The eMail message appeared to be a routine correspondence between two friends. “Check this out!” it read, then listed a web address.
But the note was fake, part of an online ruse called phishing that has become a scammer’s favorite way to get sensitive information from unsuspecting computer users.
The catch? The scammers were Indiana University (IU) researchers, the eMail an experiment.
“I didn’t know I was being used,” said Kevin McGrath, 25, an IU doctoral student whose eMail address was one of hundreds used as “passive participants” for an experiment to study who gets duped by phishing.
As universities nationwide study ways to protect online security, methods at Indiana are raising ethical and logistical questions for researchers elsewhere: Does one have to steal to understand stealing? Should study participants know they are being attacked as part of a study? Can controlled phishing ever mimic real life?
Indiana researchers say the best way to understand online security is to act like the bad guys.
“We don’t believe that you can go and ask people, ‘Have you been phished?’ There’s a stigma associated with it. It’s like asking people, ‘Have you been raped?’” said Markus Jakobsson, an associate professor of informatics who directs IU’s Anti-Phishing Group.
The university has conducted nearly a dozen experiments in the last two years. In one, called “Messin’ With Texas,” researchers learned mothers’ maiden names for scores of people in Texas. Maiden names often are used as a security challenge question.
Another conducted in May found that 72 percent of more than 600 students tested on the Bloomington, Ind., campus fell for an eMail message from an account intended to look familiar that sought usernames and passwords.
By contrast, only 18 percent of 350 students in a separate control group were fooled when they received eMails from addresses they did not recognize.
The experiments found that hackers have the most success by using hijacked web addresses or eMail accounts that look real. The research also showed computer users generally have little knowledge of web-site security certificates and leave themselves open to attack with poorly configured routers or operating systems.
Understanding those weaknesses is a key to combating phishing, which accounted for nearly three-quarters of the 11,342 online attacks recorded between January and March, according to US-CERT, which monitors online attacks for the Department of Homeland Security.
Many companies have taken steps to protect consumers, but none has proven entirely effective, which is why IU believes it’s important to understand phishing “in the wild,” as Jakobsson describes it.
Federal laws governing university research allow scientists to use deceptive means if the risk that participants face is minimal and no greater than what they would face in daily life.
Peter Finn, who serves on the Indiana review board that approves the studies, said the university believes that the phishing experiments fall within those guidelines, even though about 30 students complained about the methods.
“The probability of harm from the study is nowhere near the magnitude of the harm that would result from actual phishing attacks,” Finn said.
Jakobsson said researchers take steps to protect information from hackers who might snoop on the studies. The fake web sites and eMail messages used in the phishing attempts are created behind a secure server. No information submitted by test subjects is stored. The experiments, which are not encrypted so as to mirror real conditions, record only that someone gave information, not what they provided.
Celia B. Fisher, a human-research ethicist at Fordham University in New York, said the experiments qualify as “deception research” and are legal, even necessary.
“There is no way to find this information out without deceiving the participants,” she said, “because as soon as you tell them what you’re doing, you won’t have any real information.”
But Lorrie Cranor, who directs an anti-phishing group at Carnegie Mellon University in Pittsburgh, said controlled laboratory studies can be just as useful.
The school has developed an online tool called “Anti-Phishing Phil,” accessible only from its labs, to lead participants through scenarios based on actual phishing attempts. The experiment aims to determine which methods work best at deceiving users.
Cranor’s research has found that successful phishing attempts rely on human vulnerabilities such as greed, curiosity, ignorance, and fear.
“When you talk to someone, you look in their eyes and say, ‘Does this look like they’re telling the truth?’ And we get pretty good at making these judgments,” she said. “But most of us are not very good at making these judgments online.”
Conditioning users to recognize those weaknesses before it’s too late is the safest way to combat phishing, Cranor said.
“If we were to collect personal information from people, we have to be very careful,” she said. “You don’t want to be responsible for holding a list of people’s Social Security numbers.”
Anti-Phishing Group at Indiana University http://tinyurl.com/2dru4e
Phishing Report from Carnegie Mellon University http://www.cylab.cmu.edu/default.aspx?id=2255