
Phishing for Credit

Zonk posted more than 9 years ago | from the both-academic-and-financial dept.

Security 218

An anonymous reader writes "Two graduate students at Indiana University conducted a phishing study to determine how readily students will give up personal information if the phishing emails appear to come from close friends. Using only publicly available information, they sent out emails to students asking them to click a link that required username/password information. Needless to say, the study has generated lots of attention on campus. The student newspaper has the story and the researchers have created a blog where the participants can vent."


Dear Friend (4, Funny)

fembots (753724) | more than 9 years ago | (#12351790)

Dear Friend,

Can you please click on this link [nzbest.com] ?

Yours Truly Friendly,
Close Friend

Re:Dear Friend (-1, Troll)

tomhudson (43916) | more than 9 years ago | (#12351907)

We are doing a survey.

Respondents will be compensated.

Please click here [zoy.org] if you wish more details,
or here [zoy.org] if you wish to skip the survey and continue reading slashdot.

Thank you.

Re:Dear Friend (1)

grolschie (610666) | more than 9 years ago | (#12351914)

Classic. This humour is lost on non-NZers though. Your site is referring to the $1.95 MacD's ad, right? If so, shouldn't it be the kid's father who should be selling him?

Dear Fiends (1)

antdude (79039) | more than 9 years ago | (#12352014)

Can you also please click on this link [aqfl.net] ? ;)

Yours Truly Unfriendly,
Close Fiend

Just watch (5, Insightful)

hsmith (818216) | more than 9 years ago | (#12351792)

They will be pressed with charges even though they had good intentions compared to hardly anyone getting caught with malicious intentions.

Re:Just watch (5, Insightful)

j!mmy v. (613784) | more than 9 years ago | (#12351869)

Oh, naturally. The single fastest way to get people riled and after your ass is to make them look stupid. Publicly.

Seriously, whatever happens, guys sharp enough to organize a phish study couldn't see it coming?

Re:Just watch (2, Insightful)

tomhudson (43916) | more than 9 years ago | (#12352031)

Seriously, whatever happens, guys sharp enough to organize a phish study couldn't see it coming?
... in their defence, they could say that it should have been obvious - after all, their server wasn't located in the .ru tld.

Lesson # 1: Don't do phishing research in Amerika, because In Amerika, phishing does YOU!

Lesson # 2: If you're going to do the time, at least make it worth your while. Make sure you have a buyer for any info you get.

Lesson # 3: Remember to have a good agent for the TV movie and book deal lined up BEFORE you start your "research"

Lesson # 4: Before publishing your results, make sure you use the password info to get enough data to be able to blackmail everyone into silence. Uploading kiddie porn to their accounts is a good way to start. It's like the WMDs, "We'll find them, even if we have to put them there ourselves".

Time will tell - someone will get it right eventually.

Re:Just watch (0, Troll)

T-Ranger (10520) | more than 9 years ago | (#12351878)

pressed with charges
Man, you speek the english good.

Re:Just watch (0)

Anonymous Coward | more than 9 years ago | (#12351915)

That went over my head... I've heard the term before?

Re:Just watch (1)

alanlke (685520) | more than 9 years ago | (#12352033)

Don't take it too personally. The idiomatic phrase is: "to press charges". In english, one can press charges against another, but one cannot be pressed with charges.

Re:Just watch (2, Funny)

s20451 (410424) | more than 9 years ago | (#12352071)

No, he means this [wikipedia.org] . The moral is, don't fuck with the justice department!

Re:Just watch (1)

Rosco P. Coltrane (209368) | more than 9 years ago | (#12351892)

That's the subject for their next study: life in a federal pen. Their assigned mentor teacher for their thesis is called Dr. Bubba...

Re:Just watch (1)

docbrazen (785392) | more than 9 years ago | (#12351955)

According to their blog, "The Human Subjects Committee granted a waiver of consent for this experiment".

Re:Just watch (1)

Intron (870560) | more than 9 years ago | (#12352070)

Also according to the blog:

Many of you are upset because you feel you were not asked for perminssion beforehand. I understand that this feels strange.

So its obvious that these researchers are careful about what they do and recheck everything. I would trust them with my personal information.

Re:Just watch (0)

Anonymous Coward | more than 9 years ago | (#12352109)

So its obvious that these researchers are careful about what they do...

About as careful as you, I guess.

I see their point, but... (5, Insightful)

daveschroeder (516195) | more than 9 years ago | (#12351799)

But some students are upset they were involved in the study without their consent or knowledge. Senior Rebecca Shakespeare did not even know she had been used as a sender until her friend notified her.

"I was frustrated that I was hearing from a friend that my e-mail account was sending her things," Shakespeare said. "I had no idea where it was coming from. I was irritated because I was concerned that my home system was being abused."

Shakespeare called University Information Technology Services, which said it could have been a virus and to not click on the link.

"I've spent a lot of time keeping my (computer) secured," Shakespeare said. "I feel kind of used that it was the University that was making my friends think I had opened up my system to viruses."


If that's really why they're concerned, well, maybe they'd be interested in knowing that the vast majority of virus/malware type things that send email in this fashion still don't originate from the computer of the person in question anyway...therefore, this whole rationale for worry is BS, since spoofed email can come from *anywhere*, and it's most often NOT your own computer.

And - make no mistake, I really do see their point - but the IT resources belong to the university, and neither the university nor the researchers uses the person's account or any password or other credentials belonging to the person. It was simply a spoofed "from" address; nothing more. And if it's strictly "legal" for any random person to spoof a from address, it's just as legal for the purposes of research, whose findings may provide some level of insight on *protecting* people from malicious phishing.

Now, I personally don't know whether any of this justifies doing the study in the way they did. That's a judgment call. If the university's IT organization proper is doing it, that's one thing, and I could see people being uncomfortable with the motivations. But grad students? I don't see any problem with that at all. In fact, they don't need anyone's permission to do what they did. However, in good faith, they did get the approval of the Human Subjects Committee.

Re:I see their point, but... (1, Insightful)

dmf415 (218827) | more than 9 years ago | (#12351829)

It seems those who conducted the experiment are going to get a bit more press than they expected.

Re:I see their point, but... (0, Troll)

OverlordQ (264228) | more than 9 years ago | (#12351886)

If the university's IT organization proper is doing it, that's one thing, and I could see people being uncomfortable with the motivations. But grad students? I don't see any problem with that at all.

Say what!?

I'd rather have the 'Official' Representatives of the service performing the study not some J Random User, since you know there has to be some oversight if the School Officials are doing it.

Re:I see their point, but... (2, Insightful)

John Seminal (698722) | more than 9 years ago | (#12351921)

If that's really why they're concerned, well, maybe they'd be interested in knowing that the vast majority of virus/malware type things that send email in this fashion still don't originate from the computer of the person in question anyway...therefore, this whole rationale for worry is BS, since spoofed email can come from *anywhere*, and it's most often NOT your own computer.

And - make no mistake, I really do see their point - but the IT resources belong to the university, and neither the university nor the researchers uses the person's account or any password or other credentials belonging to the person. It was simply a spoofed "from" address; nothing more. And if it's strictly "legal" for any random person to spoof a from address, it's just as legal for the purposes of research, whose findings may provide some level of insight on *protecting* people from malicious phishing.

So, what's the answer? Is there something I can send with my emails that verifies it came from me, something that can't be spoofed? Is there some algorithm out there that a SERVER can use, attach as part of the header, that the recipient can then verify the origin?

Headers can be forged, that is old news. But what has been done about it? How can we trust any email?

The whole web was designed to be anonymous and trusted at the same time, two things that cannot exist together. Either the web must evolve to a system where the sender is known, like a phone call. Just imagine if phone calls worked the way email works. You spoof your phone number, call someone else, and get their credit card number. That would land a person in jail.

Re:I see their point, but... (0)

Anonymous Coward | more than 9 years ago | (#12352011)

So, what's the answer? Is there something I can send with my emails that verifies it came from me, something that can't be spoofed?

An OpenPGP or S/MIME signature.

Is there some algorithm out there that a SERVER can use, attach as part of the header, that the recipient can then verify the origin?

DomainKeys [yahoo.com]

Just imagine if phone calls worked the way email works. You spoof your phone number, call someone else, and get their credit card number.

It does work like that. This article [theregister.co.uk] mentions caller ID spoofing with VoIP, but anyone with a digital connection to the telephone network has been able to do this for years.
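The server-side scheme the reply points to, as an added example (my code, not the thread's and not Yahoo's DomainKeys implementation): a simplified DKIM-style signature in Go. DomainKeys grew into DKIM, where the sending domain's server signs selected headers plus a body hash and the recipient recomputes them; this example uses Ed25519, which DKIM allows (RFC 8463), rather than DomainKeys' RSA-SHA1. The X-Sig header name, the domain and the message are constructed, and a mail whose From is spoofed from another server carries no valid signature for the claimed domain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// SampleMessage is constructed, modelled on the study's mail: headers, blank line, body.
const SampleMessage = "From: Alice <alice@indiana.edu>\r\nTo: bob@indiana.edu\r\n" +
	"Subject:  This is   cool!\r\n\r\nHey, check this out!\r\n"

// SignedHeaders are the headers the signature covers (DKIM's h= tag).
var SignedHeaders = []string{"From", "To", "Subject"}

// sigHeaderName is a hypothetical header name; real DKIM uses DKIM-Signature.
const sigHeaderName = "X-Sig"

// splitMessage separates the header lines from the body.
func splitMessage(raw string) ([]string, string) {
	parts := strings.SplitN(raw, "\r\n\r\n", 2)
	if len(parts) < 2 {
		parts = append(parts, "")
	}
	return strings.Split(parts[0], "\r\n"), parts[1]
}

// headerValue returns the first header with the given name, case-insensitively.
func headerValue(headers []string, name string) (string, bool) {
	for _, h := range headers {
		if i := strings.IndexByte(h, ':'); i > 0 && strings.EqualFold(h[:i], name) {
			return strings.TrimSpace(h[i+1:]), true
		}
	}
	return "", false
}

// canonicalHeaders builds the signed header string in DKIM "relaxed" style:
// lowercase names, runs of whitespace folded to one space.
func canonicalHeaders(headers, names []string) string {
	var b strings.Builder
	for _, n := range names {
		v, _ := headerValue(headers, n)
		b.WriteString(strings.ToLower(n) + ":" + strings.Join(strings.Fields(v), " ") + "\r\n")
	}
	return b.String()
}

// bodyHash is the base64 SHA-256 of the body (DKIM's bh= tag).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(body))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// parseTags turns "k=v; k=v" into a map.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, kv := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			tags[k] = strings.TrimSpace(v)
		}
	}
	return tags
}

// Sign runs on the domain's outbound mail server, which alone holds priv; the matching
// public key is published (DKIM puts it in DNS). Returns the message with X-Sig prepended.
func Sign(raw, domain string, priv ed25519.PrivateKey) string {
	headers, body := splitMessage(raw)
	// The signature header itself, with b= left empty, is part of the signed data.
	sigHeader := fmt.Sprintf("d=%s; h=%s; bh=%s; b=", domain, strings.Join(SignedHeaders, ":"), bodyHash(body))
	data := canonicalHeaders(headers, SignedHeaders) + strings.ToLower(sigHeaderName) + ":" + sigHeader
	sig := ed25519.Sign(priv, []byte(data))
	return sigHeaderName + ": " + sigHeader + base64.StdEncoding.EncodeToString(sig) + "\r\n" + raw
}

// Verify runs at the recipient: it recomputes the body hash and covered headers from the
// message as received. A missing signature, an altered covered header or body, or a
// signature made with another key all yield false.
func Verify(raw string, pub ed25519.PublicKey) bool {
	headers, body := splitMessage(raw)
	sigVal, ok := headerValue(headers, sigHeaderName)
	tags := parseTags(sigVal)
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if !ok || err != nil || tags["bh"] != bodyHash(body) {
		return false
	}
	// Rebuild exactly what Sign signed: the header value with the b= value removed.
	unsigned := strings.TrimSuffix(sigVal, tags["b"])
	data := canonicalHeaders(headers, strings.Split(tags["h"], ":")) + strings.ToLower(sigHeaderName) + ":" + unsigned
	return ed25519.Verify(pub, []byte(data), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // a long-lived domain key in practice
	signed := Sign(SampleMessage, "indiana.edu", priv)
	fmt.Println("genuine message verifies: ", Verify(signed, pub))
	fmt.Println("spoofed From verifies:    ", Verify(strings.Replace(signed, "alice@", "mallory@", 1), pub))
	fmt.Println("unsigned message verifies:", Verify(SampleMessage, pub))
}
```

Verify treats a missing signature as failure; in real deployments what to do with unsigned mail is a per-domain policy (DMARC), and the public key is fetched from DNS rather than handed in.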

Re:I see their point, but... (2, Informative)

Twanfox (185252) | more than 9 years ago | (#12352034)

Just to be known, if you have the proper equipment, you can indeed send out a spoofed Caller ID tag. The Caller ID tag is not guaranteed to be the exact number that the person is calling from. Large companies often mask their internal numbers with one main one that anyone receiving a call could use to reach the main operator. To do so for more nefarious purposes could be done, but the trick is that, in order to truly fool a person, they have to mimic a voice as well. This is what would typically trip up someone seeking to do phishing on that level, even though it is still done to acquire username/password information if you act official enough.

Re:I see their point, but... (2, Funny)

Anonymous Coward | more than 9 years ago | (#12352108)

Yeah. I was kind of suspicious when that banker who called me had a Nigerian accent. But he offered me so much money to help him, that I figured it was OK.

Re:I see their point, but... (2, Informative)

Foz (17040) | more than 9 years ago | (#12352151)

It's a hell of a lot easier to spoof a Caller ID tag than you are leading on. I routinely get fax blasters calling me from bogus numbers like "987-654-3210" (yeah, like THAT isn't obvious, sheesh). Requires no specialized equipment at all on your part.

You have places like http://www.spooftel.com/ [spooftel.com] and http://www.covertcall.com/ [covertcall.com] (tons more can be found by googling) that easily allow this (caveat, I haven't actually TRIED any of the above, they may be completely bogus).

-- Gary F.

Re:I see their point, but... (1)

argStyopa (232550) | more than 9 years ago | (#12351962)

signed,
George.W.Bush@whitehouse.gov

Spoofing on Campus... (1)

BalorTFL (766196) | more than 9 years ago | (#12352063)

is apparently not as accepted as you think. Many places will mete out surprisingly harsh penalties to people who spoof email as a prank. In fact, whenever there's a computer involved, the authorities tend to crack down much harder on insignificant offenses. Suddenly, it's not a joke email, it's a "forged document", "computer misconduct", "violation of university policy", and second-degree mansla... Err, wait... nvm.... yeah... anyway, it's bad.

Re:I see their point, but... (1)

The Angry Mick (632931) | more than 9 years ago | (#12352089)

spoofed email can come from *anywhere*

I am George W. Bush, and I approved this message...

Re:I see their point, but... (1)

alanlke (685520) | more than 9 years ago | (#12352116)

And if it's strictly "legal" for any random person to spoof a from address, it's just as legal for the purposes of research, whose findings may provide some level of insight on *protecting* people from malicious phishing.

I agree with you that the experiment was probably not illegal, but the logic you used doesn't stand up. It is strictly "legal" for me to use a pseudonym with my friends, family, even strangers. If, however, I use a pseudonym to the purpose of committing a fraud, my action is illegal.

The real legal question here is whether the total content of the email was tortious or criminally fraudulent; the spoofed from address is merely an element to be considered.

5 bucks says... (0, Redundant)

tmleafsar (866698) | more than 9 years ago | (#12351801)

...the school throws a fit and disciplines them.

Re:5 bucks says... (2, Informative)

Anonymous Coward | more than 9 years ago | (#12351841)

You lose. Their Ethics board cleared the experiment.

Re:5 bucks says... (0)

Anonymous Coward | more than 9 years ago | (#12351894)

Why does he lose? He didn't say he wanted them to be disciplined.

Your slashdot session has expired (4, Funny)

Anonymous Coward | more than 9 years ago | (#12351810)

please reply to this message with the following information:

Nickname:
Password:

Re:Your slashdot session has expired (0)

Anonymous Coward | more than 9 years ago | (#12351900)

Nickname: Anonymous Coward
Password:

Re:Your slashdot session has expired (3, Funny)

acoustix (123925) | more than 9 years ago | (#12351908)

acoustix
passw.....wait a second!

DAMN YOU!

Re:Your slashdot session has expired (1)

Rosco P. Coltrane (209368) | more than 9 years ago | (#12351982)

Oh, so your password is "DAMN YOU!" is it?

Re:Your slashdot session has expired (3, Funny)

varmittang (849469) | more than 9 years ago | (#12351916)

Nickname: IP
Password: Freely

Re:Your slashdot session has expired (3, Funny)

Anonymous Coward | more than 9 years ago | (#12352047)

go go gadget bash.org!

<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.

http://bash.org/?244321

Re:Your slashdot session has expired (2, Funny)

Cro Magnon (467622) | more than 9 years ago | (#12352050)

Nickname: Cro Magnon
Password: ********

Re:Your slashdot session has expired (1)

IdleTime (561841) | more than 9 years ago | (#12352130)

Hey! hey!!!

That is MY password!
I always use asterisks for my password, so easy to remember.... ooopps!

Your Amazon session has expired (0)

Anonymous Coward | more than 9 years ago | (#12352094)

The funny thing about this story is I've been trying to sign up for Amazon's "book browse" service. Of course they want a valid credit card with all the info. e.g. billing, shipping, etc. Privacy violation plus if anyone hacks Amazon, well...

Re:Your slashdot session has expired (0)

Anonymous Coward | more than 9 years ago | (#12352111)

Nickname: CmdrTaco
Password: 1337h4x0r

Here's a great web site for 'ya .. (-1, Redundant)

xmas2003 (739875) | more than 9 years ago | (#12351812)

It has the latest news for nerds. [slashdot.org]

Discipline?! (2, Insightful)

PunkOfLinux (870955) | more than 9 years ago | (#12351823)

They did nothing wrong!!

Re:Discipline?! (0)

Anonymous Coward | more than 9 years ago | (#12352128)

This gets +1 insightful? Oh my aching brain.

forged headers (5, Informative)

doormat (63648) | more than 9 years ago | (#12351824)

"I was frustrated that I was hearing from a friend that my e-mail account was sending her things,"

Spam can come from anyone - it's not too hard to forge the "FROM" line on an email. I'd hardly call it abuse of your account when spammers do it all the time.

Re:forged headers (0)

Anonymous Coward | more than 9 years ago | (#12351863)

just because a lot of people do it all of the time does mean it is not abuse. It just means that it is widespread abuse.

Re:forged headers (1)

XxtraLarGe (551297) | more than 9 years ago | (#12351876)

That's true, but people typically expect academic research to have some sort of ethical guidelines which this study seems to have crossed.

RTFA.... (5, Informative)

YankeeInExile (577704) | more than 9 years ago | (#12352032)

... to find that they did this experiment under the oversight of the university's Human Subjects Committee.

If that doesn't sound like some sort of ethical guidelines I don't know what does.

Re:forged headers (1)

pclminion (145572) | more than 9 years ago | (#12352048)

That's true, but people typically expect academic research to have some sort of ethical guidelines which this study seems to have crossed.

It was cleared by the research ethics body.

Re:forged headers (0)

Anonymous Coward | more than 9 years ago | (#12352052)

That's true, but people typically expect academic research to have some sort of ethical guidelines which this study seems to have crossed.

Well, they did get approval from the ethics committee, which normally deal with far more dangerous studies in the medical field.

And by getting approval, they pass the buck!

Re:forged headers (1)

Jim74 (769103) | more than 9 years ago | (#12352009)

Spam can come from anyone - it's not too hard to forge the "FROM" line on an email. I'd hardly call it abuse of your account when spammers do it all the time.

And what spammers do is not abuse? Just because it is simple to do or many people do it does not mean it is not abuse. And I would definitely not be expecting my service provider or university to be spoofing my e-mail address. To me that is a form of character defamation or identity fraud.

I would imagine.. (2, Insightful)

breakbeatninja (846922) | more than 9 years ago | (#12351837)

That regardless of the intent, this sort of conduct is at the very least considered immoral and possibly bordering on illegality. It sounds like fraud to me. Simply posing as someone else to get certain private information seems innocent enough if the goal is to warn their fellow students of their vulnerability to social engineering, since the weakest link in computer security is the person. I would imagine they are going to feel some heat from the university at the very least for this, though.

Re:I would imagine.. (0)

sp5 (867987) | more than 9 years ago | (#12351909)

That regardless of the intent, this sort of conduct is at the very least considered immoral and possibly bordering on illegality.

This is definitely illegal. It's analogous to breaking and entering, or stealing a car and saying you were just testing the security. Yah, right! Tell it to the judge...

-sp-

Re:I would imagine.. (0)

Anonymous Coward | more than 9 years ago | (#12352097)

This is definitely illegal. It's analogous to breaking and entering, or stealing a car and saying you were just testing the security. Yah, right! Tell it to the judge...

Not as illegal as being criminally stupid -
which is what you are.
Please learn to read.

Re:I would imagine.. (2, Funny)

Pansy (10091) | more than 9 years ago | (#12352175)

Spoken like someone with a 6-digit UID :P

Re:I would imagine.. (1)

rtaylor (70602) | more than 9 years ago | (#12351943)

"Simply posing as someone else to get certain private information..."

Except that they're now posing as students doing research because they were caught phishing for information.

Next time you break into a bank and get caught while inside the vault just tell the cops you were testing the security system without the banks knowledge, but intended to give a full report later on.

Re:I would imagine.. (3, Funny)

YankeeInExile (577704) | more than 9 years ago | (#12352072)

So, they magically went back in time to get approval from the ethics committee after getting caught? Shit -- fuck the write-up on the phishing -- describe the time machine!

Re:I would imagine.. (0)

Anonymous Coward | more than 9 years ago | (#12352113)

Except that they're now posing as students doing research because they were caught phishing for information.

At least they weren't posing as someone who has
a brain cell, which is what you are doing.
Please learn to read.

Heh (4, Funny)

Otter (3800) | more than 9 years ago | (#12351849)

[T]he researchers have created a blog where the participants can vent.

This would make a nice change from the usual celebrity-in-trouble "apologies", where they go on the Tonight Show, bite their lips and look downcast and assure us "I'm very, deeply, truly sorry..."

Instead we can get, "Jay, I have created a blog where people can vent."

Study extension (4, Funny)

Rosco P. Coltrane (209368) | more than 9 years ago | (#12351851)

Two graduate students at Indiana University conducted a phishing study to determine how readily students will give up personal information

After such a successful research on phishing, our two friends have decided to tackle a new study: test how much load e-commerce sites can handle, and how much money ATMs can usually deliver on any given day.

Re:Study extension (1)

Minute Work (749085) | more than 9 years ago | (#12351992)

I would love to participate in this new study. Please provide me with your bank account numbers and I will deposit all of my Nigerian assets into your accounts.

-Prince Azoo III

Re:Study extension (1)

kwieland in stl (830615) | more than 9 years ago | (#12352080)

Or how well the website holds up to a /.

shades of Randal Schwartz at Intel (0, Offtopic)

Anonymous Coward | more than 9 years ago | (#12351857)

While teaching a course on Perl, the co-author of O'Reilly's "Learning Perl" book ran the Crack program on Intel's password files, hoping to use the info to bid on a contract. Instead, Intel turned him in to the police and he spent years trying to clear his name.

One VP had the following password: Pre$ident.

well (2, Funny)

Anonymous Coward | more than 9 years ago | (#12351858)

people are stupid. film at 11.

How legal is this... my spin on it all (-1, Flamebait)

John Seminal (698722) | more than 9 years ago | (#12351872)

The hackers, graduate students Tom Jagatic and Nate Johnson, conducted an e-mail experiment last week that has outraged some students and raised important questions about privacy and the public sphere. Using information gleaned from publicly available sites on the Internet, Jagatic and Johnson sent e-mails to students seemingly from e-mail addresses familiar to the students. For example, Bob@indiana.edu would receive an e-mail from his girlfriend Alice@indiana.edu. The subject would boast, "This is cool!" and the e-mail would be signed, "Alice."

The body of the e-mail instructed, "Hey, check this out!" and provided a link on the IU server that prompted students to provide their username and password. The e-mails were not actually sent from the e-mail accounts they seemed to originate from.

I am pretty sure this is illegal. It is like going to a bank with a note that says "I have a gun, give me all your money", then publishing the results as a study.

"It was deceptive, (but) there was no other way to conduct the study," said Filipo Menczer, an associate professor of Informatics and computer science. The study was conducted by Jagatic and Johnson as part of Menczer's graduate-level Web mining course offered through the School of Informatics. Associate Professor of Informatics Markus Jakobsson was the faculty adviser for the study.

"We feel very bad that the students feel violated," Menczer said. "That doesn't mean it was unethical or illegal."

Who wants to make a bet that this professor is gonna get it from *someone*??

Because of the ethical issues associated with deception, Jagatic and Johnson had to obtain permission from the Human Subjects Committee, which approves experiments on campus that involve humans and ensures studies are ethical and do not violate participants' privacy.

HUH?? I had to re-read that three times. This is better spinning than Fox News. The Human Subjects Committee is designated with protecting student privacy. And the first thing they do is???

The second part was more complicated. In most experiments, subjects must give informed consent to participate. But because the phishing study tests responses to e-mails from close friends or acquaintances -- what the study calls a person's "social network" -- it was important to keep an element of secrecy, Menczer said. So the Human Subjects Committee allowed the actual phishing attack to run without informed consent from the subjects.

I know this is going off topic, but this reminds me of the LSD studies the CIA did in the late 70's.

This professor should be fired, and he along with the students should be prosecuted. They lied. They could have done 100 different studies to make a network more secure. But they chose to study deception by deceiving.

Re:How legal is this... my spin on it all (3, Insightful)

demondawn (840015) | more than 9 years ago | (#12351918)

Graah! Why is the solution to everyone's problem with academia "fire the professor"? Your analogy to robbing a bank is a false one; nothing was actually stolen in this project. I think you, and a lot of other people, are overreacting.

Re:False analogy (0)

Anonymous Coward | more than 9 years ago | (#12351996)

Present a note to the bank teller saying you have a gun and do NOT want anything but for her to have a nice day. Even though you do not have a gun and have not stolen anything, you will find what happens next to be very interesting. Try it.

You don't need to steal anything or do anything in order to break the law. The fact that you posed a false threat is sufficient, in many circumstances, to entitle you to a thorough familiarization with a night stick and quite possibly a tazer.

What was stolen? Ignorance & naivete (2, Insightful)

G4from128k (686170) | more than 9 years ago | (#12352087)

Your analogy to robbing a bank is a false one; nothing was actually stolen in this project.

Something was stolen from the unwitting student/participants. They lost their ignorance of the sad state of the internet's infrastructure. This "experiment" created a harsh wake-up call that e-mail is not a trustworthy medium.

SMTP was never designed for an open environment with untrustworthy users. It was designed for collegial academic networks with funding from people that run closed military networks.

Why is the solution to everyone's problem with academia "fire the professor"

I agree 100%, but shooting the messenger is an age-old solution. People prefer a comforting falsehood (email is trustworthy) to a harsh reality.

Re:How legal is this... my spin on it all (1)

DeathFlame (839265) | more than 9 years ago | (#12351964)

I doubt that sending an email with a spoofed "From" email address is illegal. It's not like your analogy at all, it's more like someone dressing up as your friend, meeting you at the bank and asking you for your card and your pin number to show you something "cool". Just because it could harm you doesn't make it illegal. And your bit about privacy? Well, they obtained everything from the public domain. They didn't do anything anyone else, who could have actually exploited these people, couldn't have done. I think you're silly for thinking the professor should be fired and the students prosecuted.

Re:How legal is this... my spin on it all (2, Insightful)

Anonymous Coward | more than 9 years ago | (#12352000)

I know this is going off topic, but this reminds me of the LSD studies the CIA did in the late 70's.

Except there's a large line between giving someone chemicals that could very easily be toxic, or at least cause significant health problems, and seeing if people will input private data that the study authors won't use anyway.

And disciplining the professor or the students in this instance is absolutely insane. The entire point of having a "Human Subjects Committee" oversight board is to allow the university to make these kinds of decisions. Furthermore, I'm still not clear what they did that would qualify as illegal. If spoofing email addresses is a serious crime, there's a lot more people that should be in jail (and it would be massively easier to convict spammers); it's likely that phishing for personal data is only illegal if you actually collect the data, which it appears they didn't (it did a check to see if it was valid, but they don't indicate that the password itself was saved).

Do some students feel used? Sure... but there doesn't seem to be any real harm done, and it's impossible to actually get an idea of how to deal with the problem of real phishing attempts if you can't get a sense of how many normal people actually fall for what types of things.

Re:How legal is this... my spin on it all (0)

Anonymous Coward | more than 9 years ago | (#12352019)

If you're stupid enough to give out information without verifying who you're giving it to and why it's needed, that's your own damn fault. People want to bitch about making things like this illegal, but there's no right to government ass-wiping.

Let's see...*RING RING*
"Hello?"
"Anonymous? Anonymous Coward??? Is that you? How the hell are you?!!! I haven't heard from you in a long time! This is Phred Phisher!"
"Hi Phred, great, how are you?? You sound a little different..."
"Yeah, I got a cold. Hey, can I have your account information?"
"Sure, no problem! Here you go!"
"Thanks, bye!"
".............."

If you think they should be arrested for my stupidity, you're missing a few cards.

Research Finds 99% Of College Students Are Idiots! (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12351874)

New research, published today, found that 99% of college students are idiots. In fact, the study found that the vast majority of college students were complete and utter morons. Further study will be required to confirm the obvious. Film at eleven.

Heh (0)

Have Blue (616) | more than 9 years ago | (#12351877)

It would have been interesting if they tried to "phish" a tech-savvy student who noticed the forged headers and reported the researchers to campus authorities as fraudsters. Would "we're only conducting a study" be accepted as a defense? (And if it was, would it be adopted by real phishers in the future?)

Re:Heh (1)

YankeeInExile (577704) | more than 9 years ago | (#12352088)

Well, I think it would be a perfectly reasonable defense, since you have in your hand the signed permission from the ethics committee.

Re:Heh (0)

Anonymous Coward | more than 9 years ago | (#12352105)

If you read the article, you'd know the authorities had approved it.

Re:Heh (0)

Anonymous Coward | more than 9 years ago | (#12352138)

Would "we're only conducting a study" be accepted as a defense?

No more so than 'not reading the article' serves
as your defense. They had permission, dumbass.

Re:Heh (1)

TheGavster (774657) | more than 9 years ago | (#12352160)

The response from IT was more along the lines of, 'yeah, some people are doing a study. Congratulations, you weren't duped.'

Look where they're from (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12351880)

They're IU students... what do you expect? ;)

You would think... (2, Insightful)

demondawn (840015) | more than 9 years ago | (#12351882)

That people would be a little more mature about this; viruses and other malicious software can (and often do) get sent from friends' email addresses (how many viruses are there that read someone's Outlook Address Book?) I think people are being a little naive.

Shakespeare? (0)

Anonymous Coward | more than 9 years ago | (#12351895)

You can't take this article seriously when the main person they interviewed was named "Shakespeare"....

Re:Shakespeare? (1)

Rosco P. Coltrane (209368) | more than 9 years ago | (#12351942)

You can't take this article seriously when the main person they interviewed was named "Shakespeare"....

Alack, 'tis he: why, he was met even now
As mad as the vex'd sea; singing aloud

a license? (2, Insightful)

cryptoz (878581) | more than 9 years ago | (#12351901)

This reminds me of old debate about requiring a license to use the internet. The pros being obvious: stupid/ignorant people would not be allowed to open viruses any longer, etc. The cons being that the internet is currently a free, open medium with few restrictions on what can be said/shown.

Re:a license? (1)

McGiraf (196030) | more than 9 years ago | (#12352025)

Well, with so much business using the web now it's become impossible to do that. Imagine the lost revenues for AOL, Amazon, Google etc. $1 from an idiot is worth the same as $1 from anybody else, and is probably easier to get.

My Friends (2)

Mintee (465975) | more than 9 years ago | (#12351917)

Are so scared of everything, they won't even give out their information to sign up for a service like netflix. It's absurb.

Hey (2, Funny)

Anonymous Coward | more than 9 years ago | (#12351970)

How'd you get your d to go backwards?

Oh wait.

Well done... (4, Insightful)

Yaa 101 (664725) | more than 9 years ago | (#12351923)

I think it's good to let students (future scientists, decision makers etc...) feel what it means to be part of socially constructed fraud... Mainly because this will get worse and worse over time; you see how many database leaks with high profile personal data have taken place lately. People have to learn ways around all this identity theft, and the only way is to confront them with the consequences of it all.

Harm was still done (1)

gcauthon (714964) | more than 9 years ago | (#12351944)

In a phishing attack there are a couple ways in which the user's identity is compromised. The first and most obvious is that the attacker, in this case a friendly IT worker, now has your credentials. The second way, is that now your credentials are quite possibly cached/stored somewhere that can be more easily hacked. How do they know someone didn't piggy-back off their hacked together phishing script and now they're planning something malicious. Once you tap into a secure channel you can create a lot of holes in no time. If nothing else, just the list of duped usernames could be extremely valuable.

Ethics (3, Insightful)

Datasage (214357) | more than 9 years ago | (#12351945)

A lot of the comments on the blog complained that the study was unethical because the participants didn't know they were part of the study.

My two reasons why I think it couldnt have been done any other way.

1. This study focuses on deception and how people react when they are deceived.

2. Telling the participants they were a part of a study, or asking them to be part of it, would affect the behavior of the participants and therefore change the study results.

As long as the information was not used in any illegal way, then I don't find a problem with how this experiment was conducted. Yes, it sucks to get phished, but it's better to be phished by these guys than by the hundreds of other phishers who are out there to turn phishing into financial gain.

Facebook. (1)

jeffkjo1 (663413) | more than 9 years ago | (#12351948)

This is exactly, 100%, the reason I don't have a facebook account. My friends can social interweb link themselves to everyone in the world to their hearts content, but if you want to track me down, I'm not going to unlock my door and put a huge sign on my lawn saying 'come on in and steal my TV.'

In other news (2, Funny)

Aumaden (598628) | more than 9 years ago | (#12351953)

In other news [indiana.edu] , Indiana University students found to be whiners.

Oh the brainsss! (3, Funny)

atari2600 (545988) | more than 9 years ago | (#12351994)

"I feel betrayed and offended"

Someone posted that on the blog. I think he/she should feel foolish rather than feel betrayed. Or that should be read as "I am so fucking dumb that i cannot believe i did what i did".

Re:Oh the brainsss! (4, Insightful)

remahl (698283) | more than 9 years ago | (#12352134)

That could easily be said for other experiments that have been challenged on ethical grounds. Sometimes experiments find things about ourselves we'd rather not know.

For example, the Milgram experiment [wikipedia.org] , where participants were mildly coerced by an authoritative person to administer strong electrical shocks to a subject (who was really an actor). A high proportion of the participants were willing to administer levels of shock that they believed to be lethal.

Would you like to know that you would be capable of murder as long as someone else was there to take the responsibility/blame? Even if the person in the quoted blog post should feel foolish, that does not make the experiment ethical and non-offensive - quite the opposite.

study successful (4, Interesting)

BroadwayBlue (811404) | more than 9 years ago | (#12352037)

"It's kind of ridiculous," she [Junior Lisa Aigner] said. "It's just the fact that a group supposedly affiliated with (the University) ... kind of took my trust and threw it out the window."

Welcome to the internet; trust no one. I hope more people got the message.

This was all done with official blessings (0)

Anonymous Coward | more than 9 years ago | (#12352053)

A closer reading reveals that these are not two rogue students, but were supervised under faculty and had the consent of the human subjects committee for the experiment. The students had their legal bases covered months before executing the experiment. Request Human Subject Study #05-9893, #05-9892 reports for details.

reportphishing@antiphishing.org (2, Informative)

jago25_98 (566531) | more than 9 years ago | (#12352055)

For reference, send phish email you've received to

reportphishing@antiphishing.org

( from http://www.antiphishing.org/report_phishing.html )

The More Attention This Gets, The Better (0, Redundant)

TIMxPx (859220) | more than 9 years ago | (#12352075)

I think it's pretty clear to everyone that these students didn't follow proper procedure for research studies. When I did human experimental research, I had to have my research proposal approved by the Institutional Review Board at my college.

That being said, I hope this gets tons of media coverage. People should be talking about this at home, at work, at school, everywhere. I'm constantly having to tell friends and relatives not to enter any personal information into a computer without knowing where it's going to end up. People just don't get it, and maybe they will if they're scared about the things that could happen because of their carelessness, including financial losses and risks to personal safety.

Re:The More Attention This Gets, The Better (4, Informative)

pclminion (145572) | more than 9 years ago | (#12352091)

I think it's pretty clear to everyone that these students didn't follow proper procedure for research studies. When I did human experimental research, I had to have my research proposal approved by the Institutional Review Board at my college.

That's precisely what they did. The whole thing was authorized from top to bottom. They even got the okay from campus IT to "abuse" the computer systems for their purposes. Try RTFA sometime.

Re:The More Attention This Gets, The Better (2, Informative)

TIMxPx (859220) | more than 9 years ago | (#12352112)

It appears that the experimenters did have some clearance, after RTFA. Perhaps they didn't follow the plan, didn't disclose all of the information to the review board, or the board didn't understand the nature of the project?

Erg. I'd love to see... (1, Interesting)

Niet3sche (534663) | more than 9 years ago | (#12352150)

the IRB Human Subjects form. This was a deception study, clearly. The fact that this was so is fine, but running things like this past IRB requires a strict and rigid understanding between the PIs and the IRB. Also, AFAIK, provisions must be made for "repairing" anyone who is damaged by the research - even if it is incidental (e.g. your research was only "the last straw").


I'd like to see the IRB form to determine how things are done at IU. Without seeing the form, I really cannot comment on whether what was done was "ethical" or not. It is a blisteringly simple experiment, and if they can get a paper out of it, it'd be what we call "low-hanging fruit".


However, if no IRB approval was received, then this is an entirely different matter. IRB approval == crap hits IRB if things go horribly wrong. No IRB approval == crap hits PIs and all associated if things go horribly (or publicly) wrong.


Hopefully the forms were filled out.

Any college age person who is fooled by an email o (3, Funny)

TheIndefiniteArticle (878123) | more than 9 years ago | (#12352153)

Any college age person who is fooled by an email of the described type deserves a swift kick in the ass.