A forum for discussion
Welcome,
We’ve created this blog to communicate information about our study and also encourage comment/discussion. All blog comments will be made anonymously.
Phishing is a growing threat. The fundamental purpose of this study was to examine the effects of more advanced phishing techniques that use context. We hypothesized that a phishing message appearing to come from a friend (or corroborated by friends) would have greater credibility.
Phishing messages that appear to be sent by such trusted companies as eBay, Citibank and others are currently duping 3 percent of the people who receive them, according to a recent survey by Gartner Inc.
We have yet to do a detailed analysis of our data; however, preliminary counts show the attack success rate of our experiment to be much higher than that of a traditional phishing attack.
Please share your thoughts about our study. We appreciate the feedback! Any contact requiring a personal response and/or not appropriate for a public forum should be directed to phishing@indiana.edu.
Best Regards,
Tom N. Jagatic
Principal Investigator
Nathaniel A. Johnson
Co-Investigator
April 24th, 2005 at 3:31 pm
That was really sneaky! I feel tricked but I’m glad I wasn’t really phished, that could have stunk.
April 24th, 2005 at 3:52 pm
Why did you pick us, and where did you get our friends' names to use as the senders?
April 24th, 2005 at 5:02 pm
Why was I picked for this? I am contacting the university. I did not sign up for any study, and I feel that this is completely unethical and inappropriate.
April 24th, 2005 at 5:23 pm
I also feel that this experiment was unethical. I did not sign any waiver releasing my information nor did I agree to participate in any experiment. My email account was broken into without permission. I am also going to contact the university about this.
April 24th, 2005 at 6:30 pm
I am angry. I realized this could have stolen my password and changed it, but how do you know who my friends are? Explain that!
April 24th, 2005 at 6:32 pm
In the future, maybe you could send UITS something to tell all the angry callers…
:)=)
April 24th, 2005 at 8:06 pm
I wonder how I was picked for this study, and I'm NOT happy that it looked like I had sent others this message when I clearly did not. Please don't do this again!!!!
April 24th, 2005 at 8:33 pm
I am also VERY unhappy. I have already sent an email, but perhaps we should all get together and do something about it. Not to mention the fact that it was not a professional university undertaking, a freaking CLASS did this. So there are students out there who are doing this, so they have our information.
April 24th, 2005 at 8:49 pm
If anyone who was involved in this study, like me, would like to send the "investigators" an email showing how unprofessionally this study was done, here is one of their emails: tjagatic at indiana . edu
April 24th, 2005 at 9:04 pm
Actually, please direct any comments to phishing@indiana.edu. Others besides myself are responding to messages directed to that email address. We welcome your comments.
April 24th, 2005 at 9:08 pm
I am extremely angry about this and sent an email already to the “principal investigator.” Even though I did not click the link, I definitely feel this was an invasion of privacy [especially because it was through a third-party site]. I am wondering how they obtained e-mail addresses of friends of mine, one of which I have never e-mailed. None of the addresses were in my address book either. If we do not receive a reasonable response from anyone, we need to do something as a group.
April 24th, 2005 at 9:20 pm
This experiment was unethical - I agree with everyone that we were not told that we were participating and therefore should not have been chosen. Even facilitators and participants in a double-blind study at least know that they are doing a study. I do not agree with the spoofing of email addresses to do this either - it’s simply using someone else’s identity, and it’s not right.
April 24th, 2005 at 9:38 pm
Not only do I question the study itself, but I also question the integrity of the researchers. Especially since, now that everyone has found out about this completely ridiculous stunt, they are standing behind their fraudulent study and trying to justify it. Hm. I find it hard to believe that a study like this is going to accomplish its goal. Also, I have never in my LIFE heard of people trying to GET people to do the thing they are trying to advocate AGAINST people doing. "We want you guys to not do (so and so), so we made an experiment where you do (so and so)." That's completely and utterly ridiculous. Also, if these researchers had any kind of dignity or integrity… or any overall intelligence whatsoever, they would know that ethics plays a HUGE role in researching, and that in any valid study, one must ALWAYS HAVE KNOWING PARTICIPANTS. Very few researchers will conduct a study in which they have involuntary participants. And we have a word for those researchers: shit.
April 24th, 2005 at 9:42 pm
I think other commenters/unwilling "volunteers" have registered complaints because this experiment abused not only our assurance that email accounts we have taken care to secure (either by limiting our use of them or frequently changing our passwords) are safe, but also our time. Certainly, you have received data showing that a lot of your "subjects" do willingly give out their username and password to very disreputable-looking sources, but, as the note from UITS mentions, many of us were worried that our systems had been corrupted. Although you seem to be treating this as a public service announcement, the people who fell victim are the people least likely to care, and those of us who do have been put through undue stress at a rather stressful time of the semester. If you seek to repeat this experiment, be sure to hit the whole campus and let every student go through the fear that their computer is infected, and allow people's friends to blame them for spreading viruses. I am glad you gathered the information you wanted; kindly publicize it in ways that do not detract from the academic use of academic email accounts.
April 24th, 2005 at 9:58 pm
I commented earlier, but I have another thing to say. I think it is extremely underhanded that you chose this time in the semester to do this. I can see you are banking on the fact that we have finals to study for and are too stressed to deal with this violation of privacy. You are sorely mistaken.
Also, I do not recall signing any agreement when I established my e-mail account at IU that authorized my unknowing participation in “experiments.” Correct me if I am wrong, but I believe it is unethical to impersonate others and use their e-mail accounts for said “study.”
April 24th, 2005 at 10:51 pm
To Whom It May Concern,
This is in response to the apparent "phishing study." First of all, when did I give anyone permission to use my name or e-mail address in a university study? If you can please provide me a specific section or rule in the Federal Regulation 45 CFR 46 Protection of Human Subjects (The Common Rule) stating that the Human Subjects Committee has the authority to waive consent for this type of experiment, then I would much appreciate it. Otherwise, I will seek legal counsel from professors on campus to further investigate this and seek a case for research misconduct. Who would grant students in either undergraduate or graduate classes the access to my name, e-mail address, and that of my friends? This is absurd. I am outraged there was no chance to "opt out" of this experiment.
Currently, your own website states this:
"Deception should be employed only when there are no viable alternative procedures. Where deception is a necessary part of an experiment, the Committee will generally require that a preliminary consent be obtained, in which the investigator informs the subject that the experiment cannot be described fully in advance. After the experiment, the subject should be informed of the deception and its purpose. We recognize that there are rare instances in which no consent can be obtained or debriefing done: e.g., if the researcher pretended to lie unconscious on a sidewalk and noted how many and what sorts of persons stopped, attempted assistance, or simply hurried past; or where debriefing would cause more harm to the subject than the deception itself."
I received no preliminary consent regarding my name or e-mail address being used in this experiment, nor after the experiment was over did I receive any description of the experiment or its purpose. The experiment also does not fall into any of the stated categories explaining why the committee would waive consent or debriefing. Thus, not only can I see no validity in how you can waive rights based on federal regulation, I also see no validity in how you can waive my right to informed consent based on the rules and language set forth on your own website.
P.S. If any students would like to take part in the action against this study and seek more information pertaining to federal regulations, informed consent, etc. please e-mail bchenry@indiana.edu.
P.P.S. I now willingly give out my e-mail address for your research pleasure. Thanks.
April 24th, 2005 at 11:13 pm
I wouldn’t go so far as to call this study unethical, but it certainly was deceptive. Apparently the investigators had to be deceptive in order to obtain their results, right?
I can see why people are angry about being unwilling participants. However, realistically, who would be a WILLING participant in a study like this? The study would only work if people were unaware of what was going on.
In the defense of the investigators, I would like to point out that there was no individual or group of individuals that gave the investigators our names, e-mail addresses, and those of our friends. As the Faculty Advisor Markus Jakobsson has stated, the investigators obtained this information from PUBLICLY AVAILABLE DATA.
April 24th, 2005 at 11:38 pm
No, I would not agree with the assumption that investigators had to be deceptive in order to obtain their results. And if this information is publicly available, then please explain to everyone how the information (which by the way was half wrong… investigators can't even gather the right information). I'm going to assume this information was gathered by taking people on your friends list from www.thefacebook.com and just randomly throwing a few people in the mix. Either that or they just f***ed up the experiment and didn't get the e-mails on facebook right. Then, the e-mails could be spoofed using simple SMTP. However, although your assumptions may be right regarding PUBLICLY AVAILABLE DATA… spoofing e-mail addresses is still illegal based on federal regulations. If you can prove me wrong or explain the technique used to gather information that is different from my above assumption, then please explain it to me. Would love to hear. I wonder if this board is anonymous or if you are logging our IPs? haha hmmm.
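The comment above says the messages "could be spoofed using simple SMTP." That is exactly right, and the reason is that SMTP carries two separate senders: the envelope sender given in the MAIL FROM command, and the From: header inside the message body, which the sending software can set to anything. The following is an added example written for this thread, not code from the study or from whuffo.com. It builds a message with a chosen From: header, models what a receiving mail server actually has in hand (envelope sender, message text, peer IP), and then applies the two checks a receiver can use to catch the mismatch: header/envelope domain alignment and an SPF-style sender check. The domains, addresses, IPs and the SPF_TABLE are all constructed; a real receiver would look the SPF data up in DNS.

```python
"""Envelope sender vs. From: header in SMTP, and how a receiver can detect a spoof.

Added example for this thread, not code from the study. All domains, addresses,
IP addresses and the SPF table are constructed for illustration.
"""
import email
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed stand-in for DNS SPF records: which sending IPs a domain authorizes.
# Real code would query the domain's TXT record; a fixed table keeps this offline.
SPF_TABLE = {
    "example.edu": {"192.0.2.10", "192.0.2.11"},
}


def build_message(header_from, to_addr, subject, body):
    """Compose a message. Nothing stops the sender choosing any From: value."""
    msg = EmailMessage()
    msg["From"] = header_from
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_string()


def deliver(envelope_from, raw_message, connecting_ip):
    """Model the receiving MTA's view of one SMTP transaction.

    The envelope sender (MAIL FROM) is independent of the From: header, and
    SMTP itself never compares the two; that is the whole spoofing problem.
    """
    return {"envelope_from": envelope_from, "raw": raw_message, "ip": connecting_ip}


def domain_of(addr):
    """Extract the lower-cased domain from 'Name <user@host>' or 'user@host'."""
    _, bare = parseaddr(addr)
    return bare.rpartition("@")[2].lower()


def spf_result(domain, ip):
    """'pass' if the IP is authorized for the domain, 'fail' if not, 'none' if no record."""
    allowed = SPF_TABLE.get(domain)
    if allowed is None:
        return "none"
    return "pass" if ip in allowed else "fail"


def assess(delivery):
    """Run the receiver-side checks: header/envelope alignment and SPF on the header domain."""
    msg = email.message_from_string(delivery["raw"])
    header_domain = domain_of(msg["From"])
    envelope_domain = domain_of(delivery["envelope_from"])
    return {
        "header_from_domain": header_domain,
        "envelope_domain": envelope_domain,
        "aligned": header_domain == envelope_domain,
        "spf": spf_result(header_domain, delivery["ip"]),
    }


def spoofed_delivery():
    """A forged 'from a friend' message relayed from an unrelated host."""
    raw = build_message("A Friend <friend@example.edu>", "target@example.edu",
                        "have a look at this", "Constructed body text.")
    return deliver("bounce@attacker.example", raw, "203.0.113.5")


def legitimate_delivery():
    """The same From: header sent through the domain's own authorized server."""
    raw = build_message("A Friend <friend@example.edu>", "target@example.edu",
                        "have a look at this", "Constructed body text.")
    return deliver("friend@example.edu", raw, "192.0.2.10")


if __name__ == "__main__":
    print("spoofed:   ", assess(spoofed_delivery()))
    print("legitimate:", assess(legitimate_delivery()))
```

The spoofed message looks identical to the legitimate one in the recipient's mail client; only the envelope and the connecting IP differ, and those are visible to the receiving server, not to the person reading the mail. That is why sender-policy checks have to run at the gateway rather than being left to the user.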
April 25th, 2005 at 1:06 am
Although you seem to be treating this as a public service announcement, the people who fell victim are the people least likely to care, and those of us who do have been put through undue stress at a rather stressful time of the semester.
I would just like to second this statement. I'm not well-versed in experiments like this, but couldn't at least the "senders" of the e-mails have been privy to the experiment? Then they could at least later explain to their friends that their accounts weren't tampered with when they inevitably asked them if they sent the e-mail/had a virus/etc. But then again I'm not a researcher and have no idea what I'm talking about. I just think there must have been a better way to do this.
April 25th, 2005 at 10:28 am
Tom is a part of ITPO (Information Technology Policy Office), the same department that is supposed to stop people from spamming the campus with useless email and to protect users' computers. His job is to uphold IU's Information Technology rules and regulations on campus, and now HE is sending out spam. This was a CLASS PROJECT, not a research project. He should be reprimanded for not following the rules and regulations his job requires. Nice that he feels it's OK to make exceptions in the rules for himself.
April 25th, 2005 at 12:08 pm
This study was done very poorly, and the tactics used to gain the results were much less than ethical. And as far as it being okay that they did this to get these results, that too is completely absurd. They could have had us all sign up earlier, and then not told us what it was completely about. Then all these people wouldn't be so p*ssed off. I've made a group on thefacebook, and anyone who wants to try and do something about this should join. That way we aren't all anonymous, and we can all fight this together. The group is called: Hey check this out!!!
My name is Josh, and if anyone wants to contact me my email is jgrander@indiana.edu
April 25th, 2005 at 12:13 pm
Well said — these actions by Tom Jagatic represent a central problem within the overarching “policy” offices — zero forethought regarding the effects their selfish decisions will have on others. I hope he is terminated along with whoever else gave the green light at his office. His self-serving and condescending style has no place at a public university. He is a weasel and should be stomped.
April 25th, 2005 at 1:17 pm
Greetings,
It should also be noted, this research was not performed as a function of ITPO/ITSO. This was an academic effort as a graduate student, with ambitions of better understanding context-aware phishing attacks.
The effects of this work extend far beyond “a class project”. The contributions to education/awareness on campus and to the scientific community are considerable. In order to understand the problem, one has to study the problem. I’ve been working in close conjunction with Markus Jakobsson, a respected security expert and researcher in phishing. I highly encourage others to read his posting regarding the benefits of this work.
As for the undertaking of this research, this was not a unilateral effort. Much time and preparation was performed in working with the Human Subjects Committee, University Counsel, Informatics Faculty, and ITPO/ITSO.
Best Regards,
Tom N. Jagatic
April 25th, 2005 at 2:28 pm
So you used your position at ITSO to help you out with a school project, Tom? I’d be more willing to accept your “apologies” if this WAS a function of ITSO.
April 25th, 2005 at 2:38 pm
Let’s see…
What did we learn from this experiment?
That there is a percentage of people (probably around 50% or more) who fell for a phishing scam.
You can’t see it right now, but I’m rolling my eyes.
Tomorrow, I will dig a hole on one of the major walkways on campus. I will then disguise the hole with a paper mache covering (mimicking the concrete around it, but anyone who looks closely will realize it's not concrete). I will then chalk each covering with words saying something like, "This is a trap".
Those who disregard common sense and walk on it and fall into my hole, I will keep. I will present a report of my findings, basically just statistics of the amount of people who actively avoided it compared to how many people I caught.
Like the current study, the results produced are useless. It merely tells us that some people don’t pay attention and aren’t careful about where they’re going, while others take the time to notice inconsistencies.
April 25th, 2005 at 2:47 pm
the people who got “phished” are idiots.
and if you’re angry about this, you’re probably an idiot, too.
just consider yourself lucky that this wasn’t for real.
April 25th, 2005 at 2:52 pm
Some people are angry because we feel it’s a waste of resources.
I could care less about those who got phished. They’re on their own.
April 25th, 2005 at 2:54 pm
I actually think, although in some ways deceptive and unethical, this was a brilliant experiment that did produce some real, tangible, and useful data. I think everybody is overreacting because this study made them look stupid and gullible, so they want to get all worked up and threaten legal action to recover some dignity. Oops. Unfortunately, they'd recover more by saying "You know, this was inconsiderate, but I'm not going to be so dumb as to click a link in my email again." But, oh well.
April 25th, 2005 at 2:57 pm
I knew better than to fall for the email, and I didn’t even get a copy. I was just trying to help out those who did. And I’m still irritated; it has nothing to do with my personal gullibility. It has everything to do with Tom J. convincing the ITSO to go along with some grad student project that uses people’s identities without their permission. I’d totally condone this if it was done by some researchers unrelated to IU, who chose us as their test subjects. But not in this case, where it’s our own professors and computer security experts selling us out to prove a point.
April 25th, 2005 at 3:15 pm
“So you used your position at ITSO to help you out with a school project, Tom?”
Tom is not a member of the ITSO.
April 25th, 2005 at 3:16 pm
> So you used your position at ITSO to help you out with a school project,
> Tom? I’d be more willing to accept your “apologies” if this WAS a
> function of ITSO.
I don’t think Tom is in the ITSO
April 25th, 2005 at 3:29 pm
So let’s say we put these results towards forming a program which educates users about computer security.
Who would want to attend a seminar if one was set up?
These kids have better things to do with their time (in their opinion) than learn about computer security. Even then, you can’t teach common sense.
So let's say you find a way to produce funding for pamphlets or flyers that give people common tips for computer security. The majority of students won't bother to read them. Those who do read them, I'm sure for a good number it will be more like last-minute bathroom literature.
The people who NEED to be educated about these things don't WANT to be educated. They want their magic computer to keep on doing its magic without them having to pour too much thought into it. When they get an email from a "friend", they don't want to think "Hey, should I IM my friend first to make sure this is from them?" They want to click that link and see what their "friend" has to show them. If they fall for it enough times, maybe they'll learn. Maybe.
I think the focus, at least for phishing scams, should be improved response times as well as improved communications between those involved in providing security for IU.
April 25th, 2005 at 3:41 pm
The data that was gained in this experiment can help ITSO devise ways to keep 3rd parties from using phishing tactics on IU affiliates. That way you get to trade being tricked by a legitimate group who will not actually steal your data with not getting tricked by someone who will use your data for bad purposes. Maybe it’s a trade off, but it’s a trade off that I would be willing to make.
April 25th, 2005 at 3:43 pm
Actually Tom J. is part of ITPO (the policy office)
http://www.itpo.iu.edu/about/staff/
April 25th, 2005 at 4:01 pm
>The data that was gained in this experiment can help ITSO
>devise ways to keep 3rd parties from using phishing tactics
>on IU affiliates. That way you get to trade being tricked
>by a legitimate group who will not actually steal your data
>with not getting tricked by someone who will use your data
>for bad purposes. Maybe it’s a trade off, but it’s a trade
>off that I would be willing to make.
Typically with phishing scams, there's no prevention that can be done aside from educating users. What can ITSO do? Set up a server to scan every single email that comes in? What will they scan for exactly that will catch 40% of all phishing emails sent to people (a reasonable percentage to reach for the funding required for such a server, given that you have to pay for hardware, software, power, electricity, cooling, and upkeep by employee(s))?
The only thing ITSO can do that will be of any decent use of funding is improve response procedures and response times to such activity. If this were a real phishing scam, I would expect that ITSO would have blocked the site after the first few reports, even if they had not yet confirmed 100% that it was phishing for user information. If the site was legit, the minor inconvenience due to lack of access to the site would be far outweighed by the security implications if it did indeed turn out to be recording user info.
I congratulate you if you are able to come up with a working plan for email phishing prevention outside of educating users. The prevention mechanism must be financially easy on IU (for lack of a better word). It should also be effective as well. Personally, I can’t think of any system that would fit those requirements.
April 25th, 2005 at 4:10 pm
I’m not affiliated with this study at all, but based on what I’ve read and heard, I have a few things to share:
1. The subjects of the study were deceived. Yes, it sucks, but this deception was necessary to recreate a phishing scenario. Also, it is not as unethical as some might think. In order to get human subjects approval (as the researchers did), I'm sure that the construction of the experiment underwent incredible scrutiny. The HSC policies state:
“We recognize that there are rare instances in which no consent can be obtained or debriefing done: e.g., if the researcher pretended to lie unconscious on a sidewalk and noted how many and what sorts of persons stopped, attempted assistance, or simply hurried past; or where debriefing would cause more harm to the subject than the deception itself.” (http://research.iu.edu/rschcomp/informed.html)
This suggests that for HSC approval, the possibility of harm (even given deception) must be zero. In no way did this research harm its subjects (except perhaps for their pride).
2. Your accounts were not hacked. The association information used in the experiment is publicly available to members of the service. This is the same situation as posting a personal web page with your email address — people don’t have to hack your computer to discern your email.
3. The information that was “phished” was definitely not maintained. That would be unethical and not allowed by HSC! Viewing private information (like a password for example) falls into this category too, so I’m sure there were mechanisms in place to ensure the passwords were not leaked.
4. There are many steps to solving societal problems, and unfortunately not all of them are “make a solution.” You first need to examine the patterns that cause the problem, and often times this means recreating an undesirable situation. In order to study the ill-effects of space travel, we need to send people into space! We can’t design a solution to a situation without examining it closely.
Yes you’ve been deceived, but no you have not been harmed. Think of the phishing as junk mail that came to your name and address telling you to come to a seminar where they will give away a trip to Hawaii. It’s just been a waste of your time.
April 25th, 2005 at 4:27 pm
This is hilarious. I wasn’t affected but I also know that no intelligent person logs onto a website and puts their username and password in it. I don’t know how many times they can tell you that they will not request your password via e-mail but the idiots always fall for it. Sue ‘em, threaten them, call them names, whatever. You’re the idiots that fell for it. This study just proves that there are a lot of people out there that do not pay attention to instructions. Instead of bitching maybe they should actually be thankful that someone didn’t really steal their information.
Morons.
April 25th, 2005 at 4:29 pm
When I first heard of this, I wasn’t sure I agreed with the study. But, the more I read, I believe it was done in the only correct manner that it could have been. Nobody’s information was stolen, and the researchers took all of the legal steps beforehand to ensure the study was valid. My only real complaint about it is the timing - they really could have picked a better time to set this off, rather than the last week of classes.
April 25th, 2005 at 4:43 pm
I would definitely like to know more about how we all got picked for the study.
April 25th, 2005 at 5:13 pm
Everyone should re-read this comment, because this pretty much hits the nail on the head exactly. I’m sorry for those who were legitimately upset by this, however I feel most of the outrage probably comes from personal embarrassment at getting duped. I think that’s further evidenced by the fact so many posters are quick to point out, “Oh, well *I* didn’t fall for it.”
Anonymous Says:
April 25th, 2005 at 4:10 pm
I’m not affiliated with this study at all, but based on what I’ve read and heard, I have a few things to share:
1. The subjects of the study were deceived. Yes, it sucks, but this deception was necessary to recreate a phishing scenario. Also, it is not as unethical as some might think. In order to get human subjects approval (as the researchers did), I'm sure that the construction of the experiment underwent incredible scrutiny. The HSC policies state:
“We recognize that there are rare instances in which no consent can be obtained or debriefing done: e.g., if the researcher pretended to lie unconscious on a sidewalk and noted how many and what sorts of persons stopped, attempted assistance, or simply hurried past; or where debriefing would cause more harm to the subject than the deception itself.” (http://research.iu.edu/rschcomp/informed.html)
This suggests that for HSC approval, the possibility of harm (even given deception) must be zero. In no way did this research harm its subjects (except perhaps for their pride).
2. Your accounts were not hacked. The association information used in the experiment is publicly available to members of the service. This is the same situation as posting a personal web page with your email address — people don’t have to hack your computer to discern your email.
3. The information that was “phished” was definitely not maintained. That would be unethical and not allowed by HSC! Viewing private information (like a password for example) falls into this category too, so I’m sure there were mechanisms in place to ensure the passwords were not leaked.
4. There are many steps to solving societal problems, and unfortunately not all of them are “make a solution.” You first need to examine the patterns that cause the problem, and often times this means recreating an undesirable situation. In order to study the ill-effects of space travel, we need to send people into space! We can’t design a solution to a situation without examining it closely.
Yes you’ve been deceived, but no you have not been harmed. Think of the phishing as junk mail that came to your name and address telling you to come to a seminar where they will give away a trip to Hawaii. It’s just been a waste of your time.
April 25th, 2005 at 7:23 pm
First of all, this study could not and does not in any way provide a solution for the problem of phishing. The only information this experiment collected is how many people were dumb enough to click the link AND enter their correct IU username and password. I disagree with any point made regarding the inherent value this study provided. It was a blatant violation of the university's computer usage policies. (http://www.itpo.iu.edu/policies/cupr.html). See ethical usage and also legal usage. I don't believe intentional impersonation of another network user is allowed. I also disagree with IU staff members telling me this study could NOT have been done without a waiver of risk. At the beginning of the year when students sign the computer usage policies, students could be made aware that they may be subject to security or research experiments throughout the year. My problem with this entire study is that my e-mail address was used for this study to send out these "phishing messages" without my knowledge of this being done either before OR AFTER completion of the experiment. The only reason I found out about my e-mail address being used is because a friend was intelligent enough to realize something fishy was going on.
bchenry@indiana.edu
April 25th, 2005 at 7:56 pm
Yes, that was a pun. ("fishy")
bchenry@indiana.edu
April 25th, 2005 at 9:04 pm
I think everyone needs to stop bitching about it so much. It’s their own fault if they’re so goddamn stupid as to be phished. I think it was an interesting little experiment.
April 25th, 2005 at 9:25 pm
This experiment was a public service: all angry little people, frustrated with their upcoming exams, get the opportunity to yell and cuss.
Now, take a good look in your inbox. See any other phishing emails? *Those* guys are trying to harm you. The participants in this study were not.
April 25th, 2005 at 9:37 pm
All,
Before you decide to take Tom out to hack him to death, please consider the following:
Tom did not use his position in order to perform this experiment. In fact, any one of you with a sufficient computer science background could probably pull this off. You could even do it without being ethical about it, without getting the proper permissions, and you could actually do it to steal credentials. That was, however, not what was done in this study.
If you would like to find scape-goats, why not one of the following instead:
1. The faculty advisors of this study
2. The people who offered jobs to the faculty advisors.
3. The parents and grandparents of the faculty advisors and of those who offered jobs to the faculty advisors.
4. Those who posted information about themselves, allowing themselves to be victimized. (Announcing your ATM PIN is known to be dumb, we all know that; posting other private information in public places is not that much smarter, it turns out.)
5. Those who provided us all with network connectivity, email, etc.
What’s your pick?
Oh, Tom. I see.
April 25th, 2005 at 9:54 pm
The website’s documentation states that “By using an authenticator, there is no human review or storage of passwords.”
That’s actually not correct. It should have said something like:
“The authenticator that was used did not require human review or storage of passwords.”
By the way, when they say “human review or storage” they mean “We didn’t look at or save your passwords”. They need an editor, but that’s another gripe.
I assume that Apache's htaccess authentication mechanism was used in conjunction with mod_auth_kerb. I'm familiar with the technology. As soon as the username and password are entered by the user, they simply become Apache environment variables (in plain text) that one can do with whatever one wants. Just because an "authenticator" was used doesn't mean that there was no "human review".
Maybe posting *all* of the code that was running on https://www.whuffo.com/ could curb some of the paranoia.
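The commenter's point is that "we used an authenticator" says nothing about whether the password was readable by the site's own code, because with HTTP Basic authentication the browser sends the password itself on every request and whatever verifies it has it in the clear. Below is an added example written for this thread, not code from whuffo.com, the study, or mod_auth_kerb. It models the two places the verification can sit: inside the application, where the password is necessarily available and nothing but the operator's good faith stops it being recorded, and in a front-end authenticator that verifies the credential and then forwards only the username (the way Apache hands REMOTE_USER to a CGI script while withholding the Authorization header). The credential store, the verifier, and the request builder are all constructed stand-ins.

```python
"""Where the password is visible behind an HTTP Basic "authenticator".

Added example for this thread, not code from the study or from mod_auth_kerb.
KNOWN_USERS, verify_against_kdc and build_environ are constructed stand-ins.
"""
import base64

# Constructed credential store standing in for a Kerberos KDC or htpasswd file.
KNOWN_USERS = {"jdoe": "correct horse battery staple"}


def verify_against_kdc(user, password):
    """Stand-in for the real credential check an authenticator module performs."""
    return KNOWN_USERS.get(user) == password


def parse_basic_authorization(header_value):
    """Decode 'Authorization: Basic <base64(user:password)>' into (user, password).

    Returns None for a missing, malformed or non-Basic header. Note that the
    password is only base64-encoded, not encrypted; anything holding the header
    holds the password.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def build_environ(user=None, password=None):
    """Construct the WSGI environ a browser request would produce (stand-in)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        environ["HTTP_AUTHORIZATION"] = f"Basic {token}"
    return environ


class InAppAuthenticator:
    """Verification done by the application itself: it has the password, and
    a single extra line is all it takes to keep it. Nothing in the mechanism
    prevents this; only the operator's policy does."""

    def __init__(self, verifier):
        self.verifier = verifier
        self.captured = []  # what a dishonest deployment could retain

    def __call__(self, environ):
        creds = parse_basic_authorization(environ.get("HTTP_AUTHORIZATION", ""))
        if creds is None or not self.verifier(*creds):
            return 401, None
        user, password = creds
        self.captured.append((user, password))
        return 200, {"user": user, "password_visible": True}


def front_end_authenticate(environ, verifier):
    """Front-end verification, modelled on a web server module: check the credential,
    set REMOTE_USER, and strip the Authorization header before the app runs."""
    creds = parse_basic_authorization(environ.pop("HTTP_AUTHORIZATION", ""))
    if creds is None or not verifier(*creds):
        return False
    environ["REMOTE_USER"] = creds[0]
    return True


def app_behind_front_end(environ):
    """The application sees a username and no credential at all."""
    if "REMOTE_USER" not in environ:
        return 401, None
    return 200, {"user": environ["REMOTE_USER"],
                 "password_visible": "HTTP_AUTHORIZATION" in environ}


def run_in_app(user, password):
    app = InAppAuthenticator(verify_against_kdc)
    status, body = app(build_environ(user, password))
    return status, body, app.captured


def run_front_end(user, password):
    environ = build_environ(user, password)
    if not front_end_authenticate(environ, verify_against_kdc):
        return 401, None
    return app_behind_front_end(environ)


if __name__ == "__main__":
    print("in-app:   ", run_in_app("jdoe", "correct horse battery staple"))
    print("front-end:", run_front_end("jdoe", "correct horse battery staple"))
```

The practical consequence for anyone who typed a password into a page like this is that the page's architecture, not the word "authenticator", determines whether the password could have been retained, and the user cannot tell the two designs apart from the browser. Even in the front-end design the module doing the verification still saw the plaintext, so "not stored" remains a claim about the operator's behaviour rather than something the protocol guarantees.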
April 25th, 2005 at 10:13 pm
“Maybe posting *all* of the code that was running on https://www.whuffo.com/ could curb some of the paranoia.”
You don’t trust them when they say they didn’t save your password - why should you accept that any code they post really came from whuffo.com? For all you know, they might make that up too!
Fact of the matter is that you typed your username and password into a site you had no good reason to trust. Just be glad nobody’s cleaning out your bursar account right now.
April 25th, 2005 at 11:35 pm
OK, honestly. Watch who you’re calling an idiot. I’m upset not because I clicked on the link, but because my friends were deceived, believing they had received an e-mail from me personally. Regardless of whether you hacked into our computers or not, emails were still sent out that looked as though they were from us. You had no concern for who the recipients were. I know a girl whose recipient was her ex-boyfriend whom she does not wish to have contact with. He believed he had an e-mail from her and tried to contact her. That’s just a nuisance. I’m mostly irritated not because I am “stupid” or “gullible” but because I was not informed beforehand, and I’m apparently paying the university thousands upon thousands of dollars to dupe me, as it were.
April 26th, 2005 at 12:26 am
If you clicked the link, you are an idiot. Plain and simple. Don’t get angry. There are plenty of ignorant, misinformed people in this world. Most are running our country. Maybe you can do that.
April 26th, 2005 at 2:54 am
I wasn’t part of this experiment, but if I were I’m pretty sure that I would be grateful that this was only an experiment. Don’t you see that by unwittingly participating you are probably never going to fall victim to a phishing attack again. You should be thanking Tom and his team because he has helped you. The fact of the matter is that no one made you give up your personal information but you yourself. It’s understandable if you feel violated, everyone that gave up their password is probably feeling the same way; just don’t blame Tom for your own gullibility.
P.S. In response to everyone that says they would have liked to have been informed first, did you not read the front page? Would this really have worked as a study if you were notified beforehand? Also, for those that think they are paying the university thousands upon thousands of dollars for them to dupe them, they should be glad the university allowed this because if it had been an eBay scam or other scam, they could be paying thousands upon thousands of dollars to an unknown person right now. Again, not to sound like a broken record but you should be thanking the university for the opportunity to participate in this learning experience instead of being mad at your own foolishness.
April 26th, 2005 at 7:54 am
Maybe people should be more concerned about the amount of personal information that can be gleaned from the public domain. That’s the scary part.
April 26th, 2005 at 8:42 am
If nothing else, this study has at least raised awareness of the dangers of phishing. I’d be willing to bet that those who were duped will not be so fast to supply personal information to similar sites in the future. They should consider themselves lucky for getting the “free” lesson. Others won’t be so lucky and will have information stolen from real “phishermen”.
It is scary how much information is publicly available. Generating controversy and discussion on this topic could actually turn out to be a good thing for everyone concerned. Identity theft is a huge problem. Becoming educated on the matter seems like a really smart thing to do.
This research clearly would not have worked if people had been informed that they were participants.
April 26th, 2005 at 9:25 am
Stop with the BITCHING AND MOANING. Get on with it. You clicked the link plain and simple. Deal with the results of doing so!!!
April 26th, 2005 at 9:46 am
You guys really need to get a basic understanding of technology.
First, it’s VERY easy to fake an e-mail address. I can send an e-mail that looks like it came from Bill Gates, just modify the e-mail headers! I can send out e-mails that make it look like it came from your accounts in under 2 minutes.
Further, how did they get your e-mails and who your friends were? Well, some of you may have heard of the FaceBook and also course websites, etc, etc. It’s soooo easy to write a program to mine data on public websites. You put out the information publicly and then wonder where these guys got it? C’mon now.
Last point I’ll make. This is important research, phishing is a huge problem related to identity theft and I hope that all of you who were “subjects” of the test take that with you. Never look at your e-mail the same way again and PLEASE be aware that not everything is as it seems in cyberspace.
That said, I never need to worry about job security because there will always be users out there clicking on whatever the hell shows up in their inbox.
April 26th, 2005 at 10:45 am
Some comments herein indicate that there wasn’t much value in the research conducted. That’s essentially wrong, in that the results will show how many of their subjects actually provided their IU passwords in response to something that should have been weird to them. If that was 2%, then that isn’t SO bad. If it was 50%, that is a bad sign.
But, forget that: with all of this hubbub, the greatest value actually may not be in the results. The greater value may be that it’s now a hot topic! I have seen phishing warnings in the Monitor, and I doubt they had much impact. There have also been warnings posted to uits.iu.edu. Getting the IDS to print something essentially non-controversial isn’t easy to do, and they printed this on the front page. So, this has to be a boon to the folks in UITS who try to make these threats known and still see users taken in by them. A professor in my department was actually scammed out of some money on that E-Bay phishing email…and that was after a warning about it came out in the Monitor.
April 26th, 2005 at 11:10 am
I also wonder about whose “property” the usernames and passwords are. My guess is that the university owns this information, and can use it in any way they see fit.
April 26th, 2005 at 11:15 am
Everybody already knows what phishing is and that it is becoming a big problem. Performing an “experiment” to “phish” proves absolutely nothing. All you did was phish and called it an experiment. Anyone who falls for these scams is uninformed. This does not make it your duty to inform them. This is not a calling. A hacker is a hacker. Even if you hack into a computer network to be a watchdog and prove to society that there are problems does not mean you are in the right. Personally I do not want anybody touching any of my stuff for ANY REASON WHATSOEVER. If this happened to me and the “researcher” came up to me and told me he hacked into my webmail without my permission and sent out emails to all my friends, I would probably punch him in the face. Ok I wouldn’t do that because it would decrease my odds of winning in litigation.
April 26th, 2005 at 11:43 am
It should be reiterated that nobody “hacked” into anybody’s webmail. In fact, all they did was send email with altered headers that made it look like they were sent from someone else’s account. ANYBODY can do this, not just “hackers.” Nobody’s email was touched or snooped through.
April 26th, 2005 at 11:47 am
What the researchers may not understand:
Even though they have discarded the information they stole, had university blessings, etc., they have a boatload of angry people (though it will be dismissed as a few vocal outliers). If they want to continue this research track, they will need to deliver proper acknowledgement and respect to victims of their study. Otherwise the bad publicity alone will outweigh the university’s interest in supporting this project. IU will shut them down in a heartbeat if this results in “dorm porn” like media coverage.
April 26th, 2005 at 11:51 am
1) Everyone does NOT know what phishing is. That’s a ridiculous assumption, based on what? And, then you say “Anyone who falls for these scams is uninformed” — exactly!
2) According to the study web site, no one “hacked” into anything, certainly not Webmail. The subjects’ friends were apparently identified through associations that they made public themselves, and any nefarious phisher or virus-disseminator could extract exactly the same information.
3) As far as I can see, the study had nothing to do with informing/educating, though I thought it was good that they did so after the fact. UITS should be informing, and, again, whether they are doing a good enough job there is something that can be debated.
4) By the way, could somebody post here a pointer to a Federal or Indiana State law that says spoofing email addresses is a crime?
April 26th, 2005 at 12:27 pm
I think it is sad that people would actually be foolish enough to type in their username and password from an email link. It is no wonder that spoofed emails are so popular. I get one every day with stuff such as “Order confirmation #” or “URGENT SECURITY UPDATE FROM MICROSOFT” or “PAYPAL ACCOUNT APPROVED! HURRY!”, etc. Microsoft and MSN do NOT send emails and you will never get a legitimate email asking for confirmation if you’ve never registered or joined the site in the first place! Do not click on links in emails, it really is that easy.
April 26th, 2005 at 1:40 pm
I don’t know about anyone else here, but assuming that they did use thefacebook.com, as their public information. The website states in their terms of service that: “Illegal and/or unauthorized uses of the Web site, including collecting email addresses or other contact information of members by electronic or other means for the purpose of sending unsolicited email and unauthorized framing of or linking to the Web site will be investigated, and appropriate legal action will be taken, including without limitation, civil, criminal, and injunctive redress. ”
Not only this, but it’s not public information. You have to have a name and password to access the information. Which also means that you have to be in college, since you have to use your email account. So, the information is not “public” information as they state.
I would also like to add that, I was the person who apparently sent the email to my friend. I feel pissed, because I was never asked if they could use my name. Which I’m pretty fucking sure IU does not own.
April 26th, 2005 at 1:47 pm
IU owns the username and email account and your emails.
April 26th, 2005 at 2:07 pm
Also worth pointing out: you don’t own your own name. It’s OK for others to have the same name.
April 26th, 2005 at 4:03 pm
man, you people are such idiots. I just read this story on slashdot, and I come here to see what losers like you say about it. I love that somebody did a study like this to prove that there are plenty of morons for this stuff to flourish and work. We will never beat phishing, spam, viruses etc, etc while people like you are using the computer. You should all be ashamed of yourselves, and you should not be threatening these two guys for doing what amounts to a scientific experiment. I hope you learned something from this.
April 26th, 2005 at 4:04 pm
Far too many people are not yet aware of the risks that revealing personal information online may have. None of those people will become aware of those risks and alter their behavior until they are 1) taken advantage of or 2) have a close call that gives them a good scare.
This experiment is valuable for several reasons. First and foremost, it has created a large discussion about phishing on this campus, including people who would previously have dismissed such a discussion as “boring” or “paranoid”. Second, it gives researchers and policy makers information with which they can better understand how much effort is needed to educate web users about personal information and ways in which “Bad People(tm)” are trying to use that information to steal from them.
For those who feel violated: you’ve learned a valuable lesson quite cheaply. Quit complaining. For those who are abstractly “annoyed” at the research topic or the researchers: grow up. The bad guys are real and the less time you spend harassing the good guys, the more time they can spend protecting you from the bad guys.
April 26th, 2005 at 4:09 pm
I think you’re all being a bunch of wusses here. If you’re dumb enough to click on a link to provide personal information from an email you don’t recognize, then you SHOULD be embarrassed. Dummies.
April 26th, 2005 at 4:15 pm
If you gave your information out, it is your fault, no one else’s. The information used to entice you was public and anyone can do the same in the future. Consider this study a learning lesson in your own stupidity for giving out your information. Next time you probably won’t be so dumb and therefore you are a more educated person for it. Stop whining and be glad this wasn’t a real phishing scam. Hooray to those who conducted the study. This will do much more good than harm in the long run with all the publicity it has been given. Cheers.
April 26th, 2005 at 4:16 pm
This is great entertainment, all the angry dumb phishing victims are bitching so loudly. Hahahah! When’s the next show? I mean experiment! Keep up the good work!
April 26th, 2005 at 4:20 pm
Does nobody understand that no harm was done here?? I hope the “victims” learned a lesson. It’s probably good for them in the long run because they now know not to email their credit card number to “ebay@hacker.com” when they get phished for real.
Keep up the good work, experimenters!!
April 26th, 2005 at 4:22 pm
Good job guys. So many people don’t understand that a “return address” on an e-mail can be as easily forged as a “return address” on a snail-mail. People like you help raise awareness so that fewer people are tricked by the real bad guys.
April 26th, 2005 at 4:22 pm
I am not part of the university or the study, but most of you people are ridiculous… the study clearly showed you that you are not paying attention to these types of scams, and now that you know that they exist you are better prepared for the time when someone on the net will try and steal your personal info for real!!!
Be lucky that these people had the sense to teach you this lesson. I hope you all realize that it is happening for real right now to many of you and you are giving your info away to the “bad” people of this world… so your bitching about privacy concerns is misdirected, and should be aimed at the people perpetrating these crimes for real instead of researchers since they are easier targets for you to vent on.
As a postscript, you all don’t seem to get so worked up about getting credit cards and putting your whole life on a piece of paper for them to store in their computers and sell to whomever they choose (which they call “affiliates” of course)… So all of you please wise up.
April 26th, 2005 at 4:24 pm
All the people coming here and throwing insults around to those who fell for the deceit to boost their own egos need to be silent. Especially the /. sheep. Those who fell for the deceit really should just be glad they learned their lesson in a mostly harmless way instead of through someone with more hurtful motives. That doesn’t negate your right to be angry about it, though.
April 26th, 2005 at 4:25 pm
This is definitely an unethical study. There is no excuse for not getting permission from would-be participants before running the experiment. Yes, the study would not have been the same without secrecy, but this does not mean that using secrecy is ethical. The researchers assumed that they knew how better to spend the unknowing participants’ time than the participants themselves. This is an offensive assumption.
The Human Subjects Committee failed in protecting subjects from harm. Given that this is a primary purpose of the HSC, this type of failure is inexcusable. And, yes, there most definitely was harm done. How many hours were wasted by unwilling participants reading the phishing emails, following the links, and worrying about their credentials being unsafe? How many friendships were strained by spoofed emails? The list goes on. Harm was done.
The faculty advisors failed in leading the graduate students in ethical research. It does not take a seasoned researcher to recognize the shortcomings of the experiment, so the advisors should have instantly identified the problem and helped find an ethical solution.
The kicker is, of course, that the results of the experiment will be uninteresting. It will be no great surprise to learn that people are more likely to enter sensitive information when prompted by a friend through email. The researchers probably did have good intentions (increasing public awareness about phishing attacks), but the negative effects of the study will definitely outweigh the benefits of the final results.
To the researchers: in the future do not perform experiments without prior consent. If you cannot think of a way to run your experiment without prior consent, then do not run the experiment at all.
To the Human Subjects Committee: be more careful in the future. Perhaps you need to reconsider your definition of “harm”. Wasting other people’s time without their consent IS doing harm.
April 26th, 2005 at 4:26 pm
Great idea. Those who are upset are clearly unhappy about having been “outed” as careless or easily duped.
April 26th, 2005 at 4:27 pm
To the morons who got deceived….You’d be foolish to sign up for online banking in the future. Every couple of days I get e-mail supposedly from my “bank” wanting me to verify all my account information. If I gave up the information my money would probably be drained into an overseas account….I bet you write your grocery lists on the back of your check carbon copies too…then throw it out in the grocery store trash can.
April 26th, 2005 at 4:30 pm
Hahaha look at all the uni snobs getting uppity. Your so-called sacred privacy is nothing more than an egoism in the real world. Get the fuck over it. Let’s get back to being piles of human waste together.
April 26th, 2005 at 4:30 pm
I am not a member of this University. That said, I think it is important for the “subjects” of this experiment that, upset as they may be, they will indeed be from now on more likely to think twice before releasing any information just like that. That in itself is a benefit of the experiment, not counting whatever additional information the experiment in itself provides. The “subjects” have the right to be upset, by all means be upset, but be honest enough to acknowledge that you are the first ones to benefit from all this. That is the least you can do if you claim that the testers were not honest.
AQ
April 26th, 2005 at 4:31 pm
Interesting experiment… it’s unfortunate that the people “victims” of the experiment feel violated and deceived, but it’s definitely a good thing that it raises awareness of phishing and its consequences…
I think both those who are threatening the experimenters (after all, only publicly available information was used), and those who insist that those who fell for it are total idiots and deserve whatever they get should cool down a tad, and try to learn from the experience.
April 26th, 2005 at 4:32 pm
I agree with the above comment that you all are a bunch of wusses. However, as a person who was worried about what was going on, I realized and began thinking about how ethical this situation was. If you think back to www.thefacebook.com, and other such sites, you would realize that this information is available to anyone and any person who would like to steal your information.
YOU set your own selves up for this, it is not the university’s fault by any means, a phisher wouldn’t ask your permission before they took your name and your e-mail address from the facebook and for no discrepancies in the experiment, the experimenters/researchers should not have had to ask your permission either. If they had, it would skew what they are trying to prove and thus make you guys more susceptible to phishing attacks in the future.
The only people to blame for this situation are yourselves, the information is readily available on the IUB website through the Address book feature, on thefacebook.com and elsewhere. You all are looking for a reason which isn’t there to sue the school for incredulice and malicious reasons. There is no case, because in the court of law, your stance vs. the stance and the situation will not stand up and it should not, if it does, you are just being the smaller person in the end.
April 26th, 2005 at 4:36 pm
Unethical? Not at all. What is unethical is the users who blindly submit their personal information which gives phishers exactly what they are phishing for. This positive response from the naive information giver prompts the phisher to continue phishing for others’ information. Such is the case with spammers: if no one ever followed the ads in the spam email, then there would be NO MORE spam because sending it would be fruitless. Get the point? People like those who gave out their information in this study make it worse for the rest of us by making it profitable for phishers to continue trying for more information from other idiots. Stop being so dumb and we’ll all be better off for it. Those who conducted the study should be awarded for showing just how gullible the “educated” college students are. I myself am a college grad and know better than to give any information to a phisher. According to this study, I am in the minority due to the use of ‘common sense’ when it comes to my personal information.
April 26th, 2005 at 4:39 pm
Considering that you have paid thousands for an advanced education, shouldn’t this be considered just part of the package? You and your friends have been taught that publicly posting information that can be used against you is a bad idea. A lesson shown in a way that you will not forget. In addition to that you all will be more resistant to more phishing attacks. Definitely your money’s worth.
Consider it this way: how does society protect us from influenza? By introducing harmless “dead” flu bugs into our system, encouraging the body to increase its defences against it. Sounds to me it’s about time the student body got its shot, stings a bit though, doesn’t it?
April 26th, 2005 at 4:40 pm
I wonder how all these technology-ignorant people would react if you told them their email was transmitted across the internet in clear text. Would that too be a violation of their privacy because nobody informed them of this fact? Does everyone who was fooled expect that someone else is looking out for them?
April 26th, 2005 at 4:44 pm
I find it astonishing that people who were used in an experiment on phishing are actually using their energy to attack the people that performed the experiment, as opposed to activating and publishing to the world what a problem phishing is. One of these options is constructive. Wouldn’t it be better to put your “angry” energy into trying to affect legislation?
It is too bad there isn’t a sociology aspect to this experiment. One, they could study how easy it is for people to become irrational. Two, they could study how far a phishing scam affects personal relationships. This is obvious from the statements from friends that supposedly sent the email. I didn’t read the email, but it sounds like people were quick to judge about something they really know little about; viruses, networked computers, phishing scams, etc. Obviously, there were no emails actually sent from friends’ computers to other friends’ computers. But people still presumed much that they didn’t know. This isn’t surprising though; people are presumptuous all the time. What is God, but a presumption on the understanding of everything?
April 26th, 2005 at 4:49 pm
ohh… you all act so surprised… ‘hey he pretended to be me!!’…. oh boo hoo… when will ppl learn to be more cautious… the only way to verify somebody’s identity for sure is to meet them face to face and there is still an element of doubt… identity theft wouldn’t be possible if ppl learned to verify identity before undertaking any kind of transaction. listen carefully ppl …. IDENTIFY IDENTIFY IDENTIFY
April 26th, 2005 at 4:49 pm
Everyone who has posted a comment whining that they were deceived or taken advantage of would do well to remember that your IGNORANCE, CARELESSNESS, and GULLIBILITY are precisely the reason that these sorts of studies are needed. Each time one of you gives out information to someone who will use it improperly, you are contributing to a problem that affects EVERYONE who uses a credit card, keeps money at a bank, shops online, or buys insurance. The financial fallout from poor decisions like yours affects everyone when the result is actual theft, and you should be thanking those who ran this study for pointing out your weaknesses, before you learn of them in a less pleasant manner.
April 26th, 2005 at 4:50 pm
Did any of you read the article before you posted here? The researchers claim they didn’t collect any personal data.
April 26th, 2005 at 4:52 pm
To all of those who are whining and complaining because they got phished, you should be blaming YOURSELF for broadcasting your personal information on thefacebook.com. How stupid of you to knowingly victimize yourselves. And how can you be so naive as to expect malicious real phishers to ask for your consent before obtaining your information? Thick-heads like you are what keeps phishers/spammers in business.
April 26th, 2005 at 4:54 pm
Come on! Be GRATEFUL you’ve been taught this lesson painlessly.
And btw, your computer is infected.
April 26th, 2005 at 4:56 pm
You dumbass uni students couldn’t find your ass with both hands without your mommy holding you for comfort. Get over yourself. You fell for it, now LEARN FROM IT. Stop crying, and OWN IT.
April 26th, 2005 at 4:58 pm
I think that the responses are all very predictable. I find equally as fascinating that one of the solutions is to turn to the government to solve the problem of ignorance! Just what we need, another place for lawyers to make money?? And the government to monitor.
April 26th, 2005 at 4:58 pm
Please, get it right, all you whiners. AT NO POINT DID *ANYONE* USE YOUR E-MAIL ACCOUNTS. And if you keep whining that you didn’t give permission for your e-mail account to be used, please note that IT WAS NOT. What they did was simply spoof the “From” line. That’s the equivalent of me sending a letter with a wrong return address on it — I didn’t break into your house to write it. I just misinformed the recipient about where I sent it from. This is the EASIEST thing in the world to do, I could give you twenty links to internet sites that have simple forms you can fill out to send e-mails “from” any address in the world. On top of that, this type of spoofing isn’t currently even illegal.
So please, GET YOUR FACTS STRAIGHT before you play the victim about how poor little you was “misused.” If you think this was bad, wait until you’re at the hands of someone who counts on your ignorance to make thousands of dollars.
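The spoofed “From” line that this comment (and the earlier one about modifying e-mail headers) describes leaves traces a receiving mail filter can look for: the envelope sender and the host that handed the message to the local mail exchanger usually do not match the forged From domain. The check below is an added example for this thread, not code from the study or the blog; the two header samples are constructed and use documentation placeholder domains.

```python
"""Heuristic check for a forged From: line of the kind the comments above describe.

Added example for this thread, not code from the study or the blog. The two
header samples below are constructed; the domains are documentation placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: claims to come from a friend at example.edu, but the envelope
# sender and the host that handed the message to our MX are somewhere else.
SPOOFED_SAMPLE = """Return-Path: <bounce@example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.edu with ESMTP id ABC123
\tfor <student@example.edu>; Mon, 25 Apr 2005 10:00:00 -0500
From: Friend Name <friend@example.edu>
To: student@example.edu
Subject: hey, this is cool

Check this out!
"""

# Constructed: same From: line, but delivered by the sender's own mail host.
LEGIT_SAMPLE = """Return-Path: <friend@example.edu>
Received: from smtp.example.edu (smtp.example.edu [192.0.2.20])
\tby mx.example.edu with ESMTP id DEF456
\tfor <student@example.edu>; Mon, 25 Apr 2005 11:00:00 -0500
From: Friend Name <friend@example.edu>
To: student@example.edu
Subject: lunch?

Noon at the union?
"""


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the first address in a header value, '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def handing_host(received: str) -> str:
    """Host named in the 'from' clause of a Received: header, '' if absent."""
    m = re.search(r"\bfrom\s+([A-Za-z0-9.-]+)", received)
    return m.group(1).lower() if m else ""


def belongs_to(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def spoof_indicators(raw_message: str) -> list:
    """Return reasons the From: line looks forged (empty list = none found).

    Two cheap signals: the envelope sender (Return-Path) and the host that
    delivered the message to our MX (the top-most Received: header, which our
    own server added) should normally agree with the From: domain.
    """
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    findings = []

    rp_domain = domain_of(msg.get("Return-Path", ""))
    if rp_domain and rp_domain != from_domain:
        findings.append(
            f"Return-Path domain {rp_domain!r} differs from From domain {from_domain!r}"
        )

    received = msg.get_all("Received") or []
    if received:
        host = handing_host(received[0])
        if host and not belongs_to(host, from_domain):
            findings.append(f"delivered by {host!r}, which is not a {from_domain!r} host")

    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, spoof_indicators(sample) or ["no indicators"])
```

Mailing lists and forwarders legitimately produce the Return-Path mismatch, so a hit is a reason to look closer (or to check SPF/DKIM results where available), not proof of forgery.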
April 26th, 2005 at 5:00 pm
This was not unethical. I feel that most people here are violated, but they did not do anything malicious. I would be mad if they were malicious hackers and had stolen my information, and used it for other purposes. But they did nothing illegal, and used publicly available information such as www.thefacebook.com, etc.
If you are mad that someone calls you, and they obtained your phone number from such websites - then quit posting your home phone number, address, and email on the internet!
I personally am not mad, because I work in the computer and information security field, and am aware of many phishing scams. I am not trying to be condescending or be an ass, but I am not stupid enough to fall for those phishing scams. I feel that most people are mad, because they fell for it. And had these guys been real hackers, you would have been an easy target. This sort of wake-up call makes you realize how easy of a target you were (or weren’t), and this is what really bothers you.
As for spoofing emails from your friends or other familiar domains, this was practical, because that is what real hackers/scammers do. And all they did was say “Hey this is cool!”.
It’s not like they sent emails from your account, cussing out all your friends and family, trying to make you look bad. There was no real social sabotage or anything of the sort. This would have been unnecessary for research purposes, but they did not do this.
I personally am glad that they did this, because being informed and educated about the topic is what protects you. I have had friends who have had this happen to them, who have had their identity stolen and credit cards made and used in their names. It is not something that I would want happening to anyone, because it really causes you problems.
Next time, don’t click on everything you receive in emails! This is how people spread computer virii and infect themselves with trojans. Good, regular security practices such as this are the best ways to protect yourself.
April 26th, 2005 at 5:07 pm
It’s very likely that every individual at one point in life will be subject to some sort of social engineering or phishing. This experiment is more important for those who participated in the study than the students who conducted the study.
It is important to understand how the technology is abused in order to learn to make smarter decisions when it comes to giving out personally identifiable information.
It would have done no good to inform all the participants ahead of time of the experiment as the results would have been skewed.
The truth is that people are easily compromised by our trusting nature and we rarely ever check sources or question when we should.
This test was a wake up for all the participants and those who have learned from its outcome.
The most productive use of your time is to use this as a valuable learning experience and think twice about giving out personally identifiable information.
The cause of most of the identity fraud, virus and computer trojan propagation results when people don’t question the sources of information they get. There is no going back. From this point on, we are all vulnerable to these types of attacks and everyone must be more vigilant and smarter about giving out that information.
Those who complain here want to live in a safe world that doesn’t exist. If people aren’t made aware of the dangers of phishing and information fraud, then we are all subject to its worst provisions.
S-
April 26th, 2005 at 5:09 pm
As an outsider, I must say that I agree with a lot of the posts towards the bottom. You guys should stop complaining, and be thankful that your information wasn’t used by a REAL scammer.
Guess what? It’s your own fault that your information was compromised. Look at this as a lesson learned.
If you DID get scammed for real, you’d blame the University for not protecting you. I guarantee you that every one of you, and your friends, are smarter after this lesson.
//Anonymous
April 26th, 2005 at 5:11 pm
A wise man once said “a fool and their identity are soon parted…”
April 26th, 2005 at 5:13 pm
After reading most of these comments, I think it’s funny how many people got tricked and yet how many of them still can’t figure out how they were tricked (i.e. where the information came from). It’s a sad realization that some people will simply never “figure it out”.
April 26th, 2005 at 5:16 pm
There were two sets of victims: those who gave out passwords, and those whose email addresses were “used” to send the information. Most of these comments insult the first group. But the second group had the greatest concern. The first group could go to UITS, change their account information, and ensure nothing was missing. The second group thought their computers had contracted an Outlook worm and were spamming all their friends. Consider all the horrible things a worm can do to the computer on which you write your thesis. In addition, spamming of this sort could be considered a criminal offense under CAN-SPAM. Here’s a quote from the article:
“Senior Rebecca Shakespeare did not even know she had been used as a sender until her friend notified her. ‘I was frustrated that I was hearing from a friend that my e-mail account was sending her things,’ Shakespeare said. ‘I had no idea where it was coming from. I was irritated because I was concerned that my home system was being abused.’ Shakespeare called University Information Technology Services, which said it could have been a virus and to not click on the link.”
The article unwittingly uncovers UITS’ complete failure of support. Rebecca never clicked any link to begin with. The tech, like every slashdork who commented above, just assumed she had brought this grief upon herself. That is the scoop right there, and properly written, it could have won author Colleen Corley great honors.
April 26th, 2005 at 5:18 pm
I am an attorney interested in representing victims of this study in a class action lawsuit. To participate, please click the link provided below and provide the following personal information…
http://meanderthal.typepad.com/sucker.jpg
April 26th, 2005 at 5:20 pm
What a bunch of whiners! ISPs should do this to their customers as a warning against being plain stupid. Stupid people could receive an email telling them to change their passwords and get a clue. The Internet is dangerous, people. D-A-N-G-E-R-O-U-S. Not because curious university researchers want to find out how stupid you all are (that’s S-T-U-P-I-D), but because people who want to actually rob you blind are doing the same thing. Learn the lesson, be less STUPID, and move on. Furthermore, you have helped us gain further understanding of how STUPID you all are, which makes for funny reading.
April 26th, 2005 at 5:22 pm
After reading most of these comments, I think it’s funny how many people got tricked and yet how many of them still can’t figure out how they were tricked (IE where the information came from). It’s a sad realization that some people will simply never “figure it out”.
I think it’s funny that you can’t read the timestamps and notice that the people who posted they were still confused about where the info came from posted on the same day the information about the experiment was being revealed and obviously know everything now.
April 26th, 2005 at 5:25 pm
I can understand how people would feel violated, but as another anon pointed out, they are certain to question any emails like this in the future.
What I’d like to see is for the researchers is to *repeat the experiment* in about a month. I’d be willing to bet that you will STILL have people that enter their information.
Heck, it should be part of University policy to use this every year on the incoming freshman class - just to show them how not to be owned.
I’d also bet that bchenry@indiana.edu has the amount of spam mail triple now that they’ve published their email address in yet *another* public forum. When will people learn?
April 26th, 2005 at 5:30 pm
another slashdotter for the greater flaming of society here, way to go, you fell for a phishing scam. you win the prize. maybe if you spent more time watching your back and less whining you wouldnt get phished. to all who claim they shouldn’t have used facebook, consider most of these scams will have someone in the university helping, so they will have access to facebook, facebook is not some secret site that no one uses. Studies are not supposed to help the participants, they are supposed to help prevent it from happening outside of a study. take a medical study for example. It is not designed to save you, it is designed to see if a treatment has an influence.
April 26th, 2005 at 5:36 pm
WAHHH WAHHH WAHHHHHHHHHHHHHHHHHHH! Who cares? If you’re dumb enough to fall for those scams, then you deserve it. Congratulations, you fail. And when you’re done basking in the glory of your ineptitude, go grab some No More Tears shampoo.
April 26th, 2005 at 5:39 pm
I’m not here to fling mud at anyone. Insults are not productive to the discussion. But one would be wise to consider the common adages:
“Don’t give private information to strangers (or strange web sites, etc.).”
“If it sounds too good to be true, it is.”
“Fool me once, shame on you. Fool me twice, shame on me.”
I just received this very day a bogus email supposedly from paypal. Did I fall for it? No. Am I special? No. But I’ve over time become a bit of a security Nazi these days. Naivete is no longer an option for using the Internet, cell phones, etc.
I now have a habit of using abandonable mail addresses for any web site that wants an email address. Even “professional” or “business” web sites. You should too. Keep your “real” email address in a very close group (who understand computer security), who *know* how to send emails that don’t broadcast everyone else’s email address in the group to the rest, etc. (BCC is your friend).
For your information, I *always* leave header display mode on with all my email clients (programs that read/send emails), and have learned how to do basic cross-checking for spoofed addresses and mismatched URLs as clickable links.
These techniques are ones everyone should learn how to take advantage of.
You have been warned. Use that college education you’re paying for to:
Learn how to learn.
Figure out what is important to learn first.
Be very discriminating as to what information you give to any company or leave on any web site you visit, regardless of the apparent gain to you it provides.
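The header and link cross-checks the commenter above does by hand, written out as an added example (not code from this thread). It assumes a constructed sample message; a real run would feed it a message saved from the mail client with full headers shown.

```python
"""Cross-check an email's headers and clickable links for spoofing clues.

Added example, not code from the blog thread: it automates the manual checks
the comment above describes (headers on, compare the visible From address
with the Return-Path and the earliest Received hop, and compare link text
with the real href). The sample message below is constructed for the demo.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: "From" claims a campus friend, but the bounce address and
# the first relay are elsewhere, and one link's text hides a different host.
SAMPLE_MSG = b"""\
Return-Path: <bounce@mail.example.net>
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.edu with ESMTP; Tue, 26 Apr 2005 12:00:00 -0500
From: "A Friend" <friend@example.edu>
To: you@example.edu
Subject: check this out
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Log in here: <a href="http://login.example.net/verify">https://www.example.edu/login</a></p>
<p>Or see <a href="https://www.example.edu/help">our help page</a>.</p>
</body></html>
"""


def addr_domain(header_value):
    """Lower-case domain of the first address in a header, or None."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Links whose visible text names a host different from the href's host."""
    collector = _LinkCollector()
    collector.feed(html)
    bad = []
    for href, text in collector.links:
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        # Only compare when the visible text actually looks like a hostname.
        if shown and "." in shown and real and shown != real.lower():
            bad.append((text, href))
    return bad


def analyze(raw):
    """Return a list of human-readable findings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = addr_domain(msg["From"])
    rp_dom = addr_domain(msg["Return-Path"])
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} != Return-Path domain {rp_dom}")
    # Each relay prepends its own Received header, so the last one is the
    # earliest hop: the host that actually handed the message in.
    hops = [str(h) for h in (msg.get_all("Received") or [])]
    m = re.match(r"\s*from\s+(\S+)", hops[-1]) if hops else None
    if from_dom and m and not m.group(1).lower().endswith(from_dom):
        findings.append(f"earliest relay {m.group(1)} is not under {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for text, href in mismatched_links(body.get_content()):
            findings.append(f"link shows {text!r} but goes to {href}")
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_MSG):
        print("suspicious:", line)
```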
April 26th, 2005 at 5:44 pm
So here I am . . . one of the /. sheep so kindly referred to above. I’ll try not to repeat the same stuff everybody else has posted.
“The goal of the study is to raise user awareness of threats of this type, and to determine the likely success rate of an attack of this kind.”
Quoted from the article that led me to this blog. Is this really the only goal of the experiment? Seems like kind of a waste. As one who is VERY interested in internet security, I’m wondering if any documentation was made anywhere of the techniques used to create this scam. That’s IMMENSELY valuable information, and it seems to me the TRUE goal of the study should be the collection of that kind of information.
Knowing HOW to create these kinds of scams is important. Limiting, tracking or altogether removing the sources of information phishers use to create scams like these is one of the best ways to prevent them from succeeding.
Knowing exactly WHERE user education is lacking is also important. I can tell the e-bay scams because I can see that the URL on the emails for the “Contact Us”,”FAQ” etc links all go to “www.ebay.com” and the one that takes me to the ‘login’ screen goes to 192.168.0.0 (yes, I know that’s a BS address, you tech freaks. You think I’m gonna post somebody’s server IP on a public blog to get targeted?)
I can already hear people asking “why not just put the scam together and NOT actually inconvenience people by making them feel like victims.” C’mon. Any study needs some kind of metric by which to judge the success or failure of the experiment. Just so happens, the only way to see how successful a phishing scam is . . . is to ACTUALLY pull it off. And you idiots out there talking about how you didn’t consent . . . get a grip. It takes all of two seconds worth of thought (if that much) to see that prior warning and/or consent COMPLETELY invalidates the results.
So definitely bother to educate yourselves, but you researchers, don’t fool yourselves that you’re going to solve this problem with mere education. I’ve explained this stuff IN DETAIL to my mother-in-law (and many others) numerous times. All I’ve managed to do is make her so paranoid she’s afraid to check her e-mail. She still can’t tell a phishing scam from a real-life informational e-mail. So be it. I’ve done what I can to protect her. But there’s MILLIONS more out there. We can’t POSSIBLY expect every user to be technically proficient in order to be protected.
THAT’S what this study should be focusing on . . . how to protect the ignorant ones. You’ll never get to 100% success, but maybe we’ll make identity theft the exception rather than the norm eventually.
My $.02 worth.
P.S. Now for the ignorant rant.
Quit whining, you stupid dumbasses, and bother to learn a lesson or two. If your only response to embarrassment & inconvenience is ignorant, overblown threats and juvenile posturing, you’ve got some hard lessons coming. Suck it up, swallow your pride, and deal with the situation constructively. Here’s a thought . . . LEARN from it.
Why the hell else are you at a university?
Geez!
April 26th, 2005 at 5:48 pm
Nobody hacked into anybody’s computer. The experimenters simply sent an email from their own computers spoofed as yours. It’s pretty easy to do.
April 26th, 2005 at 5:49 pm
I quote from above:
“I am an attorney interested in representing victims of this study in a class action lawsuit. To participate, please click the link provided below and provide the following personal information…”
Allow me to say to you, Mr. Attorney . . .
Get the hell out of here, you fucking opportunist! It’s lawyers like you that give the whole legal profession a bad name. Who’s been hurt by this . . . honestly?
I fucking hate people out for a quick buck.
You make me sick.
Go find REAL victims and make the REAL bad guys pay, you piece of crap.
April 26th, 2005 at 5:52 pm
“Allow me to say to you, Mr. Attorney . . .
Get the hell out of here, you fucking opportunist! It’s lawyers like you that give the whole legal profession a bad name. Who’s been hurt by this . . . honestly?
I fucking hate people out for a quick buck.
You make me sick.
Go find REAL victims and make the REAL bad guys pay, you piece of crap.”
Come on.. don’t tell me you really fell for that post..
Whoever posted that posted an obviously bogus link.. they don’t even try to hide it.
YOU STILL HAVEN’T FIGURED OUT THAT YOU HAVE TO CHECK YOUR SOURCES FIRST!
April 26th, 2005 at 5:59 pm
this is pretty cool what you guys did. if people base their decisions on trusting email solely on the name it comes under (LOL) then they deserve whatever they get. the lusers of today are the lusers of tomorrow.
you should have included some professors in it too!
April 26th, 2005 at 6:00 pm
I can not believe this.
I became aware of your study from a /. story. Congrats on a well executed study. I read what steps you took to go about this experiment. I could not have agreed more with your approach to this.
I think the organizers took WELL MORE than the needed precautions to conduct this study.
And every SINGLE ONE OF YOU should be thanking them for teaching you a lesson!
Most of you have no idea how email services / DNS / TCP/IP services work. For instance, I can (using built-in Windows scripting) call up an email object and add whomever I want as the sender:
Set objEmail = CreateObject("CDO.Message")
objEmail.Subject = "VALIDATE YOUR ACCOUNT!"
objEmail.Sender = "gbush@whitehouse.us.gov"
objEmail.To = ... ' The message WILL be sent to this address, and appear as if it came from George W. Bush himself
objEmail.Send
To think that an email came from a person, solely because of the email address, is a gross miscalculation.
False DNS entries (this is quite new), you might think you are going to a certain website, however be sent instead to a phisher’s basement.
All you know is that you type in www.google.com , what comes up is a website. Well what happens is your computer receives www.google.com, it then talks to the local DNS server (Domain Name Service) and requests if it knows www.google.com’s IP address which is 64.233.187.104. BUT! If a phisher uploaded bad DNS info into the server such as this 207.46.20.60 A www.google.com, people requesting google from this DNS server would instead be routed to www.microsoft.com, however their browser would still state www.google.com.
Some phishers aren’t this smart and dumb this down to use “almost like” addresses to trick unwitting victims.
www.google.com
www.goog1e.com
for instance.
AND IT WORKS ALMOST ALL THE TIME!
This is a serious problem going across our society, and you ungrateful punks should be ashamed for doing anything besides stating “Thank you for the lesson.”
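A detector for the “almost like” addresses the commenter above shows (www.goog1e.com next to www.google.com), as an added example that is not code from this thread. The trusted list and the confusable-character map are assumptions chosen for the demo; the two-label registered-domain rule is a simplification that ignores public-suffix cases such as co.uk.

```python
"""Flag look-alike hostnames such as www.goog1e.com against a trusted list.

Added example, not code from the blog thread: it shows how a mail gateway or
browser extension could catch near-miss spellings of a familiar domain
offline. TRUSTED and the confusable map are assumptions chosen for the demo.
"""

# Characters and digraphs that render much like a letter in common fonts.
CONFUSABLE_CHARS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l"}
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))

# Assumed allowlist of domains the organisation considers legitimate.
TRUSTED = ("google.com", "example.edu")


def skeleton(label):
    """Canonical 'skeleton' of a label so visually similar strings collide."""
    s = label.lower()
    for pair, repl in CONFUSABLE_PAIRS:
        s = s.replace(pair, repl)
    s = "".join(CONFUSABLE_CHARS.get(c, c) for c in s)
    return s.replace("-", "")


def registered_domain(host):
    """Last two labels of a host. Assumption: no public-suffix list, so
    two-label TLDs like co.uk are not handled in this demo."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'unrelated' for a hostname."""
    host = host.lower().strip(".")
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted"
    reg = registered_domain(host)
    for t in trusted:
        # Trusted name embedded as a subdomain of something else,
        # e.g. www.google.com.attacker.test
        if ("." + t + ".") in ("." + host + "."):
            return "lookalike"
        # Confusable characters or a one-character typo in the registered part.
        if skeleton(reg) == skeleton(t) or edit_distance(reg, t) <= 1:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for h in ("www.google.com", "www.goog1e.com", "www.google.com.attacker.test"):
        print(h, "->", classify_host(h))
```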
April 26th, 2005 at 6:01 pm
Honestly, people, you have no reasonable expectation of privacy whatsoever when you publicly post information on the world-wide web. None. Ever. Period.
This experiment appears to have been very well thought out and planned. I only hope that the results can be used to raise people’s awareness of this major issue facing internet users today.
I look forward to the detailed analysis and resulting paper.
Cheers to Tom and Nathaniel.
April 26th, 2005 at 6:07 pm
apparently bchenry@indiana.edu was already in the practice of posting his email address in public forums:
http://recsports.indiana.edu/forms/boards/socplayer.html
He should now look into a good spam software
April 26th, 2005 at 6:20 pm
This was a good test; people need to learn to be careful on the internet. If you had said up front this was a project, the results would have been skewed. People shouldn’t be indignant but rather glad that this was benign and that it wasn’t a true phishing e-mail.
April 26th, 2005 at 6:24 pm
OH MY GOD! How petty can you be? Someone found your vehicle unlocked in a parking lot, opened the door and put a note on the steering wheel to remind you to lock your car. And now you’re mad…sure, maybe he was looking in public parking lots for unlocked cars, maybe it would have been nice to know ahead of time that people might be trying the door on your car while you were away, but let’s face it, they did you a favor!!
Perhaps you would have preferred someone less benign point out your particular brand of naivete.
I think you should all get a clue, and be thankful that someone bothered to use a study that had public results.
Additionally, anyone that practices a little common sense while surfing or emailing, is not vulnerable to these types of “intrusions”
LOCK YOUR DOORS, YOU’RE PARKING IN PUBLIC!!
April 26th, 2005 at 6:26 pm
I’m not a university student at IU, but I find this study unethical. I suppose if this were a real scam, the /. crowd would tell everyone to shut the f*ck up and be glad you learned a lesson???!! Following the same reasoning, victims of “real” phishing attacks should be happy they were scammed. At least they learned a lesson, right??
Would we react the same way if an outside company did this? Would we be so quick to say that it’s OK to trick people as long as it wasn’t “real”?? If Microsoft did this as part of a security test, would we be happy about it? If not, why should it be OK for someone from the university?
April 26th, 2005 at 6:30 pm
I’m here from /. too.
All of the students crying “Oh, I didn’t sign a waiver, I’m having my dad call the school!” need to get their heads out of their asses.
This was a valid study. They wanted to prove something (that e-mail received from what appeared to be their friends trusted that information implicitly), and they did just that.
They did not use any privileged information.
They did not ask for any waivers because they don’t need to. If they wanted to present your own social security number to you (supplied by the school) then they would need such information. If someone came by and gave you a piece of paper telling you to go to a web site and put in your username and password, and you do, then that’s your own damn fault.
The only thing in question is whether they broke any laws by faking the “from” address; the answer to that is “no”. There are no laws that prevent that.
April 26th, 2005 at 6:37 pm
I don’t know about anyone else here, but assuming that they did use thefacebook.com, as their public information. The website states in their terms of service that: “Illegal and/or unauthorized uses of the Web site, including collecting email addresses or other contact information of members by electronic or other means for the purpose of sending unsolicited email and unauthorized framing of or linking to the Web site will be investigated, and appropriate legal action will be taken, including without limitation, civil, criminal, and injunctive redress. ”
Not only this, but it’s not public information. You have to have a name and password to access the information. Which also means that you have to be in college, since you have to use your email account. So, the information is not “public” information as they state.
It is very public. Google has cached that information without any name or password…or requiring people to visit facebook.
Welcome to the internet & search engines http://tinyurl.com/7mzcl
April 26th, 2005 at 6:40 pm
It fills me with a sense of unease to see how gullible and emotional children in college are now.
April 26th, 2005 at 6:41 pm
what a bunch of cry babies. I expected more from college educated post X gen adults. Get a grip. You allowed yourself to be duped, and are now aware of the dangers of phishing and data release.
This was a legit experiment, to basically see how many fools would give up personal data without a second thought. Anytime I’m asked for a password, personal info etc, by any process other than one I initiate or verify via a phone call, there’s a simple answer. NO
So grow up and quit acting like a lot of cry babies.
April 26th, 2005 at 6:54 pm
It’s quite sad to see that not only would a large number of people in higher education fall for this but also that instead of learning from it, they want people fired or sued.
Is this what we can expect from our Universities now? “I’m humiliated because of something stupid I did. I want heads to roll!”
April 26th, 2005 at 7:01 pm
I’m flabbergasted that anyone is even remotely upset by this experiment. Doesn’t everyone get these bogus emails? My mom gets bogus emails purporting to be from “me” … who falls for this stuff? Who is so naive as to possibly get upset? I’m thinking that this should be the topic of the study … understanding the social dynamics of technology news … phishing is covered on the radio, tv, newspapers, blogs … this has been old news for quite a long time … and yet, it seems that there are people out there who are still unaware of the phenomenon, unaware to the point of getting angry about it … why am I bothering to be bothered? Why am I upset that some schmuck students don’t know what phishing is? Maybe I’m upset that, once having been a victim myself, there are still people who haven’t been victimized? That’s so not fair, that there are people out there who are so cocooned, that they are only now finding out about this … can I be one of them? one of the last to lose my innocence?
April 26th, 2005 at 7:25 pm
You were idiots who got caught doing stupid shit…. Don’t blame them, blame your own stupidity. This will probably be the only thing you will seem to learn in your whole career at IU. Just think how many of you morons won’t get your identity stolen now, because you learned an invaluable lesson. All I have to say is… you guys are dumb dumb dumb.
April 26th, 2005 at 7:41 pm
The only flaw in the study’s implementation that I find is not giving the IT support people a heads up to field specific queries triggered by the original emails.
The University’s IT support techs/staff should have been able to inform callers that emails generated/received during a specific time window are harmless, and any others should be flagged and checked for being spoofs outside the original study’s email generation time frame.
Any other prior notification would have poisoned the study results. All other beefs are of little import.
Those who have been burned or friends of the same should use this as an opportunity to discuss scams and other related issues and how to avoid them, regardless of the source. Some healthy dialog will go a long way to raising the awareness needed to put scammers out of commission.
For those in film studies, ever seen the movie “Paper Moon” (1973) with Ryan O’Neal and the young (Academy Award winning precocious performance by) Tatum O’Neal?
The scams depicted are still working to this very day, with a few creative twists from time to time.
When will people learn?
April 26th, 2005 at 7:53 pm
Identity stolen? There seems to be a naive bunch of people here that think their email address is somehow protected. Your account may be password protected but that does not prevent someone else using another email account to send out emails using your email address (spoofing). Your email address is just as protected as your home address. Anyone can give out your home address when asked.
Being caught by phishing is pretty dumb. If a man holding a clipboard knocked on your door and asked for your banking details would you give it to them? Sadly the answer for many is probably yes.
As long as the personalized data is properly destroyed, and the results are gainfully employed, then I’d suggest this was a very good experiment.
R.D.
April 26th, 2005 at 7:55 pm
ha ha!
April 26th, 2005 at 7:59 pm
I bet y’all that got tricked in this experiment won’t let it happen again. Bruised egos aside… imagine how embarrassed you would be if this had been for real.
Moral of the story: Don’t be stupid, there are lots of sneaky people on the internet. Be glad you got caught when the stakes weren’t very high.
April 26th, 2005 at 8:03 pm
And the real study is all of the posts on this forum…
April 26th, 2005 at 8:03 pm
You are all focusing on the people dumb enough to click the links. The main issue is the people who had their emails spoofed without their express permission. All I know is that most of the people who had their emails spoofed already know what phishing is and didn’t learn a damn thing. This study accomplished nothing that an educational brochure could not have covered. All it did was invade privacy and piss a lot of people off.
April 26th, 2005 at 8:20 pm
First Post.
April 26th, 2005 at 8:20 pm
Quote from an uninformed apologist.
“You are all focusing on the people dumb enough to click the links. The main issue is the people who had their emails spoofed without their express permission. All I know is that most of the people who had their emails spoofed already know what phishing is and didn’t learn a damn thing. This study accomplished nothing that an educational brochure could not have covered. All it did was invade privacy and piss a lot of people off.”
The only way people learn these days is to have such a traumatic experience that it causes them to rethink their ignorance. People don’t like to change.. and barring some sort of forced learning, people who hadn’t learned how to avoid phishing up to this point never would have unless they had been a victim of it. It’s a sad fact of human nature. If those people hadn’t felt so abused and manipulated, they would not walk away from this having learned anything. MY guess is that some people’s pride will still prevent them from learning the lessons here.
It’s not my job or the researchers’ job to teach any of these people a lesson about being intelligent with their personal information. It was their job to identify statistically how many people in a given group are uninformed and are a danger to the rest of us in the digital world.
The best thing these people can do is to walk away having learned something. Being humiliated in such a way may help that lesson stick. If people walked away thinking it was a joke or a useless exercise, they are destined to make the same mistake again. Hopefully these people came to UI with the intention of coming away a smarter, more informed citizen who is able to survive the harsh realities of the outside world.
You missed an important detail. Email spoofing, as it’s called, is inherently built into the protocol.. There has NEVER been any protection against it.. Nor can there be at all unless the protocol is rewritten. If you look at your headers it will tell you where the email really came from.
April 26th, 2005 at 8:25 pm
You are all focusing on the people dumb enough to click the links. The main issue is the people who had their emails spoofed without their express permission. All I know is that most of the people who had their emails spoofed already know what phishing is and didn’t learn a damn thing. This study accomplished nothing that an educational brochure could not have covered. All it did was invade privacy and piss a lot of people off.
Your email address is as easy to spoof as your IP address.
This is something you still haven’t learned: I can pretend to be you on this internet thingy no matter what you do, University person, so be careful and learn from your mistakes instead of turning a blind eye and crying ‘foul’.
April 26th, 2005 at 8:26 pm
It scares the hell out of me to think that you collegiate numbnuts are this country’s future. I think your folks should have done us all a favor thirty years ago and gotten sterilized.
April 26th, 2005 at 8:31 pm
The ignorance here is shocking. I second the proposal to sterilize all who fell for this.
April 26th, 2005 at 8:34 pm
I maintain my position that IU, like other universities, should make a basic computing and security class mandatory for all freshmen. But they won’t because they’re too busy using the Student Technology Fee that we pay in order to fund research like this instead.
April 26th, 2005 at 8:39 pm
http://www.theregister.co.uk/2005/04/22/email_destroys_iq/
These children were using BOTH.
April 26th, 2005 at 8:49 pm
Wow. I can’t believe people are upset about this! Wake up! Who are you going to bitch to when your identity gets stolen and it’s YOUR OWN DAMN FAULT!!!
If this study has made you less likely to fall for crap like this in the future - then instead of bitching - you should be grateful!
Education. Now you know. Wake up.
April 26th, 2005 at 9:03 pm
To all of the whiners, complainers and bitchers suckered by this phishing scam, did your parents have any kids that lived? You screwed up and now want to blame someone else for your stupidity. I vote for sterilization for the lot of you.
April 26th, 2005 at 9:12 pm
“I quote from above:
“I am an attorney interested in representing victims of this study in a class action lawsuit. To participate, please click the link provided below and provide the following personal information…”
Allow me to say to you, Mr. Attorney . . .
Get the hell out of here, you fucking opportunist! It’s lawyers like you that give the whole legal profession a bad name. Who’s been hurt by this . . . honestly?
I fucking hate people out for a quick buck.
You make me sick.
Go find REAL victims and make the REAL bad guys pay, you piece of crap.”
Well, that wraps up phase 2.
April 26th, 2005 at 9:15 pm
Student Technology Fee? That is the stupidest shit ever. I worked for UITS from 2002-2003 and EVEN if that fee is up to $500 by now, that wouldn’t even have been one paycheck. And, lest we forget, there’s thousands of computers on campus, and IU has one of the most robust and technologically advanced server rooms in the world… with highly trained and skilled staff to maintain it. There’s MILLIONS and MILLIONS of dollars involved, so before anyone gets self-righteous about their bill, let’s think of the true cost of the technology they’re using… which, by the way, the Student Tech Fee doesn’t even come close to covering, and is largely subsidized by the state.
I was so fucking tired of students’ parents calling in and complaining about shit like, “WELL I PAID $200 FOR YOUR TECHNOLOGY…” Well then spend 5 minutes and tell your idiot daughter not to give anyone online any information about herself, ever. It’s not like UITS employees, in their spare time, install viruses and spyware on users’ computers, and we sure as hell didn’t send out bogus e-mails. The LAST thing we wanted to do was handle 1000 idiot bitches who got some AIM message from a “friend” and then got a virus. Can you imagine taking 100 phone calls a day, all saying the same thing? Do this, do this, do this, do this. I mean, just think about the poor guys who had to deal with your dumb asses:
“Hi, UITS?”
“Hello.”
“These fuckers stole my information.”
“And by stole, you mean you gave it to them.”
“Um, but they said they were someone else.”
“That doesn’t make a difference.”
“Oh. So can you spank them?”
“No.”
“But I’m still mad.”
“Shoot yourself.”
Guess what? You’ve failed college! Go home, enroll in cosmetology school. Over with. Or… have your daddy call and yell at us for a good half an hour. At least you’ll have the satisfaction of knowing that, while pops is busting veins, we’re sitting with the mute button on, studying and getting paid by the hour.
Feel free to e-mail complaints to bchenry@indiana.edu. He’s a cocksucker anyway. Oh, and my name is Charlie. And I hate you.
April 26th, 2005 at 9:31 pm
You pay the school to do a lot of things to you. For example, parking, textbooks, meal points, etc. Welcome to IU, you are paying to be screwed… but guess what? You still continue to pay. The committee says that it was okay and they are responsible for those judgments. I bet they are a bunch of Nazis, or better yet liberals who like to trample all over your rights for their own personal gain. Whether you got duped or not, it still stands that the people who are duped are pissed because they weren’t told about this. Well, how exactly can you conduct a well done experiment if you know about it? “Hi, we are going to send you an e-mail asking you to put your password in, please do it. Then we will send e-mail to your friends masked as your e-mail address and tell them about what we are about to do to them. We are going to hope that you actually fall for it even though you know about the trick.” - Thanks.
Come on! This is stupid, you got duped or maybe you didn’t and you’re still pissed about it. It was considered ethical but hey, we live in a sue-happy society. Why don’t you just sue the university for money for your pain and suffering? I don’t need to tell you that, some of you are planning on doing that anyway. Get over it.
April 26th, 2005 at 9:33 pm
Tom N. Jagatic ,
Please identify some real benefits you see from this activity. I’m a computing professional and author of anti-spam and anti-phishing tools. To date I see no information that I was not already aware of. Specifically:
1. It’s well known to spammers and phishers that using known associates is more effective than unknown addresses and that is why address spoofing is common for both spamming and virus activities (and why viruses routinely use the address books on the infected computers).
2. It’s well known that operators of insecure mail systems (those which don’t act to block attacks from their own servers) increase the risk because people are more likely to trust the emails from the same systems. This is why addresses on the targeted systems are commonly used.
3. There are active initiatives, notably the SPF system, reverse DNS lookups and spam/phishing IP address databases (DNSBLs), which are acting to decrease the incidence and success of such forgery-based attacks.
Because what is examined here is already very widely known and understood it appears to me that the only significant effect of this activity is going to be to decrease the respect for those carrying it out, the Human Subjects Committee and Indiana University, who seem to have accepted a largely useless activity without any real gains to offset the costs.
Frankly, if this is doing much to move forward scientific understanding at Indiana University, that scientific understanding seems well behind the current state of the art.
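What the SPF check mentioned in point 3 above actually decides, as an added example that is not code from this thread: a receiving server looks up the envelope sender’s domain policy and tests the connecting relay’s IP against it, so a message spoofed from a campus address by an outside relay can be rejected or soft-failed. The records in RECORDS are constructed stand-ins for DNS TXT answers; the a, mx and exists mechanisms, which need live DNS, are reported as permerror here.

```python
"""Evaluate an SPF record against a sending IP without touching DNS.

Added example, not code from the blog thread. RECORDS holds constructed TXT
records standing in for DNS answers; a real implementation fetches them with
TXT lookups, and supports the DNS-dependent mechanisms omitted here.
"""
import ipaddress

# Constructed records keyed by domain (not real DNS data).
RECORDS = {
    "example.edu": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example.net -all",
    "_spf.mailer.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=RECORDS, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip and domain."""
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                    # domain publishes no SPF policy
    if depth > 10:
        return "permerror"               # include loop or excessive nesting
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"                  # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only if the referenced policy yields "pass"
            matched = check_spf(arg, sender_ip, records, depth + 1) == "pass"
        else:
            # a, mx, exists, redirect= need DNS; unsupported in this offline demo
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "2001:db8::1", "203.0.113.5"):
        print(ip, "->", check_spf("example.edu", ip))
```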
April 26th, 2005 at 9:38 pm
I have nothing to do with this study (I live in Australia) but I read about this on slashdot.
To the people /crying. You guys are idiots, you got phished by someone that wasn’t trying to do anything malicious with the information they garnered off you.
Look at it this way, you got a free lesson on the potential nastiness of the internet. I can imagine how much more indignant you would be if you found out about these techniques when you noticed a substantial amount of money missing from your bank accounts.
Basically you are all naive idiots and you got a free wake up call. GG for complaining about it. I bet you won’t be making the same mistake again, you should be thanking these guys.
April 26th, 2005 at 9:49 pm
To the self righteous so called “computing professional and author of anti-spam and anti-phishing”.
One side effect is all the people that unintentionally took part have been made aware of what malicious people can do if you are naive and click on links from emails that ask for usernames and passwords, without losing anything (money, time, whatever).
Best public awareness campaign ever.
April 26th, 2005 at 9:54 pm
“I am an attorney interested in representing victims of this study in a class action lawsuit. To participate, please click the link provided below and provide the following personal information…”
to everyone yelling at this lawyer, it’s a JOKE, another phishing attempt. Please tell me you knew that and you aren’t that slow of a learner!
April 26th, 2005 at 10:13 pm
“I maintain my position that IU, like other universities, should make a basic computing and security class mandatory for all freshmen. But they won’t because they’re too busy using the Student Technology Fee that we pay in order to fund research like this instead.”
1. Yes, they should make a class like that mandatory, I’m sure it’s coming.
2. The fee did not pay for this research, instead it pays for the on-campus computers you get to use for whatever you want — this usage apparently doesn’t exclude you from helping the researchers collect data.
April 26th, 2005 at 10:22 pm
Tom, maybe you should suggest this page to a psych major. It is always interesting to see how people who are embarrassed respond with aggressive behavior such as threats.
April 26th, 2005 at 10:57 pm
The /. crowd is the most heartless group of misguided self-righteous pricks in the universe. Let them learn their lesson without being insulted into the ground and asked to be sterilized, thrown out of school, flogged, etc etc. Children.
April 26th, 2005 at 11:14 pm
Ahhh, don’t mind the /.ers everybody, they suck more cock than a Thai hooker.
Anyways, the study was undoubtedly unethical. One could argue that taking people against their will and giving them shock treatment to see how they respond wouldn’t be unethical because it does service to blah blah. That’s hardly the case at all.
The fact of the matter is that this group used people in research without informing them of it, and performed an act that in any other situation would be considered illegal. Since they claim it is done in the name of research, they think they are justified. Boring and boring again, as nothing I’ve seen so far by this group provides any new thought on the subject.
The people that fell for these phishing attacks shouldn’t have, but that certainly didn’t give Tom and his crew the right to abuse them. So with that, I’m going to sign out.
Oh, and /.ers suck ass, as do the pricks that did this study.
April 26th, 2005 at 11:18 pm
Since most computer viruses come from people you know, I would like to see a study comparing the people who clicked on the phishing link to those who have viruses. My guess is the ratio will be high.
April 26th, 2005 at 11:21 pm
I was not included in this study, so I don’t speak as someone who feels a personal sense of violation from this study. Instead, I would like to speak as a fellow graduate student here at Indiana University. I feel that the research done by these two graduate students is very valuable and makes a real contribution to our knowledge about people’s behavior on the internet.
Their study has received large coverage on the internet and lots of commentary on www.slashdot.com. It has raised a very important issue in our community and has made a lot of people aware of a serious problem. I would be seriously disappointed if our university puts restrictions on studies like this in the future. People who are offended by this study should take a moment and reflect on what exactly caused them to react so vituperously. On the whole, I think most people will agree that this study was not out of line with what a university education is supposed to promote.
Sincerely,
Amos Batto
April 26th, 2005 at 11:29 pm
/.ers rule…
As for the screamers…go watch tv…
April 26th, 2005 at 11:48 pm
The general population is idiotic. That’s why everyone is sooo easily duped. Phishing has been going on since the 90’s and only proves that people haven’t caught on to social engineering and its effects.
Just remember…
All Your Base Are Belong To Us.
April 27th, 2005 at 12:28 am
Had to be said…
Best … Fishing Scam ….. EVER!
April 27th, 2005 at 1:06 am
Stop complaining about not being asked.
If you actually gave your username and passwords in the first place when asked to from an email, then you really need to get your head out of @$$ and think about why you were gullible enough in the first place.
Great experiment.
maybe next the researchers should ask for credit card numbers and see how many people give them up.
April 27th, 2005 at 2:42 am
To the numbskulls who fell for this and are whining about it:
You should get down on your hands and knees and kiss Tom’s hairy behind to thank him for teaching you in such a harmless manner exactly how stupid you have been.
But that’s a bit of a catch 22 problem - you’re really too stupid to realise how stupid you are.
April 27th, 2005 at 2:58 am
Me allready told ya, nekst time you will pay with reall money 4 u stupidity, bwahahahahahaaa
- phisher from a country you don’t know where on the map is
April 27th, 2005 at 3:53 am
Thanks for the laugh, this is great!
I especially liked the jokester who says “I’m an attorney filing a class action lawsuit just follow this link and enter your personal info….” That in itself was funny enough, but the guy who thinks it’s a bloodsucking lawyer and gets irate is just hilarious.
You should try focusing your next study on why people just absolutely refuse to learn or even think. I mean, PT Barnum showed us that people loved to be duped many years ago. Why not show us why? Eh well, back to my war in Iraq…
April 27th, 2005 at 3:57 am
Rather than whining about ‘they tricked us’, try to make yourselves more secure. I work at a UK university and it is very easy to get information about who your friends are. Advice here: DO NOT GIVE OUT DETAILS THROUGH EMAIL REQUESTS!!!
April 27th, 2005 at 4:22 am
From a total outsider. (Non US, non student).
It is surprising to read the shocked reactions written on this forum. It is surprising because it boils down to the same old irresponsible student behaviour: “not now, we are not ready, give us more time, warn us… could you please be clever enough to give us the answer to the question you ask us, could you please not do your job”. Think about it: the same old thing happens if you run an unplanned quick exam, always. A set of students will find reasons why not to. It is surprisingly childish.
Proving one can collect private data from publicly available data is interesting. The many naive users who don’t see or don’t want to understand the implications of releasing/exposing private data on the net are the first victims. I don’t consider myself out of the problem. I am pretty wary of the GMail contract for example: all my data will be subject to automatic (so they say) scrutiny in order to send me ads. That is a huge statement. Though, many users don’t see a problem there. (Well personally I don’t have a GMail account.)
Complaints about fake friends’ identity usage in order to lure targets are worrying. This procedure has been used by viruses for years: sending emails with friends’ addresses, even with “stolen” attachments to make it look valid. So this should be very basic knowledge. The reaction proves it is not.
The point about “un-ethical” behaviour does not stand. Here we have got an experiment _not_ causing damage but exhibiting its possibility. It’s not like police performing illegal actions in order to stop illegal actions. Apparently the experiment got the approval of whatever responsible authority. So where is the un-ethical? Sounds more like an epidermic reaction.
All together great opportunity at opening eyes a little more.
April 27th, 2005 at 4:46 am
Idiots! What were the researchers to do?
Send you an email “If you’re a fool, click this link”?
The information used generating the emails was publicly available.
The experiment was overseen by the correct ethical and governing bodies.
No personal details were actually stolen.
How outraged are you all at all the people whose bank details are stolen? Do you go posting and writing college articles giving out about those actual crimes?
No? Too busy whining I guess.
April 27th, 2005 at 5:05 am
total outsider,
The techniques are well known. They are unethical and normally used by criminals. Even though well known there’s a claim that this project was doing something new by using them. That appears to suggest reason to doubt the academic value of the project.
April 27th, 2005 at 6:39 am
The academic value of the project is that the participants are a bunch of selfish ignorant consumers that want everything on this world to happen only with their permission.
April 27th, 2005 at 7:48 am
Another person from the outside looking in…
Just trying to help the participants of the experiment understand potential recourse and responsibilities when someone either attempts or succeeds in a phishing attempt…
Check out the federal definition of identity theft at:
http://www.consumer.gov/idtheft/federallaws.html
As you can see, just spoofing another user’s name in the email From field is not immediately a crime according to the base federal rules even though the field can be construed as a “means of identification”.
But…
All recipients and those who had their identities spoofed should check their home state AND all local laws concerning identity theft. Even the presence of a simple town ordinance that makes what the “researchers” did a potential felony causes their actions to also become a federal crime and that crime SHOULD be reported to the appropriate federal authorities.
Next…
You should go on the internet and look up the DNS block lists. Try DNSBL, RBL and other variants and go to those sites. Look at the offending email headers and report the originator’s address ( look at the “Received” headers - NOT the “From” field )… and submit the offending address along with a copy of the email. This will assure that any phisher, experimenter or other has less of a chance of sending future emails to you.
Next…
Go and read the regulations at the URL:
http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.htm
If the phishing ( or other ) email purports to be from a site offering a service, item sale or etc. and the From field was forged then the sender has violated the CAN-Spam act ( what did whuffo say it was doing? I never got to see the page ). They should be reported to the appropriate authorities ( links are on the given URL ).
Btw, you should do these things when ever you see a phishing attempt… no matter where it originated. Even if the originator later claims that no harm was meant or done… I mean, if you DID fall for a phishing attempt by someone… are you really going to be so naive as to BELIEVE THEM when they say “we were just joking” ?
The best way to stop spam, phishing and so forth is through knowledgeable community action and cooperation.
Sign me…
A Concerned Citizen
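The header check the post above recommends, walking the Received chain instead of trusting the From field, worked through as an added example (not code from the original thread or the study). Every message, host, address and IP below is a constructed placeholder; only the Received headers written by your own mail servers are trustworthy, since a sender can forge lines beneath them.

```python
"""Compare the domain a message's From field claims with the host that first
handed the message to a mail server, as recorded by the Received headers.
Added example, not part of the original post; all data is constructed."""
import email
import re
from email.utils import parseaddr

# Constructed message: From claims a friend at example.edu, but the oldest
# Received header (the origin hop) shows it entered from an unrelated host.
SPOOFED_MESSAGE = """\
Received: from mail.example.edu (mail.example.edu [192.0.2.10])
\tby mx.example.edu with ESMTP id abc123
\tfor <student@example.edu>; Wed, 27 Apr 2005 07:48:00 -0500
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mail.example.edu with ESMTP id def456; Wed, 27 Apr 2005 07:47:58 -0500
Received: from [203.0.113.42] (unknown [203.0.113.42])
\tby relay.example.net with SMTP id ghi789; Wed, 27 Apr 2005 07:47:55 -0500
From: Friend Name <friend@example.edu>
To: student@example.edu
Subject: check this out

Hey, look at this: http://login.example.edu.attacker-placeholder.example/
"""

# Constructed message that really did originate inside the claimed domain.
LEGIT_MESSAGE = """\
Received: from mail.example.edu (mail.example.edu [192.0.2.10])
\tby mx.example.edu with ESMTP id jkl012; Wed, 27 Apr 2005 09:00:00 -0500
From: Friend Name <friend@example.edu>
To: student@example.edu
Subject: lab notes

See you at the lab.
"""

# "from <helo-name> (<reverse-dns> [<ip>])": the name the sender announced,
# what the receiving server resolved it to, and the connecting IP.
RECEIVED_FROM_RE = re.compile(
    r"^\s*from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?",
    re.IGNORECASE,
)


def parse_received(value):
    """Extract helo name, reverse DNS name and IP from one Received header."""
    m = RECEIVED_FROM_RE.match(value)
    if not m:
        return {"helo": None, "rdns": None, "ip": None}
    return {k: (v.lower() if v else None) for k, v in m.groupdict().items()}


def received_chain(raw):
    """Return the hops oldest-first: each server prepends its Received line,
    so the last header in the message is the origin hop."""
    msg = email.message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def from_domain(raw):
    """Domain part of the address in the From field (what the sender claims)."""
    _, addr = parseaddr(email.message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def assess(raw):
    """Flag a message whose origin hop lies outside the domain From claims."""
    claimed = from_domain(raw)
    hops = received_chain(raw)
    origin = hops[0] if hops else {"helo": None, "rdns": None, "ip": None}

    def in_domain(name):
        return bool(name) and (name == claimed or name.endswith("." + claimed))

    matches = in_domain(origin["rdns"]) or in_domain(origin["helo"])
    return {
        "claimed_domain": claimed,
        "origin_ip": origin["ip"],
        "origin_host": origin["rdns"] or origin["helo"],
        "hops": len(hops),
        "from_domain_matches_origin": matches,
        "verdict": "consistent" if matches
        else "suspect: From domain not seen at the origin hop",
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, assess(raw))
```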
April 27th, 2005 at 8:45 am
This is just like the Nazis using secret experiments on Jewish twins and homosexual gypsies. STOP THE ANTISEMITISM NOW!!! This was done with taxpayer money and those who did it should be fully prosecuted to the extent of all local, state and federal laws!!!
April 27th, 2005 at 9:42 am
+1 insightful, -1 flamebait
Thanks for the study! Now spammers know precisely how to increase their effectiveness rate in their phishing attempts. 3% of customers are affected currently by phishing you say? Well, now with your new and improved technique, maybe a few extra hundred thousand people will fall to phishing scams. Top notch work. I suppose this eventually means phishing will gain greater public awareness and whatnot, but for the mean time, its open season for phishers.
Think of this as analogous to publishing a new security exploit, except there’s no good way to distribute the patch yet. Sure you get kudos for your discovery, but in reality, all you do is make people’s lives miserable until the patch (information) is widely distributed.
April 27th, 2005 at 10:15 am
students-take a home study course in PC security for teens/kids/ordinary mortals
http://www.hackerhighschool.org/
April 27th, 2005 at 10:37 am
I’m not a student. I’ve been watching cons like this for a long time. This project is not unlike a con-man showing up at your front door with fake credentials. Just a few pointers… don’t throw your bank or credit card info. around like it was yesterday’s supermarket flyer… look at the lock icon on the browser, before you type anything… and be thankful this “phish” came from your own school.
April 27th, 2005 at 10:44 am
Love the Nigerian Scam rip-off post…
:-)
But now… HOW do we know this isn’t a REAL scammer… I personally ask the maintainers of this forum to get the IP address of the poster… and report it to the proper authorities…
If you really believe you are ( trying to ) helping people… you would do just that… and with a vengeance…
That is, of course, assuming that the “experimenters” who are so concerned with security are actually tracking the IP addresses and such of people posting on their forum… to handle such blatant attempts at defrauding people…
Sincerely,
A Concerned Citizen
April 27th, 2005 at 10:47 am
I am not responsible for errors in grammar or spelling in my previous post…
Um… it was just an experiment to see how many people would comment…
REALLY… :-/
Sincerely,
A Concerned Citizen
April 27th, 2005 at 11:18 am
This was awesome! Just be grateful you’re more aware now.
And don’t give your information. Come on.
April 27th, 2005 at 11:23 am
funniest thing is, there is not a thing anyone can do to the authors of the study. Shows the intelligence of the pupils at the school. Investigate all you want, nothing is enforceable.
there is no reason for you to enter your username/pass - you already did to get the email, whether automatically or when you access your email client, and began looking at your inbox.
as said in earlier comments - just check the address bar. if it doesn’t have https just close the window.
April 27th, 2005 at 11:49 am
Good on researchers. I reckon it might be useful for people to appreciate the fact that this helps plug the holes that a real phisher might drive a truck through, and instead encourage those involved. It’s a shame embarrassment turns to anger…
April 27th, 2005 at 12:09 pm
I see it is going to be a loooong day! CENSORSHIP SUCKS!
April 27th, 2005 at 12:18 pm
Idiots!
Seriously people, you only have yourselves to blame… what kind of moron still falls for crap like this?
April 27th, 2005 at 12:20 pm
Obviously the kind that goes to indiana.edu such as bchenry@indiana.edu
April 27th, 2005 at 12:25 pm
You should obviously read B Chenry’s posts. His e-mail was spoofed and he didn’t receive an e-mail with the link to click. Dumbasses.
April 27th, 2005 at 12:29 pm
Good ole’ Brandon Henry. I went to school with you in Evansville. How is that Mitte Scholarship doing? Also how is the Mitte Society going? You need to recognize scams a tad better, huh? Sure you do you got fooled!!! You know who this is, sorry I stole your GF from you but it was for the best my friend. You suck you fool!!!
April 27th, 2005 at 12:34 pm
http://www.kelley.indiana.edu/mitte/images/YMCA%20013.jpg
Look a picture of the infamous Brad Henry. Wow what a tool. Someone get to Photoshopping an Owned photo of him!!!
April 27th, 2005 at 12:35 pm
Yeah I know he didn’t click the link, but I still like making fun of him. Mainly because he is a whiney biotch but also because I am bored and don’t want to study.
April 27th, 2005 at 12:35 pm
[img]http://www.kelley.indiana.edu/mitte/images/YMCA%20013.jpg[/img]
April 27th, 2005 at 12:36 pm
Umm you mean Brandon Henry not Brad Henry there Cowboy!
April 27th, 2005 at 12:52 pm
Nope sorry no outbreaks. But I can’t wait to see some good photoshops of you in your perty hat!
April 27th, 2005 at 1:01 pm
if you have the name, please list the students responsible!
i personally traced the phished emails in my account, and they had a uits extension…
UITS denied involvement…
now the news…
IU was behind it all along!
You guys are liars!
If I find out who is responsible, I will take legal action!
unethical pigs!
April 27th, 2005 at 1:02 pm
agreed! LETS SUE!
April 27th, 2005 at 1:08 pm
AFAIK, all the emails were publicly available - and thus no one’s privilege was infringed and there was no trespass.
Just “grouping” the emails in some sort of intelligent manner to make the social networking work is not an infringement either. All *.indiana.edu ?
If you care about your private information - don’t let it become public!
April 27th, 2005 at 1:11 pm
ppl who do not know how the internet works should not use it.
If you get freaked out when tells you that you sent them a phishing scheme - go luddite.
April 27th, 2005 at 2:16 pm
>The /. crowd is the most heartless group of misguided self-righteous pricks
>in the universe. Let them learn their lesson without being insulted into the
>ground and asked to be sterilized, thrown out of school, flogged, etc etc.
>Children.
I am not a /.’er. I go to IU.
Given that, I think the /.’ers are completely in the right to belittle those who think they can peruse the internet without worry.
You need a license to drive a car, why is the computer + internet so different?
If they never take the time to protect themselves, then they can’t complain when they get hurt.
THE INTERNET IS NOT A SAFE PLACE. It is not full of sunshine, lollipops, and rainbows. I’m tired of fixing friends’ computers because they can’t use common sense (spyware, viruses, spam). Is it so hard to see that the website with 100 flashing and pulsating advertisements on the main page alone, may not be the best place for you to download your stupid ringtones from?
It’s time to let the kids touch the stove and get burned. Only then will they learn that it’s serious business.
There is a reason I’m paranoid… it’s because I HAVE to be.
April 27th, 2005 at 2:53 pm
you IU students that are whining you had your identity stolen really ought to figure out these guys did you a favor.
The net is FULL of people that will steal your identity without being as nice.
April 27th, 2005 at 2:53 pm
So it’s ok if I send out emails claiming to be from a bank (if I can find out the names of the patrons) and then walk away and say, well you shouldn’t have told me anything anyway. I mean the bank shouldn’t get mad at me right! Even though I did not ask for their permission, and may have now spoiled their reputation.
April 27th, 2005 at 3:03 pm
My name is Wendy Freeman, and I am not afraid to attach my name to my beliefs on the unethical nature of this study. I believe the experiment was unethical, regardless of the arguments that the results would have been tainted were the subjects notified in advance. It would seem that we would have needed to have at least agreed to some sort of vaguely-worded consent form, authorizing our participation in a possible study.
I received the e-mail from my boyfriend, an undergraduate who does research in the chemistry department. I assumed he wanted to show me something related to the project he was working on. Since he was in class when I received the email, I clicked on it, entering in my username and password at the prompt because I am used to doing that to access Indiana University-related sites such as CFS and certain student organization sites. I just assumed the link was not working when it took me to the error page.
While working for my policy analysis concentration, I took a class on program evaluation. In it, we read about the ethics of social experimentation. Social experiments are inherently different than science experiments because of the ethics of using human subjects. The researchers cannot expect the same sort of control over a social pseudo-experiment as they could have over a laboratory experiment. Should not human subjects be protected from emotional harm as well as physical? When my boyfriend realized the e-mail was not from him, we immediately began worrying about the safety of my personal information. I broke down crying at the prospect of identity theft. Would not this be considered emotional harm?
They say it was publicly-available data they used. We believe it was obtained through thefacebook.com, in which case it would be publicly-available only to students at IU or “friends” of the subjects involved. I do not know if this would have any implications on the validity of their experiments.
I would like to take part in action against this study. While some may call me a “moron” or an “idiot” for believing in the unethical nature of the study, I could merely call them names, too, but how will this be productive? Here’s a bit of advice for one of the name-callers…”losers” is spelled with only one “o.” Honestly, how do you think you can be taken seriously when you merely point fingers at alleged “loosers”? Only through intelligent conversation and research of the issues involved can this be resolved.
I am not an idiot for going to a www.indiana.edu site, for we place trust in our university that our information is safely guarded. What can we learn from a phishing experiment that unfairly used Indiana University sites, e-mails, and passwords to dupe us into falling into a category of alleged “idiots”?
If the University cannot be trusted with our information, who can be? If we cannot trust the University with our information, then how do we manage bursar bills, Union Plus accounts, and even graduate school applications? Everything is moving to the Internet, and we would not be able to survive in the university environment if we were to refuse to give our information to anyone. That is why there are safeguards to protect us, so we can place our trust in institutions in hopes they will not betray that trust. The University has failed to uphold its end of the bargain, and has violated that trust. It is only natural for those subjects harmed in this act to feel offended.
April 27th, 2005 at 3:13 pm
You think people should have to be licensed to operate computers? You think these people were ‘perusing the internet without worry’? It was an effective deception and a trick, that they fell for. The test was well-timed and leveraged information about the academic time of the year. It’s not just that they were ignorant and deserve to be slammed into the ground or publicly belittled and have their photos altered and pasted all over the internet because of an effective test like this. Next time you make a mistake, I hope you get insulted endlessly and your photo photoshopped and pasted all over the internet as idiots frothing at the mouth to boost their own self-esteem laugh at your expense like rabid spider monkeys.
All that needs to be said is that they should take it as a lesson and be more careful. It’s not necessary to go on and on with the immature belittling and bashing.
April 27th, 2005 at 3:19 pm
“It scares the hell out of me to think that you collegiate numbnuts are this country’s future. I think your folks should have done us all a favor thirty years ago and gotten sterilized.”
If this is a student’s best suggestion for creating a more-educated public, I am certainly worried what the future could look like. Whereas this scenario is not likely to actually occur, perhaps more frightening is how many people cannot make an intelligent argument and/or cannot spell words such as “flourish” and “realize.” Now I am fearful for the future.
April 27th, 2005 at 3:25 pm
Anyone that threatens legal action should take themselves to court for being retarded!! There are so many ways that you can get tricked out there, and if you feel violated, then you’re a little bitch. Anyone could have done this, and from the way the experiment (because after all, no one’s information was used illegally) was run, it was extremely ethical. These researchers could have just as easily used social engineering to attack their own IT department (and might even be doing so?!) I’m glad someone is showing people out there how stupid they are. If you feel violated because your address was used to trick someone else, then be happy that it’s not already being used! It wouldn’t be public domain if you weren’t giving it away signing up for crap on websites! If it was obtained through the university site, then you shouldn’t have given consent for it to be displayed there. This is the same type of study that I have to do for school, and if I had to tell a whole group of little bitches that their address was going to be used, then what’s the friggin’ point??
April 27th, 2005 at 3:31 pm
Being upset that their information was used is a normal reaction and doesn’t require that you insult them like that. The site they went to and entered their info on was university-hosted and the emails were set up in a way that was persuasive. You very well might have fallen for it as well, child.
April 27th, 2005 at 3:38 pm
If you touch a hot stove, you might burn your hand.
If you don’t look both ways when you cross the street, you might get run over.
If you don’t lock your house when you leave in the morning, your stuff might get stolen.
If you wait too long to stop at a traffic light, you might rear-end somebody.
…Some kinds of common sense are taught to us. Others- we must learn ourselves by applying previous knowledge to new situations. Every day, people who fail at common sense must live with the consequences, like accidentally burning their own house down.
If you post your personal information in a public place, other people might read it and use it for themselves. Congratulations on failing at adulthood!
-a fellow college student
April 27th, 2005 at 3:44 pm
Check out the website that Brandon made to “showcase [his] talent of computer programming, graphic design, and investment/portfolio management.” Ha!
April 27th, 2005 at 3:45 pm
http://mypage.iu.edu/~bchenry/
April 27th, 2005 at 3:45 pm
…Some kinds of common sense are taught to us. Others– we must learn ourselves by applying previous knowledge to new situations.
And you’re usually ok with following links to your own university’s sites and entering information, you’re used to it. These people received an email appearing to come from friends and had a link to a site at their university. The emails were sent at a time when people would be stressed to begin with, and were made such that the least suspicion would be raised.
Falling for this experiment is not failing at adulthood. While they shouldn’t be so determined to sue/etc/etc, they should realize it’s a dangerous lesson, but they don’t need to be lambasted like this. You might have fallen for it too, it was a tricky experiment and shows the dangers, but you very well might fall for it too.
April 27th, 2005 at 3:46 pm
Check out the website that Brandon made to “showcase [his] talent of computer programming, graphic design, and investment/portfolio management.” Ha!
Go back to bed, 5-year-old.
April 27th, 2005 at 3:48 pm
“you very well might fall for it too.”
Yes, I might.
And then I would have to live with the consequences.
April 27th, 2005 at 3:50 pm
And then I would have to live with the consequences.
Exactly. I wasn’t saying the people who were tricked shouldn’t accept it. I say that strongly. But they don’t need to have their photos passed around and mocked and insulted and threatened because they were tricked. It was a good experiment, you are in no position to say they ‘failed at adulthood’ or anything like that.
April 27th, 2005 at 3:54 pm
Be afraid, be very afraid
Social Engineering Introduction
Purpose
To Introduce the Concept of Social Engineering
To Stress the Importance of Information Security in Any Environment
To Stress the Importance of Developing a Security Policy
To Demonstrate How Proper Security Practices Can Prevent Future Liabilities and Losses
Scope
Social Engineering Terms
Specific Examples of Social Engineering
Methods of Social Engineering
Possible Effects of a Social Engineering Attack
Steps for JHM to Prevent or Reduce Effects of a Social Engineering Attack
Restrictions on Research and Methods
All books cited were found at the University of South Carolina. Web site forms of periodicals contained the most up to date information, so are used frequently. Some information was only available on the Web, such as a guide to social engineering (for social engineers) which would not be published in such a format. The only restriction on research was the attempt to limit the amount of information included in this report.
Definition of Social Engineering Terms
“It is often said that the only secure computer is an unplugged one. The fact that you could persuade someone to plug it in and switch it on means that even powered down computers are vulnerable.” – Harl
Social Engineering
Term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system’s security. Classic scams include phoning up a mark who has the required information and posing as a field service tech or a fellow employee with an urgent access problem.
More generally, a type of attack on information that requires a user of a computer system to perform an act to allow another to gain access to the system.
Cracker
A social engineer who ‘cracks’ (gains unauthorized access to) computers, typically to do malicious acts; ‘crackers are often mistakenly called hackers, who just aren’t malicious in their attacks, and can act as samurai.’
Samurai
A cracker who hires out for legal cracking jobs, snooping for factions in corporate political fights, lawyers pursuing privacy-rights and First Amendment cases, and other parties with legitimate reasons to need an electronic locksmith.
Wetware
Human beings who are users or operators of a computer system as opposed to the system’s hardware or software.
Mark
The person that a cracker or samurai is attempting to impersonate or gain information from in a social engineering attack. This is the person who is researched for an attack.
Dumpster Diving
Digging through the trash of a company to find important documents to aid in a social engineering attack.
Adware
These programs are installed either by clicking on a link on a webpage that links to the installer program; by a “drive-by download”, which installs a program through a browser security hole; or finally, by being bundled with other software, and explicitly listed in the End User License Agreement (EULA). These programs cause popups and attempt to sell items.
Spyware
These programs are installed in a similar manner to adware, and can track what sites you go to on the internet, as well as your keystrokes.
Malware
Is short for malicious software, and can be defined as any software program that interrupts your normal computer usage.
Phishing
This is the practice of sending out an email to the user of a system, usually a financial system, and requesting personal information, such as the user name and password or account and routing numbers.
Pharming
Involves redirection of a website using a poisoned DNS server (the server that converts URLs, like www.citibank.com, into IP addresses, like 68.142.226.46). A poisoned DNS server has the wrong IP address stored for a given URL, which redirects the surfer.
IRC or IM
Internet Relay Chat or Instant Messenger: programs that allow an instant conversation over the internet.
Operating System Message Service
The part of an operating system established for a network administrator to send a message to every computer on the network.
Cookies
Files that store user information about a particular site on a surfer’s computer, usually including preferences, but sometimes also usernames and passwords.
Script Exploits
Take advantage of a legitimate website’s flaw that allows an extra control (a username or password box) to be placed on the real website but sends data to a third party.
Popups
Windows that popup using flaws in a browser in an attempt to sell items or just to persuade someone to click to install malware, spyware or adware.
VoIP Caller ID Spoofing
Takes advantage of a feature on VoIP (Internet Telephony) phones which allows the customer to create the name that appears on the caller id box of the person they are calling.
Identity Theft
Stealing a person’s financial information, especially credit cards and Social Security number with the intention of using that data to commit fraud or create a phony persona.
ChoicePoint and LexisNexis Examples
What Data Brokers Do
Data brokers collect every type of identifiable and financially sensitive information about everyone living in the United States of America using data aggregators that search through multiple databases in parallel. The data includes the Social Security number, full name, address and telephone information, driver’s license number and furthermore can include the type of car a person drives and personal identification including eye color and hair color. This information is stored in large databases, and sold to whoever requests it. This is helpful to many people because it allows for a credit check to go through in minutes, and also allows law enforcement to hunt down an individual more easily. On the down side, it is a central vault of information that anyone looking to make money from identity theft would desire to break into.
How Social Engineering Worked
Crime rings, posing as legitimate businesses, created accounts with ChoicePoint over the phone, just as any other customer of a data broker would. They requested the information through the legitimate channels that ChoicePoint conducts their business, essentially giving the criminals everything necessary for identity theft. With LexisNexis, social engineers stole passwords from current system users and then used that information to gain access through normal channels to the victim’s information.
Worst Breaches of Financial Information Through Social Engineering
The idea behind this type of identity theft is that “No one’s going to rob a bank for a million dollars… when they can rob a million people for a dollar.” Stealing this type of information not only allows criminals to apply for new credit cards or loans in another’s name, but also to gain access to current bank accounts by having the needed information that a bank would require to disclose financially sensitive data to a member. 145,000 individuals were victimized through ChoicePoint, and 320,000 individuals through LexisNexis. Social Security numbers don’t change, so this information could be used at any point in these individuals’ lives to take over their credit.
Conclusions to be Drawn
Ethics
There have been many questions about the business ethics involved when an individual’s information is lost. ChoicePoint admits to having lost information previously without informing anyone and also that they waited for more than six months after they knew of the breach to inform the affected individuals. LexisNexis initially admitted to losing 32,000 customer records. A month after that initial report, it was disclosed that the victims of LexisNexis counted nearly ten times that at 320,000! These businesses are afraid to look bad when admitting that something went wrong and seemingly will lie in the LexisNexis case, or just be quiet in the ChoicePoint case. Another question is what information should be sold to whom? These data brokers have amassed a wealth of information on everyone in this country, and don’t seem too intent on keeping it protected. Granted, they have gone through large growth phases and their emphasis has been on keeping their systems from being accessed electronically. On the other hand they can’t just reveal this type of information to anyone and expect it to always be faithfully used. ChoicePoint as well as all companies that maintain personal information need to develop guidelines for ensuring that any company that requests their data will faithfully secure it in at least a standard as high as their own, which itself should be extremely stringent. Currently, both companies have stopped selling information except in the cases of a financial transaction or a law enforcement request.
Legislation
These break-ins led to identity theft which costs American individuals and businesses $50 billion yearly according to the Federal Government. The only avenue a business or individual has to fight their identity theft is to place a fraud alert on their credit report. Currently, this lasts for 90 days, and if it can be proven that there has been a usage of that identity, then it can be extended for 7 years. The downside to this system is that if the identity isn’t used within the 90 days of the first credit alert, it is nearly impossible to extend, informing the criminals exactly how long they need to hold this information before using it. California Senator Dianne Feinstein is working on a new bill to close this loophole, and also require the data brokers to inform any individuals if their data is lost or stolen. Another bill aims to stop the sale of Social Security numbers without the individual’s consent. The Sarbanes-Oxley Act could be a method for pursuing legal action against these data brokers, but when the section concerning internal controls and oversight was completed, it only considered financial filing accuracy, not necessarily information access control. Without a broader interpretation, this makes Sarbanes-Oxley only applicable to companies that actually handle the movement of individuals’ money. The same situation exists for the Gramm-Leach-Bliley Act of 1999, which requires financial sector boards to monitor information security. This law has been used to take financial companies to trial, but it remains unclear if data brokering companies fall under its reach. Although the intent of lawmakers seems noble, with ChoicePoint alone paying nearly $300,000 a year in lobbying Congress, it is almost certain that any new laws will be watered down and keep up the murky liability status of large companies that broker data.
Law Enforcement
The central issue with law enforcement is that they are not sufficient in number nor are they adequately trained. Howard Schmidt, the previous White House internet security adviser, admits that there is not enough well-trained law enforcement to be effective at stopping these types of crimes. The best he can advise is for individuals to take responsibility for their own computers by running anti-virus, anti-spyware, anti-spam, and firewall software to reduce the likelihood of attacks, but this does little to prevent people from being financially harmed by the neglect of another entity.
Outsourcing
Placing these records in another country does little to ensure they won’t be stolen. Currently accounting, bookkeeping, tax preparation, auditing and payroll services and a myriad of financial related jobs are being outsourced to other countries, along with the necessary information to do these jobs. The problem that occurs in this situation is that U.S. laws governing U.S. companies are thrown out the window. On top of that, there is no agreed upon international standard for information security and privacy. This means that a contracted company outside of the U.S. that has U.S. citizens’ information can essentially do whatever they desire with that information, within the confines of their contract to the in-country U.S. company, or if they can cover their tracks well enough, they can just completely ignore the requirements of their contracts.
Other Examples
Bank of America lost tape backups that contained 1.2 million customers’ credit card records. The University of California and other schools have allowed thousands of student and teacher records to be accessed electronically. This goes to show that social engineering is the easiest way to gain access to sensitive information.
Methods of Social Engineering
Classic Social Engineering – The Personal Touch
General Pattern
Social engineering often is a request to take an action that results in the recording of sensitive information (like usernames and passwords). Rich Mogull, a Gartner analyst, states that “people are, by nature, unpredictable and susceptible to persuasion and manipulation.” It’s important to look at this from a cracker’s point of view to understand how these attacks work. A social engineering attack generally follows this pattern:
1. Information Gathering – this is the preparation work for an attack. A mark has to be found, with the necessary information to pass off as the mark, or to convince a mark to give up information. This often is at least a name, social security number, and knowledge that this person has access to the system that the cracker wants to get to. A cracker won’t make any attempts without adequate information on the mark.
2. Development of Relationship – all computers and their systems rely on a person at some point to power the machine, and keep it operational. Anyone with admittance to any part of the system, physically or electronically is a risk. By developing a relationship with one of these people, there are many types of information requests that a cracker can make of them.
3. Exploitation of Relationship – the key to crackers exploiting the relationship is to give the mark the feeling of control, making them feel as if they need to help. Playing on people’s desire to assist and feel in control allows social engineering to work.
4. Execution to Achieve the Objective – now that the cracker has the username and password, they are in, and the social engineering part of the attack is completed. This is when the cracker can get to the information they are seeking.
Channels
With each channel of attack, the previous pattern always comes into play. There is some form of information gathered to appear to be a legitimate user of a system, or to convince a legitimate user or operator to give up information. A relationship is formed either over the phone, through the mail, or in person, that results in some type of exploitation. From there, the system is cracked, and the cracker can gain the necessary information.
1. Telephone – in addition to the phone, the wetware is the most important part of phone based social engineering. Things to bear in mind are that a cracker will attempt to have a clean phone line without call waiting and some office noise in the background: all to appear legitimate. A voice changer is sometimes used by a male cracker, because often computer operators are male and respond well to women over the phone. It helps the cracker to know how that person talks, so a direct call to the mark posing as a telemarketer usually is what gives them an opportunity to hear the mark’s voice and speaking style to make it easier to mimic. Once the cracker has the needed information on the mark, all they have to do is call technical support, and if all goes to their plan, the cracker can get whatever further information he wants.
2. (Snail) Mail – this attack requires a broader approach and doesn’t have the success rate of the phone based attack. A larger mailing generally works well in case there are people who lie, don’t reply, or do not give the desired information. The idea is to trick people into thinking that they need to divulge the information in order to win a prize. The key for this attack to work is that the mailing cards look very attractive, and therefore are perceived as being legitimate and accurate. The cracker wants the person to establish a username and password on this mailing so that they can later access a website. The goal is that this username and password is the same as one that they already have, and if so, then the cracker can go back into their system and gain access using the victim’s username and password.
3. Live – this attack requires the quickest wits, and the most intelligence. Whenever going onto a site to get information, it is important that the cracker fits in with the rest of the people there. If the employees dress in suits and ties, then the cracker will be sure to do so as well. He will be clean shaven and have his hair done nicely so as not to stand out, and most of all, be calm and confident. Some form of identification is needed even if it doesn’t match the site’s form, so the cracker can always pose as some sort of outside technical support, contractor, or visitor. While there, the cracker will dig around in desk drawers and isolated trash cans to assist with gathering information on a mark. Payroll sheets and employee lists work great. From here, a direct request for information can be made to an employee, by posing as one of the previously mentioned positions, or the information gathered can be used later in a phone or mail based attack.
Examples
Outside of a theatre in London’s theatre district, a person offered a chance to win tickets to an upcoming show. The questions to answer for these tickets included the name, birth date (an age was required), mother’s maiden name, address, phone number, pet’s name, all to ensure that if the person won the tickets that they would get to the right address, and if there was any issue, they could verify identity with the mother’s maiden name and call the phone number if needed. Of course useless information like the mark’s favorite play, favorite theatre and general questions pertaining to the setting were included, with the personal information spread throughout. One mark said, “I work for a bank and this information could be used to open a bank account.” From there, she continued to fill out the survey! The respondents gave the following percentages of their information:
Names 100%
Pet’s Names 94% - commonly used as a password
Address 98%
First School 96% - this and mother’s maiden name are key questions banks ask
Birth Date 92%
Phone Number 92%
This goes to show that through social engineering, sometimes the easiest way to gain information is a direct live request.
Internet Social Engineering
Although these attacks are not the classic personal social engineering attacks, Internet Social Engineering attack methods rely on the same principles of the Classic Social Engineering to gain access to the system. The Internet Social Engineering attack relies on a person within the system to act in a certain way to allow access for the cracker. In most cases, these attacks cause a loss of system resources to a host program and a loss of productivity due to computer slow down and repair time, not to mention actual monetary losses.
Adware
These are in most cases harmless pertaining to identity theft, but these programs also distract employees, leading to reduced productivity.
Spyware
Spyware gives a cracker access to your credit card numbers, usernames and passwords, and general intellectual properties, usually by monitoring key strokes. Spyware can also attack a spyware scanning program and attempt to disable it, as well as send out information when the user is not using a browser but is attached to a network. Spyware linked damages alone cost U.S. consumers $200 million last year.
Malware
These can include trojan horses, which create a back-door to a computer, giving a cracker access to it; viruses, which can take down a computer system and cause the computer to act strangely; worms, which spread by performing port scans and independently sending themselves out through the host system’s email software; page hijackers, which can change the homepage and cause a browser to redirect to the page that the hijacker program wants to open; and finally, dialers, which cause the computer to dial up to a certain charge telephone number, giving the creator money for the call to their “900” number. In addition to the losses listed above, this also can cost the end user on their telephone bill.
Message Client/OS Message Service Attacks
These attacks are often just ways to manipulate people into clicking on a link by posing as a system administrator requiring a software update. Once clicked, one of the programs listed above is installed and will perform its attack.
Phishing
One of the most common types of social engineering occurring today is “Phishing.” These attacks attempt to persuade the victim that they need to go to their financial institution’s web site to correct some information, and may ask for the username, password, or account number. People will give out their personal information when requested by replying to these mass e-mailings, or by clicking on the link and filling out this information on a page that looks just like the real company’s page. The attacker can then easily login to that system and then legitimately transfer funds to any bank account, or use the victim’s credit card. This type of fraud cost U.S. consumers $500 million last year.
Pharming
Pharming takes advantage of a feature that allows DNS servers to share information to require less maintenance per server. If a website is searched for, and it isn’t found on the DNS server itself, it will check with another DNS server, and once found, save the data so that it will no longer have to look. If a DNS server is converting URLs into the wrong IP addresses, this can divert a surfer from a legitimate site without installing any software on their computer! Just by typing in the URL, the surfer will end up at a site that looks just like their bank, and have a login space. Once the user “logs in,” the username and password are given to the “Pharmer” hosting the fake site, and they can now get into the victim’s bank or credit card account.
Cookies, Scripts, and Popups
Since cookies save data on the computer, that data could be accessed by a different website (without spyware) to gain information on a user’s login username or password, or some other desirable information. Script vulnerabilities can cause the legitimate site to have an added control that takes in information. If the user enters information into that control, it is then sent to the third party that placed the control onto the page through the script vulnerability. Popups were the original way to convince someone to “click here.” They are still a primary mode of attack, and if someone clicks there, they can expect that something malicious may happen.
VoIP Caller ID Spoofing
This attack takes advantage of part of the VoIP system that allows a user to choose to be in any area code and to change the way their name shows up on a caller id unit. A cracker can call someone up, tell them that they are from the bank that appears on the victim’s caller id, and then ask them for their bank information to verify their systems. Once they have this information, identity theft is a simple task.
Potential Effects of Social Engineering
Computer Failures
Computer failures are inevitably annoying and result in down time. This means that there is an increased cost in support, because someone has to correct the problem, and also there is lost productivity from the user that should be using that computer. If the computer that fails is a server, then there may be information that is not currently accessible, which would result in a greater productivity loss.
Sensitive/Proprietary Information Loss
Many technical companies as well as research companies gain a lead on their competition through the knowledge that they have developed. If this knowledge is accessed by a competing company, or individual that shares it with all interested parties, then that edge has been lost, and the time and money invested that gained those results were a waste.
Liability to Customers for Information Loss
It’s better to be safe than sorry. Currently the laws pertaining to privacy are lax and allow all but financial and health sector companies to be as careless as they like in the name of a “free market.” It is against the law for an individual to commit fraud, identity theft, and to use a stolen Social Security number, but the best prevention is to keep this information out of an attacker’s hands. European countries have extensive privacy laws which are designed to keep data from being given out as in the ChoicePoint and LexisNexis examples. If America ever does implement these types of laws, it remains unclear if they will be retroactive and may apply to any business (specifically those outside of the financial and health sectors, which already have some minimal legislative requirements). For these reasons it is important to start safeguarding individuals’ information now rather than to wait for it to be a problem in the future and be held liable.
Steps to Prevent or Reduce Effects of Social Engineering Attacks
Develop a Security Policy
It is important to expect that an attack will occur, and to implement the following safeguards for your systems to ensure that they are not compromised.
Architecture
Firewalls should be used to prevent unauthorized access to parts of a system. Anti-virus and anti-spyware software needs to be run regularly to ensure that no unauthorized programs are attempting to access data. Intrusion detection devices should be used proactively to monitor for attempts to access the system so that there is an alert for a future attack. Patches for software need to be applied as soon as they are tested and proven not to interfere with daily business functions. Access control through the system needs to be limited on a group basis, so that different parts of the company cannot access information they should not have access to. Encryption needs to be used on all sensitive data stored within the system, as well as on transmissions to other entities. Data needs to be backed up in the event of an attack that succeeds and takes down the system.
User Rules
Employees should be required to agree to a strict user policy that should include the following:
Physical Security – employees should lock all rooms and file cabinets that contain sensitive data when not in use. Documents that are no longer needed should be destroyed with a paper shredder, and backups that are no longer needed should be completely erased with no chance to recover data from the device. Before discarding any data device, all information should be completely erased from the device with no opportunity for recovery. All computers should be kept locked when away and any lost or stolen devices should be reported immediately.
Electronic Security – employees should have password protected screen savers, at least eight character passwords that contain letters and numbers, and should not have these passwords in writing. Employees should not install software on a machine without consent from the IT department. E-mail from unknown senders and their possible attachments should not be opened. Information should not be shared with a third party unless they agree to a security plan similar to your company’s plan. Any sensitive information sent through e-mail should be encrypted. Information should not be released without expressed consent, and should only be released in a manner prescribed by management.
Managerial Rules
Management has a responsibility to hire employees that will follow these policies and to police these policies. Further policies concerning which hardware and software to purchase, the amount of employee training and the quality of the IT professionals will not necessarily ensure that the security is perfect, but will demonstrate that all attempts have been made to prevent an attack on their information. Without management maintaining these standards, information can become insecure and vital trade secrets or customer information could be lost, which would make the company appear incompetent.
Outline Your Security Plan for the IT Specialists, but Always Involve All Employees
The IT department will always do their best to secure the systems, but it takes every employee being vigilant and working with the IT department to prevent a social engineering attack. If the users of a system feel as if they are working with the administration to safeguard information, then they will be more likely to follow the rules given to them, as well as to inform the IT department if something strange is occurring with their computer.
Test Your Systems Regularly with Experienced Social Engineers (Samurai)
A chain is only as strong as its weakest link, and social engineering goes after the wetware of a system. Without testing the wetware in a system, those weak links will never be revealed. Always test regularly, and if a weak link is found, remove it.
Conclusion
In many cases, the social engineering part of an attack is only the “request”: the request to click a button, respond to an email, or to answer a question. Once this information is obtained, the system is compromised. There is no way to ensure that a social engineering attack never occurs. The best that can be done is to inform all employees of social engineering during training, and to give them the knowledge to determine if they are trying to be used in such an attack.
Bibliography
Definitions of Terms:
All definitions came from dictionary.com and spywareguide.com.
http://www.dictionary.com (2005). Accessed April 15, 2005.
http://www.spywareguide.com (2005). Accessed April 15, 2005.
ChoicePoint and LexisNexis Examples:
Block, S. (2005, April 12 2005). Place fraud alert on credit reports fight ID theft. Retrieved April 16, 2005, from http://www.azcentral.com/business/articles/0412ID-Theft-Alert-ON.html.
Hines, M. (2005, April 11 2005). Tougher data-leak law proposed. Retrieved April 16, 2005 from http://news.com.com/Tougher+data-leak+law+proposed/2100-7348_3-5663318.html.
Kostrzewa, J. (2005, April 12 2005). ID Theft May Grow as Jobs Go Overseas. Retrieved April 16, 2005 from http://www.crmbuyer.com/story/ID-Theft-May-Grow-as-Jobs-Go-Overseas-41739.html.
Llett, D. (2005, April 6 2005). Schmidt: More cops needed for high-tech beats. Retrieved April 16, 2005 from http://news.com.com/Schimdt+More+cops+needed+for+high+tech+beat/2100-7349_3-5657381.html?part=rss&tag=5657381&subj=news
Proctor, P. (2004, February 19, 2004). The Security Implications of Sarbanes-Oxley. Retrieved April 19, 2005 from http://enterprisesecurity.symantec.com/Content/webcastinfo.cfm?webcastid=84.
Press Release. (2004, February 17, 2004). Information Security and Sarbanes-Oxley. Retrieved April 19, 2005 from http://enterprisesecurity.symantec.com/article.cfm?articleid=3331.
Press Release (2004, November 16, 2004). FTC Enforces Gramm-Leach-Bliley Act’s Safeguards Rule Against Mortgage Companies. Retrieved April 19, 2005 from http://www.ftc.gov/opa/2004/11/ns.htm.
Rigby, B. and Kolker, T. (2005, April 12, 2005). LexisNexis Uncovers More Consumer Data Breaches. Retrieved April 16, 2005 from http://www.reuters.com/audi/newsArticle.jhtml?type=technologyNews&storyID=8157471.
Swatz, J. (2005, April 11 2005). Rules aimed at digital misdeeds lack bite. Retrieved April 16, 2005 from http://www.usatoday.com/tech/news/techpolicy/2005-04-11-net-law-cover_x.htm.
Volonino, L. & Robinson, S. “Principles and Practices of Information Security: Protecting Computers from Hackers and Lawyers”. Pearson Education: New Jersey, 2004.
Specifics of Social Engineering and Potential Effects of Social Engineering:
Bernz. (1996). The Complete Social Engineering FAQ! Retrieved March 16, 2005 from http://morehouse.org/hin/blckcrwl/hack/soceng.txt.
Girard, J. (2004, July 9 2004). A Field Guide to Spyware Variations. Retrieved March 16, 2005 from http://www3.gartner.com.
Harl. (1997, May 7, 1997). The Psychology of Social Engineering. Retrieved March 16, 2005 from http://cybercrimes.net/Property/Hacking/Social%20Engineering/PsychSocEng/PsySocEng.html.
Hines, M. (2005, March 4, 2005). A phishing wolf in sheep’s clothing. Retrieved March 16, 2005 from http://news.com.com/A+phishing+wolf+in+sheeps+clothing/2100-7349_3-5616419.html?tag=nefd.top.
Roberts, P. (2005, April 1, 2005). Surfers may be unknowingly redirected to malicious Web pages. Retrieved on April 14, 2005 from http://www.pcworld.com/resource/printable/article/0,aid,120268,00.asp.
Saita, A. (2005, March 24, 2005). Security no match for theater lovers. Retrieved on April 18, 2005 from http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1071265,00.html.
Social Engineering: The Overview. Retrieved April 14, 2005 from http://www.antionline.com/showthread.php?s=&threadid=231674%20.
Sullivan, A. (2005, March 21, 2005). Scam Artists Dial for Dollars on Internet Phones. Retrieved April 16, 2005 from http://story.news.yahoo.com/news?tmpl=story&u=/nm/20050322/wr_nm/columns_pluggedin_dc.
Potential Effects of Social Engineering
Information is compiled from all sources for this section.
Steps for JHM to Prevent or Reduce Effects of Social Engineering Attacks:
Freeman, D. “Information Security for In-House Council: Reducing the Risk of Liability from Hacks, Attacks, and Other Threats to Information”. National Legal Center for the Public Interest, 2002.
McDowell, M. (2004). Avoiding Social Engineering and Phishing Attacks. Retrieved March 16, 2005 from http://www.us-cert.gov/cas/tips/ST04-014.html.
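The essay above describes phishing mail that sends the reader to a page "that looks just like the real company's page", and its glossary shows a bare IP address standing in for a hostname. As an added illustration from the defender's side (not part of the original post), the following Python script pulls every link out of an HTML message body and flags the patterns a mail filter or a trained user would look for; the trusted-domain list, the 192.0.2.10 address and the sample message are constructed for this example.

```python
"""Heuristic link checks for a suspected phishing e-mail body.

Flags raised per link:
  * the href host is a bare IP literal
  * a trusted brand name appears in the URL, but the registered
    domain is something else (www.citibank.com.example.test)
  * the visible anchor text shows a different host than the href
All names, addresses and the sample message are constructed.
"""
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation actually deals with.
TRUSTED_DOMAINS = {"citibank.com", "ebay.com"}

# Matches something that looks like a hostname inside anchor text.
_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def registered_domain(host):
    """'www.citibank.com' -> 'citibank.com'.  Last two labels only, which is
    fine for .com-style names; a production filter would use the Public Suffix List."""
    host = host.lower().rstrip(".")
    if is_ip_literal(host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(href, text):
    """Return the list of reasons a link looks like phishing; empty means clean."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return reasons  # relative or mailto: link, nothing to compare
    reg = registered_domain(host)
    if is_ip_literal(host):
        reasons.append("ip-literal host")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in href.lower() and reg != trusted:
            reasons.append(f"'{brand}' in URL but registered domain is {reg}")
    shown = _HOST_RE.search(text)
    if shown and registered_domain(shown.group(1)) != reg:
        reasons.append(f"text shows {registered_domain(shown.group(1))}, href goes to {reg}")
    return reasons


def scan_message(html_body):
    """Return [(href, reasons), ...] for every link in the message."""
    collector = _LinkCollector()
    collector.feed(html_body)
    return [(href, check_link(href, text)) for href, text in collector.links]


# Constructed sample message in the style the essay describes.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, please verify your account at
<a href="http://www.citibank.com.example.test/verify">www.citibank.com</a>.</p>
<p>Or use the direct link <a href="http://192.0.2.10/login">https://www.citibank.com/login</a>.</p>
<p>Questions? <a href="https://www.citibank.com/contact">Contact us</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for href, reasons in scan_message(SAMPLE_EMAIL):
        print(("SUSPECT " if reasons else "ok      ") + href)
        for reason in reasons:
            print("    -", reason)
```

The first two links in the sample are flagged (brand name under a foreign registered domain, then an IP-literal host whose anchor text claims to be the bank), while the genuine contact link passes.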
April 27th, 2005 at 4:03 pm
It is not the students’ right to use anyone’s email (when they are not given the opportunity to agree to it) to show how people can be fooled. You should always be very careful when on the internet. Of course I, or almost most anybody that sets their mind to it, could fool somebody into giving us confidential information. If after doing that I say ‘well I just wanted to see if you would’ because I am a student doing a study, that does not make it ethical. What I can gather from the previous posts is that the Banks and paypal are asking for it (phishing) because they give out their website addresses.