Phishing Attacks Using Social Networks

Human Subject Study #05-9893, #05-9892


http://www.indiana.edu/~phishing

Phishing is the fraudulent acquisition, through deception, of sensitive personal information such as passwords, by masquerading as someone trustworthy.

Data gathered from the Internet was analyzed and used to create a contextual attack based on deception. We spoofed an email so that it appeared to be a communication between two friends, Alice and Bob. The presumption is that an email from a friend would typically hold more credibility than one from an unknown person or entity. The spoofed emails were not actually sent from the subjects' personal email accounts.

An example of one experiment performed is as follows:

From: Alice
To: Bob
Subject: This is Cool!
Hey, check this out!
https://www.indiana.edu/%7e%70hi%73%68%69n%67/?n=XXX&rdr=%68%74%74%70%73%3a%2f%2f%77%77%77%2e%77%68%75%66%66%6f%2e%63%6f%6d%2f%3f%6e%3dXXX/
Alice

This study also did not include the collection of any sensitive personal information. An authenticator was used to validate the username and password (credentials) provided by the subject. This validation is an assurance that the means of deception (phishing attack) was successful. By using an authenticator, there is no human review or storage of passwords. Used unethically, a similar-looking approach could harvest passwords.

A social network is a map of the relationships between individuals, indicating the ways in which they are connected through various social familiarities.

A spoof attack refers to a situation in which one person or program is able to masquerade successfully as another. The email messages sent to the subjects were from spoofed origins.

Ways to Help Better Protect Yourself

www.whuffo.com

The website used in the experiment to "phish" was www.whuffo.com[*], a purported third-party website. It was used to validate Indiana University Network ID and password credentials. A simulated redirect vulnerability from https://www.indiana.edu/%7e%70hi%73%68%69n%67/ was used to send users to https://www.whuffo.com. All communications were encrypted using SSL (Secure Sockets Layer).
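As an added example (not code from the study), the Python below shows how a mail filter or a careful recipient could examine the link from the sample email: it decodes the percent-escapes and reports any query parameter that points to a host other than the one shown in the link. The function names and the result layout are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Link from the sample email above; XXX is the page's own placeholder.
SAMPLE_LINK = (
    "https://www.indiana.edu/%7e%70hi%73%68%69n%67/?n=XXX&rdr="
    "%68%74%74%70%73%3a%2f%2f%77%77%77%2e%77%68%75%66%66%6f%2e%63%6f%6d"
    "%2f%3f%6e%3dXXX/"
)

# RFC 3986 "unreserved" characters never need percent-encoding.
UNRESERVED = re.compile(r"[A-Za-z0-9._~-]")
ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def count_needless_escapes(raw):
    """Count %XX escapes that stand for unreserved characters."""
    return sum(
        1 for h in ESCAPE.findall(raw) if UNRESERVED.fullmatch(chr(int(h, 16)))
    )


def inspect_link(url):
    """Decode a link and list query parameters that point to another host."""
    parts = urlsplit(url)
    visible_host = (parts.hostname or "").lower()
    offsite = []
    # parse_qsl percent-decodes each value for us.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        target = urlsplit(value)
        # Absolute (https://host/...) and scheme-relative (//host/...) values.
        if target.scheme in ("", "http", "https") and target.hostname:
            host = target.hostname.lower()
            if host != visible_host:
                offsite.append((name, host))
    return {
        "visible_host": visible_host,
        "decoded_path": unquote(parts.path),
        "needless_escapes": count_needless_escapes(url),
        "offsite_targets": offsite,
    }


if __name__ == "__main__":
    for key, val in inspect_link(SAMPLE_LINK).items():
        print(f"{key}: {val}")
```

A high count of needless escapes together with an off-site target is the pattern worth flagging: ordinary links have no reason to encode plain letters.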

Talk About this Study or Phishing in General

If you would like to talk about this study, there is an anonymous blog that can be used for this type of discussion.

Contact Information

If you have any questions about phishing or this study, please contact us via email at

Tom N. Jagatic, Principal Investigator; Nathaniel A. Johnson, Co-Investigator

Markus Jakobsson, Faculty Advisor

Acknowledgements

This study was performed as a class project for Filippo Menczer's CSCI B659 Web Mining course. It is further work on a paper presented at the Phishing Panel of Financial Cryptography titled "Modeling and Preventing Phishing Attacks," authored by Markus Jakobsson. Guidance from the IUB Human Subjects Committee was greatly appreciated. Support from the IT Policy and Security Offices was also critical to the success of this study. Lastly, the UITS Support Center should be credited for their service during the peak periods of user inquiry.


* Whuffo: Skydiver slang for people who don't jump, from "Whuffo you jump out of them planes?"