
School conducts anti-phishing research

Kevin McGrath, a 25-year-old doctoral student at Indiana University whose e-mail was secretly hijacked for a university experiment, surfs the internet from his parents' home, July 12, 2007 in Louisville, Ky. Brian Bohannon / AP
Source: The Associated Press

The e-mail appeared to be a routine correspondence between two friends. "Check this out!" it read, then listed a Web address.

But the note was fake, part of an online ruse called phishing that has become a scammer's favorite way to get sensitive information from unsuspecting computer users.

The catch? The scammers were Indiana University researchers, the e-mail an experiment.

"I didn't know I was being used," said Kevin McGrath, 25, a doctoral student at Indiana University whose e-mail address was one of hundreds used as "passive participants" for an experiment to study who gets duped by phishing.

As universities nationwide study ways to protect online security, methods at Indiana are raising ethical and logistical questions for researchers elsewhere: Does one have to steal to understand stealing? Should study participants know they are being attacked as part of a study? Can controlled phishing ever mimic real life?

Indiana researchers say the best way to understand online security is to act like the bad guys.

"We don't believe that you can go and ask people, 'Have you been phished?' There's a stigma associated with it. It's like asking people, 'Have you been raped?'" said Markus Jakobsson, an associate professor of informatics who directs IU's Anti-Phishing Group.

The university has conducted nearly a dozen experiments in the last two years. In one, called "Messin' With Texas," researchers learned mothers' maiden names for scores of people in Texas. Maiden names often are used as a security challenge question.

Another conducted in May found that 72 percent of more than 600 students tested on the Bloomington, Ind., campus fell for an e-mail from an account intended to look familiar that sought usernames and passwords.

By contrast, only 18 percent of 350 students in a separate control group were fooled when they received e-mails from addresses they did not recognize.

The experiments found that hackers have the most success by using hijacked Web addresses or e-mail accounts that look real. The research also showed computer users generally have little knowledge of Web site security certificates and leave themselves open to attack with poorly configured routers or operating systems.

Understanding those weaknesses is a key to combating phishing, which accounted for nearly three-quarters of the 11,342 online attacks recorded between January and March, according to US-CERT, which monitors online attacks for the Department of Homeland Security.

Many companies have taken steps to protect consumers, but none have proven entirely effective — which is why IU believes it's important to understand phishing "in the wild," as Jakobsson describes it.

Federal laws governing university research allow scientists to use deceptive means if the risk participants face is minimal and no greater than what they would face in daily life.

Peter Finn, who serves on the Indiana review board that approves the studies, said the university believes the phishing experiments fall within those guidelines — even though about 30 students complained about the methods.

"The probability of harm from the study is nowhere near the magnitude of the harm that would result from actual phishing attacks," Finn said.

Jakobsson said researchers take steps to protect information from hackers who might snoop on the studies. The fake Web sites and e-mails used in the phishing attempts are created behind a secure server. No information submitted by test subjects is stored. The phishing pages themselves are served without encryption, to mirror real conditions, and they record only that someone submitted information, not what was submitted.
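The record-that-they-submitted-but-not-what design described in the paragraph above, as an added example that is not code from the Indiana University study. It is a minimal landing-page handler for an authorized phishing study; the per-recipient token parameter `t`, the `username`/`password` field names, the sample token table and the cohort labels are all assumptions made for this example.

```python
"""Landing-page handler for an authorized phishing study that counts
submissions without retaining what was submitted.

Added example, not code from the Indiana University study. Assumptions,
all hypothetical: each lure URL carries an opaque per-recipient token in
the `t` query parameter, the form posts `username` and `password`
fields, and the retained record is the token, its cohort, a yes/no
"credentials were entered" flag and the date.
"""
from __future__ import annotations

import json
import time
from dataclasses import asdict, dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample: tokens minted when the lure e-mails were generated,
# mapped to the experimental condition each recipient was assigned to.
TOKENS: Mapping[str, str] = {
    "a1b2c3": "familiar-sender",
    "d4e5f6": "unknown-sender",
}

EVENT_LOG: list[str] = []   # one JSON line per submission; nothing else persists


@dataclass(frozen=True)
class SubmissionEvent:
    token: str
    cohort: str
    credentials_entered: bool
    day: str   # date only: coarse on purpose, so the log cannot be tied to login times


def record_submission(path: str, body: str,
                      tokens: Mapping[str, str] = TOKENS,
                      now: Optional[float] = None) -> Optional[SubmissionEvent]:
    """Turn one POST into the minimal event the study keeps, or None if the
    request did not come from a study lure (unknown or missing token)."""
    token = parse_qs(urlparse(path).query).get("t", [""])[0]
    cohort = tokens.get(token)
    if cohort is None:
        return None                      # not one of ours: record nothing at all
    fields = parse_qs(body, keep_blank_values=True)
    # The form values are inspected only to answer "did they type something?"
    entered = all(fields.get(name, [""])[0].strip() for name in ("username", "password"))
    del fields                           # nothing from the form survives past here
    stamp = time.gmtime(time.time() if now is None else now)
    return SubmissionEvent(token, cohort, entered, time.strftime("%Y-%m-%d", stamp))


def to_log_line(event: SubmissionEvent) -> str:
    """Serialize the event; this is the only thing ever written to the log."""
    return json.dumps(asdict(event), sort_keys=True)


class StudyHandler(BaseHTTPRequestHandler):
    """Receives the fake login form. Responds identically whether or not the
    token was recognized, so the page leaks nothing about who is enrolled."""

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", "replace")
        event = record_submission(self.path, body)
        if event is not None:
            EVENT_LOG.append(to_log_line(event))
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write(b"This page was part of an authorized study; please read the debriefing notice.\n")

    def log_message(self, *args) -> None:
        # Silence the default stderr access log so EVENT_LOG is the only record kept.
        pass


if __name__ == "__main__":
    # Plain HTTP on purpose, mirroring the unencrypted pages the article describes.
    HTTPServer(("127.0.0.1", 8080), StudyHandler).serve_forever()
```

Counting `credentials_entered` per cohort in `EVENT_LOG` is enough to produce a result of the "72 percent versus 18 percent" kind without the study ever holding a password. One caveat a practitioner should keep in mind: because the page is served over plain HTTP, whatever the subject types still crosses the network in the clear, so discarding it server-side protects the study's own records but not the credentials in transit.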

"Deception research"
Celia B. Fisher, a human research ethicist at Fordham University in New York, said the experiments qualify as "deception research" and are legal, even necessary.

"There is no way to find this information out without deceiving the participants, because as soon as you tell them what you're doing, you won't have any real information," she said.

But Lorrie Cranor, who directs an anti-phishing group at Carnegie Mellon in Pittsburgh, said controlled laboratory studies can be just as useful.

The school has developed an online tool accessible only from its labs called "Anti-Phishing Phil" to lead participants through scenarios based on actual phishing attempts. The experiment hopes to determine which methods work the best at deceiving users.

Cranor's research has found that successful phishing attempts rely on human vulnerabilities such as greed, curiosity, ignorance and fear.

"When you talk to someone, you look in their eyes and say, 'Does this look like they're telling the truth?' And we get pretty good at making these judgments," she said. "But most of us are not very good at making these judgments online."

Conditioning users to recognize those weaknesses before it's too late is the safest way to combat phishing, she said.

"If we were to collect personal information from people, we have to be very careful," Cranor said. "You don't want to be responsible for holding a list of people's Social Security numbers."