School conducts anti-phishing research
Methods at Indiana University raising ethical, logistical questions
EVANSVILLE, Ind. - The e-mail appeared to be a routine correspondence between two friends. "Check this out!" it read, then listed a Web address.
But the note was fake, part of an online ruse called phishing that has become a scammer's favorite way to get sensitive information from unsuspecting computer users.
The catch? The scammers were Indiana University researchers, the e-mail an experiment.
"I didn't know I was being used," said Kevin McGrath, 25, a doctoral student at Indiana University whose e-mail address was one of hundreds used as "passive participants" for an experiment to study who gets duped by phishing.
As universities nationwide study ways to protect online security, methods at Indiana are raising ethical and logistical questions for researchers elsewhere: Does one have to steal to understand stealing? Should study participants know they are being attacked as part of a study? Can controlled phishing ever mimic real life?
Indiana researchers say the best way to understand online security is to act like the bad guys.
"We don't believe that you can go and ask people, 'Have you been phished?' There's a stigma associated with it. It's like asking people, 'Have you been raped?'" said Markus Jakobsson, an associate professor of informatics who directs IU's Anti-Phishing Group.
The university has conducted nearly a dozen experiments in the last two years. In one, called "Messin' With Texas," researchers learned mothers' maiden names for scores of people in Texas. Maiden names often are used as a security challenge question.
Another conducted in May found that 72 percent of more than 600 students tested on the Bloomington, Ind., campus fell for an e-mail from an account intended to look familiar that sought usernames and passwords.
By contrast, only 18 percent of 350 students in a separate control group were fooled when they received e-mails from addresses they did not recognize.
The experiments found that hackers have the most success by using hijacked Web addresses or e-mail accounts that look real. The research also showed computer users generally have little knowledge of Web site security certificates and leave themselves open to attack with poorly configured routers or operating systems.



