Latest Phishing Scam... Actually University Research
from the gotta-trick-you-to-understand dept
Lots of people are trying to research phishing scams in order to better understand them and come up with better ways to protect against them, but some folks are apparently a bit upset at research coming out of Indiana University that involved actually phishing a variety of people to con important information out of them in order to understand what kind of phishing scams work. The researchers and the university are defending the practice, saying they learned a lot from it, and it's legal to be deceptive for the purpose of research so long as the deception is no different than what a person might come across normally and the risk to the person is minimal. Still, if any of the information is eventually misused or gets leaked, it certainly could create some problems for the university (and universities are no stranger to leaking data). The university still claims that this kind of research is key to preventing phishing... but oddly, the article seems to highlight what works for phishing scams, rather than what works to stop phishing scams. So, right now, the research seems to be telling scammers how to be more effective scammers, rather than coming up with ways to stop phishing.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: phishing, research, scams
Companies: indiana university
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
In order to stop phishing...
I understand the privacy implications here, but how is a research supposed to come up with ways to reduce phishing without knowing what how/why it works (including stupid people)?
It seems to me that knowing what was most effective would at least be good fodder for an education campaign.
This is like saying a security firm shouldn't be finding exploits in computer systems because that is just helping hackers.
[ link to this | view in chronology ]
Phishing
2. Stupid People will never go away. Can we say why UAC in Vista can be good. Or how can people really believe that they had a rich relative who died in Nigeria?
[ link to this | view in chronology ]
Well I can understand...
but oddly, the article seems to highlight what works for phishing scams, rather than what works to stop phishing scams. So, right now, the research seems to be telling scammers how to be more effective scammers, rather than coming up with ways to stop phishing.
They could be using the idea of exsposing the way the phishers operate. That way if the "secret" to phishing for info is no longer secret and everyone knows about it then people will hopefully wise up a bit. Kinda like someone telling how the magician made the elephant disappear.
[ link to this | view in chronology ]
phishing isn't a victimless crime, its just that the victims are so f'ing stupid, it is really a challenge to work up any sympathy.
i have more sympathy for drunk guys that get rolled by hookers...
[ link to this | view in chronology ]
why to perform phishing experiments
First of all, in a well designed experiment, no credential is even harvested by the researcher. Instead, he or she instead verifies that that right credentials were input -- using the legitimate verification service. An example of how this is done, in the context of phishing eBay users, is available in
http://www.informatics.indiana.edu/markus/papers/ethical_phishing-jakobsson_ratkiewicz_06.pdf
This, and other experiments, are described from the ethical point of view in
http://www.indiana.edu/~phishing/papers/finn-conducting.pdf
Why are experiments useful, then? I think a good way to explain the needs for experiments is:
1. To improve phishing countermeasures, knowing what works and what does not.
2. To predict trends, knowing what the yet not exploited human vulnerabilities are.
3. To improve security education. An example effort is www.securitycartoon.com -- this is directly influenced by phishing experiments.
Cheers,
Markus
[ link to this | view in chronology ]
research on phishing
[ link to this | view in chronology ]