adopted by real phishers in the future?)
That people would be a little more mature about this; viruses and other malicious software can (and often do) get sent from friends' email addresses (how many viruses are there that read someone's Outlook Address Book?) I think people are being a little naive.
Going back to school for entry-level jobs?
You can't take this article seriously when the main persn they interviewed was named "Shakespeare"....
This reminds me of old debate about requiring a license to use the internet. The pros being obvious: stupid/ignorant people would not be allowed to open viruses any longer, etc. The cons being that the internet is currently a free, open medium with few restrictions on what can be said/shown.
Are so scared of everything, they won't even give out their information so sign up a service like netflix. It's absurb.
Help me get a PSP! Who can afford s
Graah! Why is the solution to everyone's problem with academia "fire the professor"? Your analogy to robbing a bank is a false one; nothing was actuallly stolen in this project. I think you, and a lot of other people, are overreacting.
Going back to school for entry-level jobs?
I think it's good to let students (future scientists, decicion makers etc...) feel what it means to be part of socially constructed fraud... Mainly because this will get worse and worse over time, you see how many database leaks with high profile personal data have taken place lately. People have to learn ways around all this identity theft, the only way is to confront them with the consequenses of this all.
Extensions to email that use PKI to secure and encrypt it in an identifiable, trusted fashion
In a phishing attack there are a couple ways in which the user's identity is compromised. The first and most obvious is that the attacker, in this case a friendly IT worker, now has your credentials. The second way, is that now your credentials are quite possibly cached/stored somewhere that can be more easily hacked. How do they know someone didn't piggy-back off their hacked together phishing script and now they're planning something malicious. Once you tap into a secure channel you can create a lot of holes in no time. If nothing else, just the list of duped usernames could be extremely valuable.
A lot of the comments on the blog, complained that the study was unethical because the participants didnt know they were part of the study.
My two reasons why I think it couldnt have been done any other way.
1. This study focuses on deception and how people react when they are decived.
2. Telling the participants they were a part of a study or asking them to be part of it, would effect the behavior of the participants and therefore changing the study results.
As long as the information was not used in any illegal way. Then I don't find a problem with how this expirement was conducted. Yes it sucks to get phished, but its better to be fished by these guys than the hundreds of other phishers who are out there to turn phising into finacial gain.
In America we are imprisoned by our fear of them.
This is exactly, 100%, the reason I don't have a facebook account. My friends can social interweb link themselves to everyone in the world to their hearts content, but if you want to track me down, I'm not going to unlock my door and put a huge sign on my lawn saying 'come on in and steal my TV.'
In other news, Indiana University students found to be whiners.
I doubt that sending an email with a spoofed "From" email address is illegal. It's not like your analogy at all, it's more like someone dressing up as your friend, meeting you at the bank and asking you for your card and your pin number to show you something "cool". Just because it could harm you, don't make it illegal. And your bit about privacy? Well, they obtained everyting from the public domain. They didn't do anything anyone else, who would could have actually exploited these people, couldn't have done. I think your silly for thinking the proffeser shoiuld be fired and the students prosecuted.
Oh wait.
"I feel betrayed and offended"
Someone posted that on the blog. I think he/she should feel foolish rather than feel betrayed. Or that should be read as "I am so fucking dumb that i cannot believe i did what i did".
Present a note to the bank teller saying you have a gun and do NOT want anything but for here to have a nice day. Even though you do not have a gun and have not stolen anything, you will find what happens next to be very interesting. Try it.
You don't need to steal anything or do anything in order to break the law. The fact that you posed a false threat is sufficient, in many circumstances, to entitle you to a thorough familiarization with a night stick and quite possibly a tazer.
I know this is going off topic, but this reminds me of the LSD studies the CIA did in the late 70's.
Except there's a large line between giving someone chemicals that could very easily be toxic, or at least cause significant health problems, and seeing if people will input private data that the study authors won't use anyway.
And disciplining the professor or the students in this instance is absolutely insane. The entire point of having an "Human Subjects Committee" oversight board is to allow the university to make these kinds of decisions. Furthermore, I'm still not clear what they did that would qualify as illegal. If spoofing email addresses is a serious crime, there's a lot more people that should be in jail (and it would be massively easier to convict spammers); it's likely that phishing for personal data is only illegal if you actually collect the data, which it appears they didn't (it did a check to see if it was valid, but they don't indicate that the password itself was saved).
Do some students feel used? Sure... but there doesn't seem to be any real harm done, and it's impossible to actually get an idea of how to deal with the problem of real phishing attempts if you can't get a sense of how many normal people actually fall for what types of things.
Can you also please click on this link? ;)
Yours Truly Unfriendly,
Close Fiend
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
If you're stupid enough to give out information without verifying who you're giving it to and why it's needed, that's your own damn fault. People want to bitch about making things like this illegal, but there's no right to government ass-wiping.
Let see...*RING RING*
"Hello?"
"Anonymous? Anonymous Coward??? Is that you? How the hell are you?!!! I haven't heard from you in a long time! This is Phred Phisher!"
"Hi Phred, great, how are you?? You sound a little different..."
"Yeah, I got a cold. Hey, can I have your account information?"
"Sure, no problem! Here you go!"
"Thanks, bye!"
".............."
If you think they should be arrested for my stupidity, you're missing a few cards.
... to find that they did this experiment under the oversight of the university's Human Subjects Committee.
If that doesn't sound like some sort of ethical guidelines I don't know what does.
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
Welcome to the internet; trust no one. I hope more people got the message.
A closer reading reveals that these are not two rogue students, but supervised under faculty and had the consent of the human subjects comitee for the experiment. The students had their legal bases covered months before executing the experiment. Request Human Subject Study #05-9893, #05-9892 reports for details
For reference, send phish email you've recieved to
reportphishing@antiphishing.org
( from http://www.antiphishing.org/report_phishing.html )
A blog I run for the wealth
is apparently not as accepted as you think. Many places will mete out surprisingly harsh penalties to people who spoof email as a prank. In fact, whenever there's a computer involved, the authorities tend to crack down much harder on insignificant offenses. Suddenly, it's not a joke email, it's a "forged document", "computer misconduct", "violation of university policy", and second-degree mansla... Err, wait... nvm.... yeah... anyway, it's bad.
Your analogy to robbing a bank is a false one; nothing was actuallly stolen in this project.
Something was stolen from the unwitting student/participants. They lost their ignorance of the sad state of the internet's infrastructure. This "experiment" created a harsh wake-up call that e-mail is not a trustworthy medium.
SMTP was never designed for an open environment with untrustworthy users. It was designed for collegial academic networks with funding from people that run closed military networks.
Why is the solution to everyone's problem with academia "fire the professor"
I agree 100%, but shooting the messenger is an age-old solution. People prefer a comforting falsehood (email is trustworthy) to a harsh reality.
Two wrongs don't make a right, but three lefts do.
That's precisely what they did. The whole thing was authorized from top to bottom. They even got the okay from campus IT to "abuse" the computer systems for their purposes. Try RTFA sometime.
The funny thing about this story is I've been trying to sign up for Amazon's "book browse" service. Of course they want a valid credit card with all the info. e.g. billing, shipping, etc. Privacy violation plus if anyone hacks Amazon, well...
It appears that the experimenters did have some clearance, after RTFA. Perhaps they didn't follow the plan, didn't disclose all of the information to the review board, or the board didn't understand the nature of the project?
There are 10 kinds of people in the world: That averages about 660,000,000 of each kind.
the IRB Human Subjects form. This was a deception study, clearly. The fact that this was so is fine, but running things like this past IRB requires a strict and rigid understanding between the PIs and the IRB. Also, AFAIK, provisions must be made for "repairing" anyone who is damaged by the research - even if it is incidental (e.g. your research was only "the last straw").
I'd like to see the IRB to determine how things are done at IU. Without seeing the form, I really cannot comment on weather what was done was "ethical" or not. It is a blisteringly simple experiment, and if they can get a paper out of it, it'd be what we call "low-hanging fruit".
However, if no IRB approval was received, then this is an entirely different matter. IRB approval == crap hits IRB if things go horribly wrong. No IRB approval == crap hits PIs and all associated if things go horribly (or publicly) wrong.
Hopefully the forms were filled out.
Any college age person who is fooled by an email of the described type deserves a swift kick in the ass.
get a free laptop
and I object most strenuously to being associated with what sounds like the noisiest bunch of whining idiots in recent memory.
:)
Unethical? Possibly -- in the current "enlightened" academic environment where definition of terms is often left to whom screams loudest I suppose that one or more of these embarrassed campus inhabitants has enough functioning brain cells to come up with a completely irrelevant but intensely self-referrential definition which supports their childish outrage. It's highly delusional but they're obviously still children and I don't suppose we can expect actual coherent thought from them until they grow up.
Invasion of privacy"? Drugs must be a significant problem at IU. It always was known as a party school, and this is just more evidence that the description contains some accuracy. And to think that these students are often described as the "best and brightest" and the next generation of leaders. Kinda provides some background for current events, doesn't it?
Rb
i am lazy
was forging headers not made illegall by CAN-SPAM?
It seems their primary complaint is that, GASP, "evil" email looked like it was coming from people they know. WAKE THE HELL UP PEOPLE!!! All the Slammer and Melissa viruses (and their mutated children) DO THE SAME THING: they scan through the address books of their victims, rewrite the "From" line to be one name in the address book, and then write the "To" line to be you (whose name is also in the address book) -- and then there's a good chance that you'll then know the person's name in the "From" line, which (it is hoped) makes you let your guard down and open the infected attachment.
I'll bet $1028 that 90% of the whiners there have been infected by these viruses in the past, and probably still are. And now they've been fooled a second time the same way. How does that old expression go again?
When I find some sympathy these whiners, I'll let them know...
D'oh - yup, they were filled out:
(from http://www.idsnews.com/subsite/story.php?id=29400)
I still wonder, though, how they (Human Subjects Committee) provisioned for possible fall-out.
I can't wait to see the looks on those little Eichmanns' faces when they hear this crunchy groove!
Moral of the day: If you're going to emulate something evil in a research context you get the damn permission and cover your arse first
Sneaky Solution: Slip an agreement into the campus network AUP that lets the "IT security office" carry out 'various surveys, tests and research to help improve campus security and promote awareness of security related issues that may effect students. All IT security office studies follow our strict <a href="PP-url-goes-here">privacy policy</a>'. Most students sign an AUP and if they don't read it, then that becomes their problem.
RTFA, they were, as stated repeatedly on this site and the blog...
People are the problem, stop procreation now!
Jeez, did you see the whiny little responses by the nimrods who were hooked by the simulated phishing attack? I say that every admin ought to do these attacks on their users daily, and anybody who replies should get their access cut until they write on the blackboard 100 times "I'm a stupid dumbass for responding to a phishing email."
Nexsan Technologies SATA RAID
Just as an aside, LSD compared to most chemicals has No health problem causing potential (esp. compared to common chemicals such as paracetamol, nicotene or alcohol). It's definatly non-toxic (nobody's yet found the OD level for acid. ever.) It *DOES* cause serious mental rewiring which may or may not lead to a) latent mental problems becoming more severe b) dopamine pathways being funged, causing flashbacks c) a tendancy to concentrate on things that are generally good in life (such as nature, religion, art & love), and d) confrontation leading to solution of mental health problems.
Just my $0.02
Programming is an Art. I am an Artist. Does that mean I get to wear a daft hat?
"Because of the ethical issues associated with deception, Jagatic and Johnson had to obtain permission from the Human Subjects Committee, which approves experiments on campus that involve humans and ensures studies are ethical and do not violate participants' privacy. . . . But because the phishing study tests responses to e-mails from close friends or acquaintances -- what the study calls a person's "social network" -- it was important to keep an element of secrecy, Menczer said. So the Human Subjects Committee allowed the actual phishing attack to run without informed consent from the subjects."
The only thing that really bothers me is that they've essentially shown phishers how to dramatically improve their results :
Er... this is sorta like doing research on how to make a better bomb, buddy. This is not socially responsible computer science research, is it? I'd be more interested in determining out how to create a social networking site ( like whatever this "facebook" thing is ) that _can't_ be exploited in such a manner. That sounds like a more productive and useful exercise, and one less likely to get everyone pissed off at you for showing them to be gullible. 70% is a lot, even if that's just an estimate.
Foraging headers in commercial spam is illegal.
This was not commercial spam.
Junior Lisa Aigner said although she understands the purpose of the study, she feels Jagatic and Johnson should have been more forthcoming about the e-mails.
Ahh yes, we all know this study would have worked had it had the disclaimer "This is only a test"
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
I think the study was worthwhile but could have been conducted better.
1. They might have obtained permission from the students whose identities were used in the from addresses, so that if the students who received the emails called and asked WTF the 'sender' would be able to explain and it wouldn't need to go further. I don't think that would invalidate the results.
2. They might have obtained permission from all the students involved to do an 'email usage experiment' throughout the semester. They wouldn't be given details of exactly what it would entail, but they would agree to be a part of the experiment. Later, when they complain, the experimenters can point out that they volunteered...
3. Did the people who gave up their passwords for chocolate sue? Hell no! They ate their chocolate and were happy. The experimenters should have offered chocolate, which makes all things good.
Now I'm hungry. Dammit.
"Do not drill any holes in your cat - it will not like it."
-- Nick Davies
Right, I picked up on this and noted it in my response to myself - however, I am still curious as to what provisions have been made for fall-out. This is now between IRB and the subjects, if none were made and IRB signed off on it (at least, that's how I see it).
trust me, the human subjects committe is not a bunch of idiots. I used to administer phone surveys that they had to approve since we were an IU affiliate and we would often have to run test after test of our surveys and constantly make changes to get approval from the HSC
I notice that a lot of the complainants have posted their e-mail addresses in the blog to try to get together to organize action...
Dear concerned student:
I am a close friend writing to you about your recent experience with a phishing study in which deception was used. I have met with an attorney on this issue who is interested in pursuing a class action lawsuit on behalf of the victims of this study. To participate, please click the link below and provide the following personal information...
The Human Subjects Committee may be investigated, but the Prof, andstudents are in the clear. they followed proper procedures and got authorization from a higher Authority.
I mean really, if you have a new drug that you want to test on Humans, and the FDA approves the trial, who is at fault if there are some negative consequences? This assumes that you did not lie to get the approval.
Just a Tuna in the Sea of Life
You obviously didn't rtfa. They did
Actually, they did phish a few tech-savvy people here, and we did attempt to point them to the authorities. The "authorities" ignored us because they were playing along with the scam the whole time. Thursday, one of my co-workers at the IU campus helpdesk got the email and dismissed it after telling us it might be a potential source of many irate callers later on in the day. And so it was. I got a caller to send us the full headers of the message that appeared to be from his girlfriend. What do you know? The headers clearly showed the message was originating from whuffo@iu.edu! So, with our limited helpdesk lookup tools, I found that whuffo@iu.edu was indeed a valid e-mail account, but it was registered as a departmental account and we could not see who personally created the account. I wanted to get to the bottom of this so I went ahead and looked at the link in the email that it wants users to click on. What do you know? It redirects to a site called www.whuffo.com before asking for the user's credentials! While my co-workers were bitching about it, I decided to do some detective work (Not sure why my co-workers, normally very competent at problem solving skills, didn't think of this). I looked up the whois info on whuffo.com and what do you know? The domain is registered to Professor Markus Jakobssen, of the IU Informatics Department! So who's this Markus guy? I found his IU websites. And one of his research interests is 'phishing.' Hmmm. I take a look at the upper level classes he teaches. What do you know? His powerpoint lecture for I400 for this week is all about HOW TO PULL OFF A PHISHING SCAM. Wow, what's the connection here? Meanwhile, the helpdesk had made this an escalated incident and turned it over to the IT security office. We get a message back (from Tom Jagatic of the IT policy office) saying they are "mitigating the effects of the issue." I had to go look up mitigating in the dictionary before I realized this wasn't a typical response from ITSO. Normally they'd jump on something like this and put a stop to the emails right away. Giving ITSO the benefit of the doubt, I decide to use my new clues on who might be doing this. With this information in hand, I shot off an e-mail to Tom J. and ITSO and the whole rest of the day, I get no response at all. We continue taking calls from confused users and ask them all to change their passwords as it's all we can really tell them to do at this point. I go home and check all fucking weekend, and believe me I was watching all our e-mail accounts like a hawk. No response from Tom Jagatic or the IT security office. So on Monday I'm back at work and I check my mail to find that the whole scam has been put out in the open. In our email there were copies of several mass-emailed apologies to the users who got the phishy message, the users whose identities were spoofed, and to the support center and helpdesk staff. All these messages contained was an explanation of the "experiment" (which you can read in any news story about it) and their "sincere apologies." The rest is history. The blog that Tom and Markus setup, where people are commenting, has got lots of angry people angry at themselves for being duped. That's not why I'm angry. All I want from Tom and ITSO is an actual sincere apology for all the work and extra detective skills I/we put into trying to find the perpetrator, since at the time we weren't in on their little plan. No one seems to understand that in any other circumstance, if this were a real security threat, we'd all be getting pats on the back and compliments for figuring out who was behind it before ITSO did (as that's their job, normally.) But, no, since Tom, Markus, ITPO, and ITSO were all in on it, we just get a mitigated effort at an apology from those guys.
You might say that the Committee did something wrong, but not the students.
I think it's pretty clear to everyone that these students didn't follow proper procedure for research studies. When I did human experimental research, I had to have my research proposal approved by the Institutional Review Board at my college.
You obviously didn't rtfa. they did have explicit approval.
I feel like fueling the fire.
Thursday, one of my co-workers at the IU campus helpdesk got the email and dismissed it after telling us it might be a potential source of many irate callers later on in the day.
And so it was. I got a caller to send us the full headers of the message that appeared to be from his girlfriend. What do you know? The headers clearly showed the message was originating from whuffo@iu.edu!
So, with our limited helpdesk lookup tools, I found that whuffo@iu.edu was indeed a valid e-mail account, but it was registered as a departmental account and we could not see who personally created the account.
I wanted to get to the bottom of this so I went ahead and looked at the link in the email that it wants users to click on. What do you know? It redirects to a site called www.whuffo.com before asking for the user's credentials!
While my co-workers were bitching about it, I decided to do some detective work (Not sure why my co-workers, normally very competent at problem solving skills, didn't think of this). I looked up the whois info on whuffo.com and what do you know? The domain is registered to Professor Markus Jakobssen, of the IU Informatics Department!
So who's this Markus guy? I found his IU websites. And one of his research interests is 'phishing.' Hmmm. I take a look at the upper level classes he teaches. What do you know? His powerpoint lecture for I400 for this week is all about HOW TO PULL OFF A PHISHING SCAM. Wow, what's the connection here?
Meanwhile, the helpdesk had made this an escalated incident and turned it over to the IT security office. We get a message back (from Tom Jagatic of the IT policy office) saying they are "mitigating the effects of the issue." I had to go look up mitigating in the dictionary before I realized this wasn't a typical response from ITSO. Normally they'd jump on something like this and put a stop to the emails right away.
Giving ITSO the benefit of the doubt, I decide to use my new clues on who might be doing this. With this information in hand, I shot off an e-mail to Tom J. and ITSO and the whole rest of the day, I get no response at all. We continue taking calls from confused users and ask them all to change their passwords as it's all we can really tell them to do at this point.
I go home and check all fucking weekend, and believe me I was watching all our e-mail accounts like a hawk. No response from Tom Jagatic or the IT security office.
So on Monday I'm back at work and I check my mail to find that the whole scam has been put out in the open. In our email there were copies of several mass-emailed apologies to the users who got the phishy message, the users whose identities were spoofed, and to the support center and helpdesk staff. All these messages contained was an explanation of the "experiment" (which you can read in any news story about it) and their "sincere apologies."
The rest is history. The blog that Tom and Markus setup, where people are commenting, has got lots of angry people angry at themselves for being duped. That's not why I'm angry.
All I want from Tom and ITSO is an actual sincere apology for all the work and extra detective skills I/we put into trying to find the perpetrator, since at the time we weren't in on their little plan. No one seems to understand that in any other circumstance, if this were a real security threat, we'd all be getting pats on the back and compliments for figuring out who was behind it before ITSO did (as that's their job, normally.) But, no, since Tom, Markus, ITPO, and ITSO were all in on it, we just get a 'mitigated' effort at an apology from those guys.
Isn't this illegal? I thought that research on human subjects-- even psychological research like this-- required consent.
I don't *know* that, but I've heard people moan about the bureaucratic requirements for doing research involving human subjects in the past.
Anonymous Says:
April 25th, 2005 at 6:33 pm
The only problem I have with this is that I don't think it effectively teaches users how to identify a phishing scam. Most of the scams people fall for are spoofed emails from Ebay, Paypal, and various banks asking the user to confirm their account information.
Well, did you fall for it? Yes? There! You learned something! Congratulations!
The purpose of education is to give you a background of basic information to apply to real life. We're not here to spoon-feed you. User input (read: thought) should be required. Sure, you might be able to get by in life following the crowd, but it isn't likely to be the most interesting.
We always hear about phishing attacks and how easy they are to pull off. But, what can a web admin do to prevent them or at least try and protect their user base?
Oh come on, quit complaining. As an ex university helpdesk employee all I can say be proud you figured it out so easily, don't worry they noticed. Good posting though.
If anyone else does it, then it is fraud.
It is truly astonishing what is publicly available. We should all be more careful about what we let others know about us,
He makes this extremely good point some ways into the article. People are so gullilble. They're like Pavlov's dogs who salivate every time they see or hear the word "free", or come across anything that has some kind of "deal" attached to it. After the "I got something for free" rush wears off, the actual cost can be quite substantial.
I've managed to confound some people at a local specialty store- three times now they've offered me the opportunity to fill out a "deal" card, where they track your purchases. After a certain number, you get a small quantity of the same product for free. I've declined every time. It's just not worth it.
Sometimes I'll click on those links to "update my eBay" account and give them fake info for shiats and giggles. For example, supplying Bill Gates and a Visa card with a fake bank number.
This study argues in the strongest possible way that that design decision is a security risk. So if you go to facebook without this study and say "Hey guys, love the site, but I think the friends lists are abusable" and they say "They're pretty secure, people know who friends are in real life anyhow, there is no damage if the information is disclosed, and we think the remote possibility of abuse is outweighed by the benefit to our members", what do you do? Say "Alright, here is a proof-of-concept exploit which is empirically demonstrated to be a gaping security hole". Now, why do this without asking facebook first? Because there are hundreds of social networking sites out there and EVERY ONE which exposes relationship information to the outside world has the same design flaw. This adds to the public recognition that that flaw is actually a flaw, much like academic research has demonstrated that, say, web systems which rely on hash tables should salt their hashes or they can be DOSed by a single dialup modem producing intentional collisions and getting worst-case performance from the table. Now THATS socially valuable research.
This is completely aside from other valuable insights gained from the study in terms of human psychology and man-machine interfaces.
Help poke pirates in the eyepatch, arr.
let me say "ha ha"
lots of research in social science is based on deception or misdirection. they would screen us at purdue with tests that had nothing to do with the study.
i wish i could remember some of those tests, but right now a friend wants me to sign into something.
Congrats on not taking their "deal/fidelity/loyalty card". I hate those things. Just lower the price. It's as bad as those stupid mail-in rebates.
Here is a story that I heard from a friend of a friend...
Some of you may recall that Redhat made a "Friends & Family" offer for 100 IPO shares to each person listed in the credits section of the linux kernel README file.
Apparently, anyone residing outside of the USA was not elligible for this offer. So, an enterprising (devious?) fellow went through the list of foreign email addresses in the credits file that were dead - i.e. bouncing any incoming message and impersonated them with freemail accounts - for example if JohanJones@stutgart.de was listed and his address was bouncing this guy created a JohanJones@hotmail.com and told etrade (the broker handling the friends and family offer) that he was the guy behind that address (even though his real name did not match the "name" of the email address).
Apparently he was able to acquire over a thousand shares at pre-IPO prices that way, and flipped them all somewhere over $90 each. At least so goes the story. I've got no proof, but at least it sounds good.
And if it is true, it might just qualify as the first reverse-phishing exploit where a regular guy fooled a big bank (etrade) into thinking he was some other regular guy(s) based on phony but plausible email addresses.
When information is power, privacy is freedom.
"That's precisely what they did. The whole thing was authorized from top to bottom."
What's amusing is that the value assumption seems to be that the results could have been dismissed on the basis of authority, regardless of repeatability, falsifiability, documentation, testability, etc.
The ethical and bureaucratic considerations are a separate issue from the research goals and the scientific method.
-fb Everything not expressly forbidden is now mandatory.
Fraud is generally defined in the law as an intentional misrepresentation of material existing fact made by one person to another with knowledge of its falsity and for the purpose of inducing the other person to act, and upon which the other person relies with resulting injury or damage. reference
I would think that in order for this to be illegal, univerity oversight and any special rules notwithstanding, a phishee would simply have to show damage, if in fact any damage exists.
You guys are fucking idiots. I couldn't possibly begin to respond to all the stupid posts I've seen so far. You guys would be better of locking yourself in whatever IT space you have and never ever leave it. God forbid some other human being has to look upon your rat asses.
However, the study also falsely used innocent people's names, in forging the sending addresses. That is not justifiable. It is lying, and it libels the victims. Furthermore, the study could have been conducted without doing this, by contacting candidates and asking permission to use their names while swearing them to secrecy. Those who agreed to participate could have been given assistance in explaining the study to the email recipients after the study, and anybody the recipients could have been expected to contact, such as IT support departments, could have been briefed.
8-PP
Granted, you have to be a little stupid to actually enter your name/pwd in a site just because you received an e-mail.
But what about pranks?
It's easy to create an email that looks legitimate and send it as another person... You only need your regular email software. Even more if you actually know both people.
For example, when I was studying (4 years ago), we used to email with some teachers.
One guy sent a mail to another, posing as the teacher, telling him his test or assignment (I don't remember) was bad.
Not everybody has the time to check mail headers and verify the identity of the sender (and even that can be spoofed). Until we move to an all-signed email world, we're stuck with this.
...the complaints that these so-called "victims" were levying against the researchers for making them look dumb, when it is they who are at fault for actually providing the personal information in the first place.