Phishers more successful than first thought

By on

US academics warn that scammers may have success rate of 14 per cent.

A higher than expected percentage of internet users are falling victim to phishing scams, US academics claimed today.

Researchers at Indiana University's School of Informatics said that phishers targeting US adults could be netting responses from as much as 14 per cent of the targeted users per attack.

The university's study simulated phishing tactics used to elicit online information from eBay customers.

The online auction giant was selected because of its millions of users, and because it is one of the most popular targets of phishing scams.

The researchers noted that recent surveys by the Gartner Group suggest that about three per cent of adult Americans are successfully targeted by phishing attacks each year.

But this amount might be conservative given that many users are reluctant to admit falling for such a scam, or may even be unaware of it.

Other surveys may have resulted in overestimates of the risks because of a misunderstanding of what constitutes identity theft.

"Our goal was to determine the success rates of different types of phishing attacks, not just the types used today but those that have not yet occurred in the wild," said Markus Jakobsson, associate professor at the IU School of Informatics.

Jakobsson is also an associate director of the IU Center for Applied Cybersecurity Research, which studies and develops countermeasures to Internet fraud.

Along with computer science doctoral student Jacob Ratkiewicz, Jakobsson devised simulated attacks in which users received emails appearing to be legitimate and providing links to eBay.

If recipients clicked on the link they were in fact sent to the eBay site, but the researchers received a message letting them know that the recipient had logged in.

The researchers specifically designed the study so that all they received was a notification that a log-in had occurred. "We wanted to proceed ethically and yet obtain accurate results," said Ratkiewicz.

One experiment they devised was to launch a 'spear phishing' attack in which a phisher sends a personalised message to a user who might actually welcome or expect the message.

In this approach, the phisher uses personal information readily available on the internet and incorporates it into the attack, potentially making the scam more believable.

The researchers used three types of approach statements:

'Hi can you ship packages with insurance for an extra fee? Thanks'

'HI CAN YOU DO OVERNIGHT SHIPPING? THANKS!'

'Hi, how soon after payment do you ship? Thanks!'

In a large proportion of the messages, the user's eBay username was included in the message to make it appear more similar to those eBay itself might send.

"We think that spear phishing attacks will become more prevalent as phishers are more able to harvest publicly available information to personalise each attack," said Ratkiewicz. "And there is good reason to believe that this kind of attack will be more dangerous."
Copyright ©v3.co.uk
Tags:

Most Read Articles

You must be a registered member of iTnews to post a comment.
| Register

Poll

How should the costs of Australia's piracy scheme be split?
Rights holders should foot the whole bill
50/50
ISPs should foot the whole bill
Government should chip in a bit
Other
Flash is heading towards its grave, and that's...
Great! Good riddance
Sad! Flash had some good qualities
Irrelevant. I don't care
What's Flash?
View poll archive

Whitepapers from our sponsors

What will the stadium of the future look like?
What will the stadium of the future look like?
New technology adoption is pushing enterprise networks to breaking point
New technology adoption is pushing enterprise networks to breaking point
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
The next era of business continuity: Are you ready for an always-on world?
The next era of business continuity: Are you ready for an always-on world?

Log In

Username:
Password:
|  Forgot your password?