School Conducts Anti-Phishing Research

EVANSVILLE, Ind. -- The e-mail appeared to be a routine correspondence between two friends. "Check this out!" it read, then listed a Web address.

But the note was fake, part of an online ruse called phishing that has become a scammer's favorite way to get sensitive information from unsuspecting computer users.

Kevin McGrath, a 25-year-old doctoral student at Indiana University whose e-mail was secretly hijacked for a university experiment, surfs the internet from his parents home Thursday, July 12, 2007 in Louisville, Ky. (AP Photo/Brian Bohannon) (Brian Bohannon - AP) QUIZ What percent of U.S. tweens own a mobile phone? A. 15 percent B. 25 percent C. 35 percent D. 55 percent • Test Your Knowledge -- More Questions Partnership Resources for anyone who runs a small business or wants to start one. • Business Survival Skills: Dealing with the Next Bank Collapse • Presidential Debate Puts SMBs Center Stage on Health Insurance • Qualities of True Leaders: Humor • Starting a Business • Small Business on the Net • Home-Based Businesses » RESOURCE CENTER Save & Share Article What's This? Digg Google del.icio.us Yahoo! Reddit Facebook

The catch? The scammers were Indiana University researchers, the e-mail an experiment.

"I didn't know I was being used," said Kevin McGrath, 25, a doctoral student at Indiana University whose e-mail address was one of hundreds used as "passive participants" for an experiment to study who gets duped by phishing.

As universities nationwide study ways to protect online security, methods at Indiana are raising ethical and logistical questions for researchers elsewhere: Does one have to steal to understand stealing? Should study participants know they are being attacked as part of a study? Can controlled phishing ever mimic real life?

Indiana researchers say the best way to understand online security is to act like the bad guys.

"We don't believe that you can go and ask people, 'Have you been phished?' There's a stigma associated with it. It's like asking people, 'Have you been raped?'" said Markus Jakobsson, an associate professor of informatics who directs IU's Anti-Phishing Group.

The university has conducted nearly a dozen experiments in the last two years. In one, called "Messin' With Texas," researchers learned mothers' maiden names for scores of people in Texas. Maiden names often are used as a security challenge question.

Another conducted in May found that 72 percent of more than 600 students tested on the Bloomington, Ind., campus fell for an e-mail from an account intended to look familiar that sought usernames and passwords.

By contrast, only 18 percent of 350 students in a separate control group were fooled when they received e-mails from addresses they did not recognize.

The experiments found that hackers have the most success by using hijacked Web addresses or e-mail accounts that look real. The research also showed computer users generally have little knowledge of Web site security certificates and leave themselves open to attack with poorly configured routers or operating systems.

Understanding those weaknesses is a key to combatting phishing, which accounted for nearly three-quarters of 11,342 online attacks recorded between January and March, according to the US-Cert, which monitors online attacks for the Department of Homeland Security.