More phish out there than we thought
Barnum spins in grave as 14% of those targeted take the bait
April 25, 2007 12:00 PM ET
Network World - Phishers might be getting takers on as much as 14% of their trick messages -- a much higher percentage than previous estimates by network security watchers, according to a University of Indiana study.
The university's School of Informatics simulated phishing attacks on eBay customers because they are a popular target of online scams. The simulated attacks were conducted as part of research summarized in "Designing Ethical Phishing Experiments: A study of (ROT13) rOnl query features" (PDF format).
The researchers contextualized their findings about a surprisingly high number of phishing victims by noting that other research, such as a Gartner Inc. report that says about 3% of American adults are successfully targeted, might not take into sufficient account the number of people who won't admit to being duped.
"Our goal was to determine the success rates of different types of phishing attacks, not only the types used today, but those that don't yet occur in the wild, too," according to a statement by Markus Jakobsson, associate professor of informatics at Indiana University and an associate director of the school's Center for Applied Cybersecurity Research. (He's also behind a new company exploiting cookie technology to protect Web users from identity theft and other online threats.)
As for the simulated attacks used in the research, users received e-mail, appearing to be legitimate, that included an eBay link. Recipients who clicked on the link were indeed directed to eBay, but the researchers were also notified. The researchers say all they received was the log-in notification, not log-in information that real phishers covet, such as a password. The research was reviewed and OK'd in advance by a committee at the school that reviews the ethics of studies involving human subjects.
The research included a look at spear phishing, which involves messages that appear to be from a friend or another trusted e-mail correspondent. These messages typically included personal information, such as an eBay username, that would make them seem legit.
"We think spear phishing attacks will become more prevalent as phishers are more able to harvest publicly available information to personalize each attack," said Indiana researcher Jacob Ratkiewicz, in a statement. "And there's good reason to believe that this kind of attack will be more dangerous than what we're seeing today."
Many vendors are trying to address the phishing problem. Even the next version of Microsoft's Internet Explorer browser is set to include a phishing filter.
Reprinted with permission from
Story copyright 2009 Network World, Inc. All rights reserved.