Slashdot Mirror

← Back to Stories (view on slashdot.org)

Phishing for Credit

Posted by Zonk on from the both-academic-and-financial dept.

An anonymous reader writes "Two graduate students at Indiana University conducted a phishing study to determine how readily students will give up personal information if the phishing emails appear to come from close friends. Using only publicly available information, they sent out emails to students asking them to click a link that required username/password information. Needless to say, the study has generated lots of attention on campus. The student newspaper has the story and the researchers have created a blog where the participants can vent."

16 of 218 comments (clear)

  1. Dear Friend by fembots · · Score: 4, Funny

    Dear Friend,

    Can you please click on this link?

    Yours Truly Friendly,
    Close Friend

    --
    Rock that crushes, Paper & Scissors that don't matter.
  2. Just watch by hsmith · · Score: 5, Insightful

    They will be pressed with charges even though they had good intentions compared to hardly anyone getting caught with malicious intentions.

    1. Re:Just watch by j!mmy+v. · · Score: 5, Insightful

      Oh, naturally. The single fastest way to get people riled and after your ass is to make them look stupid. Publicly.

      Seriously, whatever happens, guys sharp enough to organize a phish study couldn't see it coming?

      --
      -- often wrong; never in doubt
  3. I see their point, but... by daveschroeder · · Score: 5, Insightful

    But some students are upset they were involved in the study without their consent or knowledge. Senior Rebecca Shakespeare did not even know she had been used as a sender until her friend notified her.

    "I was frustrated that I was hearing from a friend that my e-mail account was sending her things," Shakespeare said. "I had no idea where it was coming from. I was irritated because I was concerned that my home system was being abused."

    Shakespeare called University Information Technology Services, which said it could have been a virus and to not click on the link.

    "I've spent a lot of time keeping my (computer) secured," Shakespeare said. "I feel kind of used that it was the University that was making my friends think I had opened up my system to viruses."

    If that's really why they're concerned, well, maybe they'd be interested in knowing that the vast majority of virus/malware type things that send email in this fashion still don't originate from the computer of the person in question anyway...therefore, this whole rationale for worry is BS, since spoofed email can come from *anywhere*, and it's most often NOT your own computer.

    And - make no mistake, I really do see their point - but the IT resources belong to the university, and neither the university nor the researchers uses the person's account or any password or other credentials belonging to the person. It was simply a spoofed "from" address; nothing more. And if it's strictly "legal" for any random person to spoof a from address, it's just as legal for the purposes of research, whose findings may provide some level of insight on *protecting* people from malicious phishing.

    Now, I personally don't know whether any of this justifies doing the study in the way they did. That's a judgment call. If the university's IT organization proper is doing it, that's one thing, and I could see people being uncomfortable with the motivations. But grad students? I don't see any problem with that at all. In fact, they don't need anyone's permission to do what they did. However, in good faith, they did get the approval of the Human Subjects Committee.

    1. Re:I see their point, but... by swv3752 · · Score: 4, Interesting

      Secure email, PGP/GPG. Enigmail is an extension for Mozilla to use PGP to encrypt or just sign emails.

      --
      Just a Tuna in the Sea of Life
  4. Your slashdot session has expired by Anonymous Coward · · Score: 4, Funny

    please reply to this message with the following information:

    Nickname:
    Password:

  5. forged headers by doormat · · Score: 5, Informative

    "I was frustrated that I was hearing from a friend that my e-mail account was sending her things,"

    Spam can come from anyone - its not too hard to forge the "FROM" line on an email. I'd hardly call it abuse of your account when spammers do it all the time.

    --
    The Doormat

    If you're not outraged, then you're not paying attention.
  6. Heh by Otter · · Score: 4, Funny
    [T]he researchers have created a blog where the participants can vent.

    This would make a nice change from the usual celebrity-in-trouble "apologies", where they go on the Tonight Show, bite their lips and look downcast and assure us "I'm very, deeply, truly sorry..."

    Instead we can get, "Jay, I have created a blog where people can vent."

    --
    What I'm listening to now on Pandora...
  7. Study extension by Rosco+P.+Coltrane · · Score: 4, Funny

    Two graduate students at Indiana University conducted a phishing study to determine how readily students will give up personal information

    After such a successful research on phishing, our two friends have decided to tackle a new study: test how much load e-commerce sites can handle, and how much money ATMs can usually deliver on any given day.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  8. Well done... by Yaa+101 · · Score: 4, Insightful

    I think it's good to let students (future scientists, decicion makers etc...) feel what it means to be part of socially constructed fraud... Mainly because this will get worse and worse over time, you see how many database leaks with high profile personal data have taken place lately. People have to learn ways around all this identity theft, the only way is to confront them with the consequenses of this all.

  9. RTFA.... by YankeeInExile · · Score: 5, Informative

    ... to find that they did this experiment under the oversight of the university's Human Subjects Committee.

    If that doesn't sound like some sort of ethical guidelines I don't know what does.

    --
    How does the Slashdot Effect happen given that no slashdotters ever RTFA?
  10. study successful by BroadwayBlue · · Score: 4, Interesting
    "It's kind of ridiculous," she [Junior Lisa Aigner] said. "It's just the fact that a group supposedly affiliated with (the University) ... kind of took my trust and threw it out the window."

    Welcome to the internet; trust no one. I hope more people got the message.

  11. Re:The More Attention This Gets, The Better by pclminion · · Score: 4, Informative
    I think it's pretty clear to everyone that these students didn't follow proper procedure for research studies. When I did human experimental research, I had to have my research proposal approved by the Institutional Review Board at my college.

    That's precisely what they did. The whole thing was authorized from top to bottom. They even got the okay from campus IT to "abuse" the computer systems for their purposes. Try RTFA sometime.

  12. Re:Oh the brainsss! by remahl · · Score: 4, Insightful

    That could easily be said for other experiments that have been challenged on ethical grounds. Sometimes experiments find things about ourselves we'd rather not know.

    For example, the Milgram experiement, where participants were mildly coerced by an authoritative person to administer strong electrical shocks to a subject (who was really an actor). A high proportion of the participants were willing to administer levels of shock that they believed to be lethal.

    Would you like to know that you would be capable of murder as long as someone else was there to take the responsibility/blame? Even if the person in the quoted blog post should feel foolish, that does not make the experiment ethical and non-offensive - quite the opposite.

  13. Too easy? by stinky+wizzleteats · · Score: 4, Funny

    I notice that a lot of the complainants have posted their e-mail addresses in the blog to try to get together to organize action...

    Dear concerned student:
    I am a close friend writing to you about your recent experience with a phishing study in which deception was used. I have met with an attorney on this issue who is interested in pursuing a class action lawsuit on behalf of the victims of this study. To participate, please click the link below and provide the following personal information...

  14. Story from an IU employee by kismaty · · Score: 4, Interesting

    I feel like fueling the fire.

    Thursday, one of my co-workers at the IU campus helpdesk got the email and dismissed it after telling us it might be a potential source of many irate callers later on in the day.

    And so it was. I got a caller to send us the full headers of the message that appeared to be from his girlfriend. What do you know? The headers clearly showed the message was originating from whuffo@iu.edu!

    So, with our limited helpdesk lookup tools, I found that whuffo@iu.edu was indeed a valid e-mail account, but it was registered as a departmental account and we could not see who personally created the account.

    I wanted to get to the bottom of this so I went ahead and looked at the link in the email that it wants users to click on. What do you know? It redirects to a site called www.whuffo.com before asking for the user's credentials!

    While my co-workers were bitching about it, I decided to do some detective work (Not sure why my co-workers, normally very competent at problem solving skills, didn't think of this). I looked up the whois info on whuffo.com and what do you know? The domain is registered to Professor Markus Jakobssen, of the IU Informatics Department!

    So who's this Markus guy? I found his IU websites. And one of his research interests is 'phishing.' Hmmm. I take a look at the upper level classes he teaches. What do you know? His powerpoint lecture for I400 for this week is all about HOW TO PULL OFF A PHISHING SCAM. Wow, what's the connection here?

    Meanwhile, the helpdesk had made this an escalated incident and turned it over to the IT security office. We get a message back (from Tom Jagatic of the IT policy office) saying they are "mitigating the effects of the issue." I had to go look up mitigating in the dictionary before I realized this wasn't a typical response from ITSO. Normally they'd jump on something like this and put a stop to the emails right away.

    Giving ITSO the benefit of the doubt, I decide to use my new clues on who might be doing this. With this information in hand, I shot off an e-mail to Tom J. and ITSO and the whole rest of the day, I get no response at all. We continue taking calls from confused users and ask them all to change their passwords as it's all we can really tell them to do at this point.

    I go home and check all fucking weekend, and believe me I was watching all our e-mail accounts like a hawk. No response from Tom Jagatic or the IT security office.

    So on Monday I'm back at work and I check my mail to find that the whole scam has been put out in the open. In our email there were copies of several mass-emailed apologies to the users who got the phishy message, the users whose identities were spoofed, and to the support center and helpdesk staff. All these messages contained was an explanation of the "experiment" (which you can read in any news story about it) and their "sincere apologies."

    The rest is history. The blog that Tom and Markus setup, where people are commenting, has got lots of angry people angry at themselves for being duped. That's not why I'm angry.

    All I want from Tom and ITSO is an actual sincere apology for all the work and extra detective skills I/we put into trying to find the perpetrator, since at the time we weren't in on their little plan. No one seems to understand that in any other circumstance, if this were a real security threat, we'd all be getting pats on the back and compliments for figuring out who was behind it before ITSO did (as that's their job, normally.) But, no, since Tom, Markus, ITPO, and ITSO were all in on it, we just get a 'mitigated' effort at an apology from those guys.