Slashdot Mirror


Phishing for Credit

An anonymous reader writes "Two graduate students at Indiana University conducted a phishing study to determine how readily students will give up personal information if the phishing emails appear to come from close friends. Using only publicly available information, they sent out emails to students asking them to click a link that required username/password information. Needless to say, the study has generated lots of attention on campus. The student newspaper has the story and the researchers have created a blog where the participants can vent."

6 of 218 comments

  1. study successful by BroadwayBlue · Score: 4, Interesting
    "It's kind of ridiculous," she [Junior Lisa Aigner] said. "It's just the fact that a group supposedly affiliated with (the University) ... kind of took my trust and threw it out the window."

    Welcome to the internet; trust no one. I hope more people got the message.

  2. Erg. I'd love to see... by Niet3sche · Score: 1, Interesting

    the IRB Human Subjects form. This was a deception study, clearly. The fact that this was so is fine, but running things like this past IRB requires a strict and rigid understanding between the PIs and the IRB. Also, AFAIK, provisions must be made for "repairing" anyone who is damaged by the research - even if it is incidental (e.g. your research was only "the last straw").


    I'd like to see the IRB to determine how things are done at IU. Without seeing the form, I really cannot comment on whether what was done was "ethical" or not. It is a blisteringly simple experiment, and if they can get a paper out of it, it'd be what we call "low-hanging fruit".


    However, if no IRB approval was received, then this is an entirely different matter. IRB approval == crap hits IRB if things go horribly wrong. No IRB approval == crap hits PIs and all associated if things go horribly (or publicly) wrong.


    Hopefully the forms were filled out.

  3. Re:I see their point, but... by swv3752 · Score: 4, Interesting

    Secure email, PGP/GPG. Enigmail is an extension for Mozilla to use PGP to encrypt or just sign emails.

    --
    Just a Tuna in the Sea of Life
  4. "How to improve your phishing attack" by javaxman · Score: 2, Interesting

    I don't understand fully people being upset about this, other than, ahem, people who gave up their passwords (whoops!). It sucks to have someone, er, 'make you look stupid'. Of course, there is the potential that they are somehow/somewhere keeping copies of everyone's passwords, though it looks like they're claiming to delete the actual data.

    The only thing that really bothers me is that they've essentially shown phishers how to dramatically improve their results:

    About 70% of recipients fell victim to the attacks using contextual information from social networks; this is an increase by a factor of 23 compared to known phishing attacks, and by a factor of four compared to the case where the sender is unknown but appears to be in the same domain as the victim

    Er... this is sorta like doing research on how to make a better bomb, buddy. This is not socially responsible computer science research, is it? I'd be more interested in determining how to create a social networking site (like whatever this "facebook" thing is) that _can't_ be exploited in such a manner. That sounds like a more productive and useful exercise, and one less likely to get everyone pissed off at you for showing them to be gullible. 70% is a lot, even if that's just an estimate.

  5. Actually they did. (from an IU employee) by kismaty · Score: 3, Interesting

    Actually, they did phish a few tech-savvy people here, and we did attempt to point them to the authorities. The "authorities" ignored us because they were playing along with the scam the whole time.

    Thursday, one of my co-workers at the IU campus helpdesk got the email and dismissed it after telling us it might be a potential source of many irate callers later on in the day. And so it was. I got a caller to send us the full headers of the message that appeared to be from his girlfriend. What do you know? The headers clearly showed the message was originating from whuffo@iu.edu!

    So, with our limited helpdesk lookup tools, I found that whuffo@iu.edu was indeed a valid e-mail account, but it was registered as a departmental account and we could not see who personally created the account. I wanted to get to the bottom of this so I went ahead and looked at the link in the email that it wants users to click on. What do you know? It redirects to a site called www.whuffo.com before asking for the user's credentials!

    While my co-workers were bitching about it, I decided to do some detective work (not sure why my co-workers, normally very competent at problem solving skills, didn't think of this). I looked up the whois info on whuffo.com and what do you know? The domain is registered to Professor Markus Jakobsson, of the IU Informatics Department! So who's this Markus guy? I found his IU websites. And one of his research interests is 'phishing.' Hmmm. I take a look at the upper level classes he teaches. What do you know? His powerpoint lecture for I400 for this week is all about HOW TO PULL OFF A PHISHING SCAM. Wow, what's the connection here?

    Meanwhile, the helpdesk had made this an escalated incident and turned it over to the IT security office. We get a message back (from Tom Jagatic of the IT policy office) saying they are "mitigating the effects of the issue." I had to go look up mitigating in the dictionary before I realized this wasn't a typical response from ITSO. Normally they'd jump on something like this and put a stop to the emails right away.

    Giving ITSO the benefit of the doubt, I decide to use my new clues on who might be doing this. With this information in hand, I shot off an e-mail to Tom J. and ITSO and the whole rest of the day, I get no response at all. We continue taking calls from confused users and ask them all to change their passwords as it's all we can really tell them to do at this point. I go home and check all fucking weekend, and believe me I was watching all our e-mail accounts like a hawk. No response from Tom Jagatic or the IT security office.

    So on Monday I'm back at work and I check my mail to find that the whole scam has been put out in the open. In our email there were copies of several mass-emailed apologies to the users who got the phishy message, the users whose identities were spoofed, and to the support center and helpdesk staff. All these messages contained was an explanation of the "experiment" (which you can read in any news story about it) and their "sincere apologies."

    The rest is history. The blog that Tom and Markus set up, where people are commenting, has got lots of angry people angry at themselves for being duped. That's not why I'm angry. All I want from Tom and ITSO is an actual sincere apology for all the work and extra detective skills I/we put into trying to find the perpetrator, since at the time we weren't in on their little plan. No one seems to understand that in any other circumstance, if this were a real security threat, we'd all be getting pats on the back and compliments for figuring out who was behind it before ITSO did (as that's their job, normally.) But, no, since Tom, Markus, ITPO, and ITSO were all in on it, we just get a mitigated effort at an apology from those guys.

  6. Story from an IU employee by kismaty · Score: 4, Interesting

    I feel like fueling the fire.

    Thursday, one of my co-workers at the IU campus helpdesk got the email and dismissed it after telling us it might be a potential source of many irate callers later on in the day.

    And so it was. I got a caller to send us the full headers of the message that appeared to be from his girlfriend. What do you know? The headers clearly showed the message was originating from whuffo@iu.edu!

    So, with our limited helpdesk lookup tools, I found that whuffo@iu.edu was indeed a valid e-mail account, but it was registered as a departmental account and we could not see who personally created the account.

    I wanted to get to the bottom of this so I went ahead and looked at the link in the email that it wants users to click on. What do you know? It redirects to a site called www.whuffo.com before asking for the user's credentials!

    While my co-workers were bitching about it, I decided to do some detective work (not sure why my co-workers, normally very competent at problem solving skills, didn't think of this). I looked up the whois info on whuffo.com and what do you know? The domain is registered to Professor Markus Jakobsson, of the IU Informatics Department!

    So who's this Markus guy? I found his IU websites. And one of his research interests is 'phishing.' Hmmm. I take a look at the upper level classes he teaches. What do you know? His powerpoint lecture for I400 for this week is all about HOW TO PULL OFF A PHISHING SCAM. Wow, what's the connection here?

    Meanwhile, the helpdesk had made this an escalated incident and turned it over to the IT security office. We get a message back (from Tom Jagatic of the IT policy office) saying they are "mitigating the effects of the issue." I had to go look up mitigating in the dictionary before I realized this wasn't a typical response from ITSO. Normally they'd jump on something like this and put a stop to the emails right away.

    Giving ITSO the benefit of the doubt, I decide to use my new clues on who might be doing this. With this information in hand, I shot off an e-mail to Tom J. and ITSO and the whole rest of the day, I get no response at all. We continue taking calls from confused users and ask them all to change their passwords as it's all we can really tell them to do at this point.

    I go home and check all fucking weekend, and believe me I was watching all our e-mail accounts like a hawk. No response from Tom Jagatic or the IT security office.

    So on Monday I'm back at work and I check my mail to find that the whole scam has been put out in the open. In our email there were copies of several mass-emailed apologies to the users who got the phishy message, the users whose identities were spoofed, and to the support center and helpdesk staff. All these messages contained was an explanation of the "experiment" (which you can read in any news story about it) and their "sincere apologies."

    The rest is history. The blog that Tom and Markus set up, where people are commenting, has got lots of angry people angry at themselves for being duped. That's not why I'm angry.

    All I want from Tom and ITSO is an actual sincere apology for all the work and extra detective skills I/we put into trying to find the perpetrator, since at the time we weren't in on their little plan. No one seems to understand that in any other circumstance, if this were a real security threat, we'd all be getting pats on the back and compliments for figuring out who was behind it before ITSO did (as that's their job, normally.) But, no, since Tom, Markus, ITPO, and ITSO were all in on it, we just get a 'mitigated' effort at an apology from those guys.
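The helpdesk triage described in the post above (read the full headers, note the From: domain, then check where the link actually points) can be scripted as a first-pass filter. The following is an added example written for this page, not code from the poster, IU or the researchers; the message it parses is constructed, and the iu.edu / whuffo.com hosts are the ones named in the post. A mismatch between sender domain and link host is a signal for a human to look at, not proof of phishing.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample, modelled on the post: campus From: address, body link
# to an outside host that asks for credentials.
SAMPLE_EMAIL = """\
From: Friend <whuffo@iu.edu>
To: student@iu.edu
Subject: check this out
Content-Type: text/plain; charset=us-ascii

hey, look at this: http://www.whuffo.com/login?u=student
also https://www.iu.edu/ is fine
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_domain(msg):
    """Domain of the From: header (text after the last '@'), lower-cased."""
    _, addr = email.utils.parseaddr(msg["From"])
    return addr.rpartition("@")[2].lower()


def same_org(host, domain):
    """True if host is the sender's domain or a subdomain of it.
    The leading dot keeps 'iu.edu.example' from matching 'iu.edu'."""
    return host == domain or host.endswith("." + domain)


def flag_offsite_links(raw):
    """Return body URLs whose host does not belong to the sender's domain,
    i.e. the mismatch the helpdesk spotted by hand (iu.edu vs whuffo.com)."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    flagged = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not same_org(host, domain):
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for url in flag_offsite_links(SAMPLE_EMAIL):
        print("off-site link from campus sender:", url)
```

The From: header is trivially spoofable, so on a real ticket the Received: chain and the redirect target (the post's www.whuffo.com hop) are what confirm the origin.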