ARN

Phishing researcher 'targets' the unsuspecting

Executes online attacks as part of experiments aimed at improving security

If he weren't so ethical, Markus Jakobsson could be a world-class online fraudster. In a way, he already is.

Jakobsson, a cybersecurity researcher and professor at Indiana University in Bloomington, spends much of his time perpetrating online attacks on unsuspecting Web surfers - without actually harming them, of course - to see what types of ruses people will fall for and to predict new techniques phishers might pursue.

The university that gave the world Alfred Kinsey, the famous sex researcher, is more than willing to tolerate experiments that might improve computer security, even if it annoys a few unwitting participants.

"They think everything that is not immoral or illegal is fine," Jakobsson joked Wednesday at the Usenix Security Symposium in Boston, while delivering a talk on the human factor in online fraud such as phishing, click fraud and crimeware. Victims of online attacks often give up personal information, such as bank account details, or have their computers controlled remotely by hackers.

Jakobsson's research subjects can't know they're being experimented upon, or the results would be meaningless. The typical procedure is to tell them about the research after they've unknowingly participated, which Jakobsson admits has led to some angry responses.

In one experiment, Jakobsson and his students sent e-mails to about 20 people directing them to a site authenticated only by a self-signed certificate, an identity certificate signed with its own key by whoever created it rather than by a certificate authority, so the browser can say nothing about who really operates the site. Many people clicked through the resulting warning and accepted the certificate, something anyone knowledgeable in computer security should not have done.

"We were on four continents within a day with a starting point of 20 of these messages," Jakobsson said. "We could have put malware on computers."

In another study, Jakobsson found that while people often won't click on a suspicious link within an e-mail, they will go to the site if they are instructed to copy and paste the same URL into their browsers. The lesson Jakobsson took from the study - which involved an e-mail asking users to update their eBay accounts - is that public education efforts about the danger of online attacks are insufficient. People know they're not supposed to click on suspicious links, but they haven't been told not to copy and paste the same links into an address bar. A slight change in approach causes victims to let their guards down and pays dividends for bad guys.

Jakobsson also found a problem related to the practice of credit card companies identifying users by the last four digits of their account numbers, which are specific to the individual account. From his research, it turns out people are willing to respond to fraudulent e-mails if the attacker correctly states the first four digits of their account numbers, even though the first four are not account-specific at all: they are determined by who issued the card.

"People think [the phrase] 'starting with' is just as good as 'ending with,' which of course is remarkable insight," he said.
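The structure behind that finding, as an added example that is not part of the article: a payment card number is laid out as an issuer identification number (the leading digits, which only encode the brand and issuing bank), an account identifier in the middle, and a final Luhn check digit. The brand prefix table below is an abbreviated, constructed version of the well-known public ranges, and the "candidates" function counts how many four-digit prefixes an attacker who knows only the brand has to choose from, compared with the 10,000 possible values of the last four digits.

```python
# Added example, not from the article: why "starting with" is weak evidence.
# A card number (PAN) is structured, not random:
#   [ issuer identification number | individual account digits | Luhn check digit ]
# Only the middle digits vary per customer. The leading digits follow the
# card brand (and, at finer granularity, the issuing bank), and the last
# digit is a checksum of the others.

# Constructed, abbreviated table of widely published brand prefixes.
BRAND_PREFIXES = {
    "Visa": ["4"],
    "Mastercard": [str(p) for p in range(51, 56)] + [str(p) for p in range(2221, 2721)],
    "American Express": ["34", "37"],
    "Discover": ["6011", "65"],
}


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn checksum (last digit is the check digit)."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(pan: str):
    """Identify the card brand from the leading digits alone."""
    for brand, prefixes in BRAND_PREFIXES.items():
        if any(pan.startswith(p) for p in prefixes):
            return brand
    return None


def split_pan(pan: str):
    """Split a PAN into (issuer id, account digits, check digit) using the 6-digit IIN convention."""
    return pan[:6], pan[6:-1], pan[-1]


def first_four_candidates(brand: str) -> int:
    """How many distinct 'first four digits' an attacker must consider, knowing only the brand.

    Each published prefix of length n fixes n of the four digits; the rest are free.
    With an issuer's actual BIN list this collapses further, usually to a handful.
    """
    return sum(10 ** (4 - len(p)) for p in BRAND_PREFIXES[brand] if len(p) <= 4)


LAST_FOUR_CANDIDATES = 10 ** 4   # nothing constrains the last four without the rest of the PAN


if __name__ == "__main__":
    # Constructed sample: the standard Visa test number, not a real account.
    sample = "4111111111111111"
    print(brand_of(sample), luhn_valid(sample), split_pan(sample))
    for b in BRAND_PREFIXES:
        print(f"{b}: first-four guesses {first_four_candidates(b)} vs last-four {LAST_FOUR_CANDIDATES}")
```

Even with no issuer knowledge, matching a victim's "first four" costs an attacker between roughly 100 and 1,000 guesses depending on brand, and a bank-specific BIN list reduces it to a few; matching the last four stays at 10,000. That asymmetry is why "ending with" is a meaningful identifier and "starting with" is not.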


Another experiment targeted Indiana University professors, prompting them to use their university-issued passwords to get onto a site that appeared to be hosted outside of the school. Most were duped.

"We sent them to a page that said 'service temporarily unavailable, please try again later.' That would stimulate people's interest and many people returned," he said. "It was nice to see computer scientists never fell for the experimental attack when it was sent by a stranger. ... It was a wakeup call that the people in the School of Education did not distinguish whether it was from a friend or someone unknown to them."

One finding could have been predicted by anyone: Men are more likely to click on a link sent to them by a female than by a male. But the study dug up some more surprising facts by targeting e-mail addresses from a social networking site that listed political affiliations.

"It was delightful for me to see that people on the far left and far right were much more vulnerable than people in the middle, which confirms to me that they're crazier than the rest of us," Jakobsson said.

In another study, Jakobsson and his wife exposed weaknesses in eBay's system that allows communication between buyers and sellers. A recipient of an e-mail sees a yellow button that says "respond now," but the button is the same for everyone and carries no information about the intended recipient, so it can be copied into any message. Jakobsson pasted the button into a spoofed e-mail to a victim, making it appear to be a legitimate e-mail from an eBay user. The victim -- or, in this case, research subject -- who pressed it was taken to a site with a URL that looked similar to eBay's but was actually run by Jakobsson.

The researchers spoke with eBay after performing their experiment.

"Just a few months after we performed this experiment and told them the results, this attack started to happen in the wild, pretty big-scale too," he said. "We were terrified that we caused it to happen."

It turned out the same type of attack had already been occurring, but on a smaller scale, so Jakobsson was off the hook. He said eBay officials reacted positively to his research because it gives them information that can help improve security. For reasons related to public relations, eBay doesn't experiment on its own customers, he said.

There are several good reasons to perform such experiments, Jakobsson argues. They improve phishing countermeasures by discovering what works and what doesn't. Jakobsson said one experiment showed 400 subjects one of two AT&T links: one with the company name in the URL or one with the phrase "accountonline.com."

The accountonline.com link was the real one used by AT&T -- yet users deemed it less trustworthy than the one with AT&T's name in the URL. Phishers seem to know this already, as they tend to register domain names that look similar to the site they want people to think they are logging on to.

"Custom name attacks are remarkably successful," Jakobsson said.
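The lookalike URLs in the eBay experiment and the "custom name" finding above are both instances of the same trick: the trusted brand name appears somewhere in the host, but the registrable domain belongs to someone else, while a genuine domain that carries no brand name (accountonline.com) looks suspicious. The heuristic below is an added example, not code from the article or from eBay or AT&T; the allow-list of genuine domains is constructed for illustration (accountonline.com is the only entry the article vouches for), and the registrable-domain logic is simplified to the last two labels rather than consulting the Public Suffix List.

```python
# Added example, not from the article: flag URLs where a brand name appears in
# the host or path but the registrable domain is not one the brand really uses.
import re
from urllib.parse import urlsplit

# Constructed allow-list: brand token -> registrable domains that brand actually owns.
# accountonline.com is the genuine AT&T domain named in the article; the rest
# are assumptions for illustration.
KNOWN_DOMAINS = {
    "att": {"att.com", "accountonline.com"},
    "ebay": {"ebay.com"},
}


def registrable_domain(host: str) -> str:
    """Simplified registrable domain: the last two labels.

    Assumption: a production checker would use the Public Suffix List so that
    hosts under e.g. .co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str):
    """Return (verdict, brand, registrable_domain).

    verdict is 'genuine' when the registrable domain is on the brand's allow-list,
    'lookalike' when a brand token appears in the host or path but the domain is
    not the brand's, and 'unknown' otherwise.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""          # hostname is lowercased and has no port
    reg = registrable_domain(host)

    for brand, domains in KNOWN_DOMAINS.items():
        if reg in domains:
            return ("genuine", brand, reg)

    # Split host and path into alphanumeric tokens so "ebay-secure", "signin.ebay.com"
    # and "/ebay/login" all expose the brand token. Substring matching means a
    # token like "attack" would also trip "att"; a real filter would tighten this.
    haystack = (host + " " + parts.path).lower()
    for token in re.split(r"[^a-z0-9]+", haystack):
        for brand in KNOWN_DOMAINS:
            if token and brand in token:
                return ("lookalike", brand, reg)
    return ("unknown", None, reg)


if __name__ == "__main__":
    # Constructed sample URLs for the demonstration.
    for u in [
        "https://www.ebay.com/itm/123",
        "http://signin.ebay.com.example.net/ws/eBayISAPI.dll",
        "https://www.accountonline.com/",
        "http://att.accountonline-secure.com/",
        "https://news.example.org/",
    ]:
        print(u, "->", classify_url(u))
```

Note the last two sample cases: the real accountonline.com is rated genuine only because it is on the allow-list, not because of anything in its name, whereas att.accountonline-secure.com is flagged even though it reads as more "AT&T-like" to a user. That is the inversion Jakobsson measured: the cue users rely on (brand name in the URL) is exactly the one an attacker controls.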

Experiments can help researchers predict trends by discovering what human vulnerabilities haven't been exploited yet, Jakobsson said.

Although some argue users can't be taught to avoid online attacks, Jakobsson thinks his research can lead to better education methods. Some common advice is so vague that it's pretty much useless, he said, leaving lots of room for improvement.

"The technical component is important, but it's not all," Jakobsson said.