Phishers can use social Web sites as bait to net victims

May 24, 2007

Internet sites such as MySpace and Facebook are popular ways for friends to stay in touch, but they also can be used by cyber sharks posing as "friends," enabling them to steal personal and financial information.

That's one of the conclusions found by researchers at the Indiana University School of Informatics. In their study, "Social Phishing," the scientists claim to have established for the first time a baseline for the success rate of individual phishing attacks, both traditional and with social context.

Phishing is duping someone into giving up private data -- such as credit card and Social Security numbers -- by masquerading as an authority. This is usually accomplished through e-mail or instant messaging, directing the recipient to a fraudulent Web site that appears legitimate.

"Phishing has become such a prevalent problem because of its huge profit margins, ease in launching an attack and the difficulty of identifying and prosecuting those who do it," said Filippo Menczer, associate professor of informatics and computer science. "Our study clearly shows that social networks can provide phishers with a wealth of information about unsuspecting victims."

Menczer was joined by Markus Jakobsson, associate professor of informatics, and computer science graduate students Tom Jagatic and Nathaniel Johnson. Their study is scheduled to appear in the October 2007 issue of Communications of the Association of Computing Machinery.

Their phishing expedition was spawned in April 2005 as a Web-mining student project at IU's Bloomington campus. It was approved in advance by the IU-Bloomington Human Subjects Committee, which is responsible for reviewing and approving research activities involving human subjects and data collection. The researchers also worked closely with the university's information technology policy and security offices.

"The attempt in performing such an experiment was to quantify -- in an ethical manner -- how reliable social context would increase the success of a phishing attack," Menczer said.

No personal information or any other sensitive data was collected from those who responded to the simulated phishing attack.

The researchers began by harvesting freely available information by crawling social network and blogging Web sites, allowing them to easily build a database with tens of thousands of relationships.

"This could be done using off-the-shelf crawling and parsing tools, accessible to anyone with introductory-level familiarity with Web scripting," said Jagatic. "For the purposes of our study, we focused on a subset of targets affiliated with IU by cross-correlating the data with IU's address book database."

Jagatic said this was done to guarantee that all subjects were IU students, which was part of the approval to perform the experiment on human subjects.

The experiment spoofed e-mail messages to two groups of students: One group received messages from senders they thought to be friends, while the other group received e-mail from strangers. Both groups were asked in their e-mails to visit an external Web site and enter their university ID and password.

Sixteen percent of students receiving e-mail from strangers took the bait, while 72 percent receiving e-mails from "friends" on their social networking sites gave up the information.

"We were astonished by that 72 percent response rate," Jakobsson said.

And for good reason: Surveys by the Gartner Group report that about 3 percent of adult Americans are successfully targeted by phishing attacks each year, an amount that might be conservative given that many are reluctant to report they have been victimized, or may even be unaware of it.

The study suggests that some countermeasures can be taken to thwart social phishing. Digitally signed e-mail could verify the identity of senders. A second line of defense might be a browser toolbar, alerting Web users about spoofing attempts. A third countermeasure would be improved spam filters that detect spoofed emails by analyzing the email path information. Finally, another technique might be to provide users with a secure path for entering passwords, alerting users that they are trying to authenticate to an unknown site.

"Our study also points to the need for extensive educational campaigns about phishing and other security threats," said Jakobsson. "Efforts such as SecurityCartoon.com aim to make typical Internet users less vulnerable by heightened awareness of the dangers of phishing, the importance of reporting attacks to which they fall victim, the ease of spoofing, and the possible uses -- and abuses -- of personal information posted on the Web."

Jakobsson and Steven Myers, assistant professor of informatics, are the co-editors of Phishing and Countermeasures, a 736-page tome exploring the sophisticated methods cyber crooks use to steal financial and other personal information from consumers, and to conduct corporate and military espionage.

Source: Indiana University

Explore further: Surveillance a part of everyday life

add to favorites email to friend print save as pdf

Related Stories

US hacking victims fell prey to mundane ruses

May 20, 2014

The hacking techniques the U.S. government says China used against American companies turned out to be disappointingly mundane, tricking employees into opening email attachments or clicking on innocent-looking ...

Hooking phishers of men and women

Nov 25, 2013

Phishing is a fraudulent attempt seeking to acquire money, confidential information or other gain such as usernames, passwords or credit card details from people by masquerading as a trustworthy entity such as a bank, service ...

Techies vs. NSA: Encryption arms race escalates

Nov 29, 2013

Encrypted email, secure instant messaging and other privacy services are booming in the wake of the National Security Agency's recently revealed surveillance programs. But the flood of new computer security services is of ...

Recommended for you

Surveillance a part of everyday life

13 minutes ago

Details of casual conversations and a comprehensive store of 'deleted' information were just some of what Victoria University of Wellington students found during a project to uncover what records companies ...

European Central Bank hit by data theft

43 minutes ago

(AP)—The European Central Bank said Thursday that email addresses and other contact information have been stolen from a database that serves its public website, though it stressed that no internal systems or market-sensitive ...

Twitter admits to diversity problem in workforce

3 hours ago

(AP)—Twitter acknowledged Wednesday that it has been hiring too many white and Asian men to fill high-paying technology jobs, just like several other major companies in Silicon Valley.

Social Security spent $300M on 'IT boondoggle'

14 hours ago

(AP)—Six years ago the Social Security Administration embarked on an aggressive plan to replace outdated computer systems overwhelmed by a growing flood of disability claims.

Six charged in global e-ticket hacking scheme

15 hours ago

Criminal charges were filed Wednesday against six people in what authorities said was a global cyber-crime ring that created fraudulent e-tickets for major concerts and sporting events.

User comments : 0