Phishing Attacks Using Social Networks

Human Subject Study #05-9893, #05-9892

Phishing Research at IU | Research Study Blog

http://www.indiana.edu/~phishing

Phishing is the fraudulent acquisition, through deception, of sensitive personal information such as passwords, by masquerading as someone trustworthy.

Data gathered from the Internet was analyzed and used to create a contextual type of attack using deception. An email was spoofed by us, misrepresenting a communication between two friends, Alice and Bob. It is presumed an email from a friend would typically hold more credibility than from some unknown person/entity. The emails which were spoofed were not actually sent from the subject's personal email accounts.

An example of one experiment performed is as follows:

From: Alice
To: Bob
Subject: This is Cool!

Hey, check this out!

https://www.indiana.edu/%7e%70hi%73%68%69n%67/?n=XXX&rdr=%68%74%74%70
%73%3a%2f%2f%77%77%77%2e%77%68%75%66%66%6f%2e%63%6f%6d%2f%3f%6e%3dXXX/ Alice

This also study did not include the collection of any sensitive personal information. An authenticator was used to validate the username and password (credentials) provided by the subject. This validation is an assurance that the means of deception (phishing attack) was successful. By using an authenticator, there is no human review or storage of passwords. In an unethical manner a similar looking approach could be used to harvest passwords.

A social network is a map of the relationships between individuals, indicating the ways in which they are connected through various social familiarities.

A spoof attack refers to a situation in which one person or program is able to masquerade successfully as another. The email messages sent to the subjects were from spoofed origins.

Ways to Help Better Protect Yourself

www.whuffo.com

The website used in the experiment to "phish" was www.whuffo.com[*], a purported third-party website. It was used to validate Indiana University Network ID and password credentials. A simulated redirect vulnerability from https://www.indiana.edu/%7e%70hi%73%68%69n%67/ was used to send users to https://www.whuffo.com. All communications were encrypted using SSL (secure sockets layer).

Talk About this Study or Phishing in General

If you would like to talk about this study, there is an anonymous blog that can be used for this type of discussion.

Contact Information

If you have any questions about phishing or this study, please contact us via email at

Tom N. Jagatic, Principal Investigator; Nathaniel A. Johnson, Co-Investigator

Markus Jakobsson, Faculty Advisor

Acknowledgements

This study was performed as a class project for Filippo Menczer's CSCI B659 Web Mining course. It is further work on a paper presented at the Phishing Panel of Financial Cryptography titled, Modeling and Preventing Phishing Attacks, authored by Markus Jakobsson. Guidance from IUB Human Subjects Commitee was greatly appreciated. Support from the IT Policy and Security Offices was also critical to the success of this study. Lastly, the UITS Support Center should be credited for their service during the peak periods of user inquiry.


* Whuffo: Skydiver slang for people who don't jump, from "Whuffo you jump out of them planes?"