Phishers more successful than first thought

A higher than expected percentage of internet users are falling victim to phishing scams, US academics claimed today.

Researchers at Indiana University's School of Informatics said that phishers targeting US adults could be netting responses from as much as 14 percent of the targeted users per attack.

The university's study simulated phishing tactics used to elicit online information from Ebay customers.

The online auction giant was selected because of its millions of users, and because it is one of the most popular targets of phishing scams.

The researchers noted that recent surveys by the Gartner Group suggest that about three percent of adult Americans are successfully targeted by phishing attacks each year.

But this amount might be conservative given that many users are reluctant to admit falling for such a scam, or may even be unaware of it.

Other surveys may have resulted in overestimates of the risks because of a misunderstanding of what constitutes identity theft.

"Our goal was to determine the success rates of different types of phishing attacks, not just the types used today but those that have not yet occurred in the wild," said Markus Jakobsson, associate professor at the IU School of Informatics.

Jakobsson is also an associate director of the IU Center for Applied Cybersecurity Research, which studies and develops countermeasures to Internet fraud.

Along with computer science doctoral student Jacob Ratkiewicz, Jakobsson devised simulated attacks in which users received emails appearing to be legitimate and providing links to Ebay.

If recipients clicked on the link they were in fact sent to the Ebay site, but the researchers received a message letting them know that the recipient had logged in.

The researchers specifically designed the study so that all they received was a notification that a log-in had occurred. "We wanted to proceed ethically and yet obtain accurate results," said Ratkiewicz.

One experiment they devised was to launch a 'spear phishing' attack in which a phisher sends a personalised message to a user who might actually welcome or expect the message.

In this approach, the phisher uses personal information readily available on the internet and incorporates it into the attack, potentially making the scam more believable.

The researchers used three types of approach statements:
'Hi can you ship packages with insurance for an extra fee? Thanks'
'HI CAN YOU DO OVERNIGHT SHIPPING? THANKS!'
'Hi, how soon after payment do you ship? Thanks!'

In a large proportion of the messages, the user's Ebay username was included in the message to make it appear more similar to those Ebay itself might send.

"We think that spear phishing attacks will become more prevalent as phishers are more able to harvest publicly available information to personalise each attack," said Ratkiewicz. "And there is good reason to believe that this kind of attack will be more dangerous."

Copyright ©v3.co.uk

firstmorephisherssecuritysuccessfulthanthought