What can be done to prevent context aware attacks?

August 6th, 2005

More and more people recognize the increasing threat of identity theft, where high-volume Internet based attacks (referred to as phishing) are the most commonly seen threat.

In contrast to what much of the current media coverage tells us, phishing is not only a threat to individuals and their personal savings, but also to society as a whole. One reason is that organized crime can use a large number of accounts to perform money laundering — be it for drugs or to fund terrorism — simply by performing small payments to and from such accounts. Namely, if a criminal credits and debits accounts he controls by transferring money between them, he can move large sums of money in a way that is very hard to trace. More particularly, if each account has the same in-flow as out-flow of money (although not necessarily the same number of in and out transfers), then the account owners would not be financially affected by the attack, and may in fact not even notice that it takes place. However, as is well understood in theoretical computer science, the actual source and destination of funds would be very hard to trace, at least if several “hops” of payments are made and a large number of accounts are involved.

Phishing is prominent today because of the low costs of performing it, the slim chances of detection, and the reasonable number of consumers that fall for the scams. However, it is commonly held that phishing will become an increasing problem if attacks become more convincing — by using information specific to the intended victims. One way would be to use supposedly private information in the emails — such as mother’s maiden names. In a recent study, it was shown that mother’s maiden names can be inferred from public databases with a very high success rate (http://www.informatics.indiana.edu/markus/papers/mmn.pdf). Another approach is to infer personal relations and use these to target individuals — perhaps to get them to download programs that appear to be innocuous screen savers, but which in reality log keystrokes. (A related experiment is described at http://www.indiana.edu/~phishing/social-network-experiment.) As yet another example of this type of “context aware” attack, phishers would rarely be successful if sending consumers email notices appearing to come from banking institutions that the victims in question are not doing business with. The success rate would balloon if phishers could target victims better. As we show here, this is not difficult at all. All in all, context aware phishing (a term first coined in http://www.informatics.indiana.edu/markus/papers/phishing_jakobsson.pdf) poses a serious threat.

It is important to understand these threats in order to better protect ourselves against them. While it is unlikely that there is any one protection technique (apart from unplugging one’s computer!), there may be a collection of these that, in coordination with each other, build better protection. Such techniques may involve less reliance on “semi-secret” information; better technical constructions for alerting users of threats; stronger privacy laws; and a more unified defense by technology providers, corporations in general, and government agencies.

In a series of studies performed at Indiana University, we are investigating next-generation phishing threats, and developing countermeasures where applicable. If you are interested in learning more about either of these efforts, please contact us at phishing@indiana.edu. Please remember to specify what your background is, and how we can best help you.

Markus Jakobsson
Associate Professor of Informatics at IUB
Associate Director of CACR

To tell or not to tell?

April 24th, 2005

Many of you are upset because you feel you were not asked for permission beforehand. I understand that this feels strange.

Now, imagine that we did ask you for permission. “Is it ok with you that we spoof an email from a person you trust, in order to make you go to a webpage that could have stolen your password? We promise that we will not actually steal your credentials.” Assuming you agreed, what are the chances that you would have actually followed the link in the email you received? It is easy to see that by informing participants of the experiment, we alter the outcome of the same. That makes the experiment useless.

Now, you may say that the experiment is useless, no matter what. I beg to disagree. The recent trend in the area of phishing (online identity theft) is rather shocking, and any information that can shed light on people’s reactions is important. This is particularly the case when one designs technical counter-measures to attacks, or attempts to craft educational campaigns to make computer users less likely to fall victim. (I am part of both types of efforts.)

The attack you have become aware of is of a type that we refer to as a “context aware” attack. You can read more about these attacks, and their counter-measures, at www.markus-jakobsson.com/papers/phishing_jakobsson.pdf. In that publication, you can see how an experiment on eBay was used to assess the approximate threat of a context aware attack on eBay users. You can also find a description of proposed counter-measures. These suggestions were given to Howard Schmidt, chief security officer at eBay; he later described them in testimony to Congress. The attack, therefore, can have an impact both on the security of eBay, and on political decisions made to secure our society. Similarly, the experiment you may have taken part in will hopefully have a positive impact on the security of our infrastructure.

The experiment you may have been a participant in was performed using only publicly available data. It is truly astonishing what is publicly available. We should all be more careful about what we let others know about us, lest we open ourselves up to attacks. In a recent paper, a student of mine and I show how one can obtain the mother’s maiden names of a huge portion of the population, given only public records. If you are interested in this study, you can look it up at www.markus-jakobsson.com/papers/mmn.pdf

What can we learn from this? We must be careful not to make private information public. We must be cautious when receiving emails suggesting that we perform actions, such as logging in to various resources.

I hope that you will bring this up for discussion with friends and family, with administrators, faculty members, politicians, and journalists. This time, nobody was hurt (only the pride of those who felt taken advantage of was hurt). The next time, this may be for real. The next time, the victims may lose access to their bank accounts, or have somebody log in to their network account to install keyboard loggers, malware, or merely to snoop around. These attacks can be mounted from anywhere on earth, and by anybody. Let us not let that happen.

Markus Jakobsson
www.markus-jakobsson.com

Social Engineering in the Internal Revenue Service

April 24th, 2005

[From slashdot (dated 03/16/2005):]

“Treasury department auditors recently posed as network technicians and attempted to get IRS employees to reveal their usernames and passwords and/or change the password to one suggested by the “technician”. The result: over one-third shared their passwords. If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001.”

[Slashdot link:]
http://it.slashdot.org/article.pl?sid=05/03/17/0145220&tid=172&tid=218

[US Department of the Treasury link:]
http://www.treas.gov/tigta/auditreports/2005reports/200520042fr.html

Recent Questions About Prior Consent

April 24th, 2005

Most recently we have received a number of emails and blog postings concerning obtaining consent prior to the experiment. Unfortunately due to the inherent deception used in the experiment, this was not possible. The Human Subjects Committee granted a waiver of consent for this experiment.

The goal of the study is to raise user awareness of threats of this type, and to determine the likely success rate of an attack of this kind. Our findings clearly emphasize the need for defense mechanisms. Markus Jakobsson is part of a group of researchers that is developing practical defenses against this very type of attack; these defense mechanisms will hopefully soon be integrated in our shared communication infrastructure, and prevent abuse. We hope you will be cautious not to fall victim to real attacks, whose goals of course are to actually collect user credentials (we did not).

Nate and Tom

A forum for discussion

April 24th, 2005

Welcome,

We’ve created this blog to communicate information about our study and also encourage comment/discussion. All blog comments will be made anonymously.

Phishing is a growing threat. The fundamental purpose of this study was to study the effects of more advanced phishing techniques that use context. We hypothesized that a phishing message received from a friend (or corroborated by friends) would be more credible.

Phishing messages that appear to be sent by such trusted companies as eBay, Citibank and others are currently duping 3 percent of the people who receive them, according to a recent survey by Gartner Inc.

We have yet to do a detailed analysis of our data; however, preliminary counts show the attack success rate of our experiment to be much higher than that of a traditional phishing attack.

Please share your thoughts about our study. We appreciate the feedback! Any contact requiring a personal response and/or not appropriate for a public forum should be directed to phishing@indiana.edu.

Best Regards,

Tom N. Jagatic
Principal Investigator

Nathaniel A. Johnson
Co-Investigator