Slashdot Mirror


Phishing for Credit

An anonymous reader writes "Two graduate students at Indiana University conducted a phishing study to determine how readily students will give up personal information if the phishing emails appear to come from close friends. Using only publicly available information, they sent out emails to students asking them to click a link that required username/password information. Needless to say, the study has generated lots of attention on campus. The student newspaper has the story and the researchers have created a blog where the participants can vent."

10 of 218 comments

  1. forged headers by doormat · · Score: 5, Informative

    "I was frustrated that I was hearing from a friend that my e-mail account was sending her things,"

    Spam can come from anyone; it's not too hard to forge the "FROM" line on an email. I'd hardly call it abuse of your account when spammers do it all the time.

    --
    The Doormat

    If you're not outraged, then you're not paying attention.
  2. Re:5 bucks says... by Anonymous Coward · · Score: 2, Informative

    You lose. Their Ethics board cleared the experiment.

  3. RTFA.... by YankeeInExile · · Score: 5, Informative

    ... to find that they did this experiment under the oversight of the university's Human Subjects Committee.

    If that doesn't sound like some sort of ethical guidelines I don't know what does.

    --
    How does the Slashdot Effect happen given that no slashdotters ever RTFA?
  4. Re:I see their point, but... by Twanfox · · Score: 2, Informative

    Just to be known, if you have the proper equipment, you can indeed send out a spoofed Caller ID tag. The Caller ID tag is not guaranteed to be the exact number that the person is calling from. Large companies often mask their internal numbers with one main one that anyone receiving a call could use to reach the main operator. To do so for more nefarious purposes could be done, but the trick is that, in order to truly fool a person, they have to mimic a voice as well. This is what would typically trip up someone seeking to do phishing on that level, even though it is still done to acquire username/password information if you act official enough.

  5. reportphishing@antiphishing.org by jago25_98 · · Score: 2, Informative

    For reference, send phish email you've received to

    reportphishing@antiphishing.org

    ( from http://www.antiphishing.org/report_phishing.html )

  6. Re:The More Attention This Gets, The Better by pclminion · · Score: 4, Informative

    I think it's pretty clear to everyone that these students didn't follow proper procedure for research studies. When I did human experimental research, I had to have my research proposal approved by the Institutional Review Board at my college.

    That's precisely what they did. The whole thing was authorized from top to bottom. They even got the okay from campus IT to "abuse" the computer systems for their purposes. Try RTFA sometime.

  7. Re:The More Attention This Gets, The Better by TIMxPx · · Score: 1, Informative

    It appears that the experimenters did have some clearance, after RTFA. Perhaps they didn't follow the plan, didn't disclose all of the information to the review board, or the board didn't understand the nature of the project?

    --
    There are 10 kinds of people in the world: That averages about 660,000,000 of each kind.
  8. Re:I see their point, but... by Foz · · Score: 2, Informative

    It's a hell of a lot easier to spoof a Caller ID tag than you are leading on. I routinely get fax blasters calling me from bogus numbers like "987-654-3210" (yeah, like THAT isn't obvious, sheesh). Requires no specialized equipment at all on your part.

    You have places like http://www.spooftel.com/ and http://www.covertcall.com/ (tons more can be found by googling) that easily allow this (caveat, I haven't actually TRIED any of the above, they may be completely bogus).

    -- Gary F.

  9. Re:shades of Randal Schwarz at Intel by Anonymous Coward · · Score: 2, Informative

    He was actually convicted of several charges; I believe he got probation. He had been working as a contractor at Intel at the time. And it had nothing to do with bidding on a project, nor with testing Intel's security.

  10. Re:I see their point, but... by Noonian · · Score: 2, Informative

    But grad students? I don't see any problem with that at all. In fact, they don't need anyone's permission to do what they did. However, in good faith, they did get the approval of the Human Subjects Committee.

    Actually, grad students are just as subject to IRB (Institute Research Board) human subjects approval as faculty. Any research that involves human subjects and is intended to ever be published must obtain IRB approval prior to conducting the research.

    As part of the IRB approval process, there are several criteria that the board looks for. The relevant criterion here is "informed consent." That is, are the participants given enough information about the study to make their own reasonable decisions about whether they wish to participate and consent to the research? For some studies, informed consent simply is not feasible (as in the case here). In such cases, the researchers must convince the IRB that a) the risk to the participants is not unreasonable, b) there is a valid research contribution, c) the deception is necessary to the study, and d) the deception is revealed to the participants after the study and the real reasons for the study are given, along with the opportunity for the participant to opt out from having his or her data included.

    It is the researcher's responsibility to make sure that the participants' rights are observed, and the IRB's responsibility to provide oversight to make sure the researchers are being responsible. That applies just as much to any researcher, whether an undergrad, a grad student, or a faculty member.