
More phish out there than we thought

Barnum spins in grave as 14% of those targeted take the bait

April 25, 2007 12:00 PM ET

Network World - Phishers might be getting takers on as much as 14% of their trick messages -- a much higher percentage than previous estimates by network security watchers, according to a University of Indiana study.

The university's School of Informatics simulated phishing attacks on eBay customers because they are a popular target of online scams. The simulated attacks were conducted as part of research summarized in "Designing Ethical Phishing Experiments: A study of (ROT13) rOnl query features" (PDF format).

The researchers contextualized their findings about a surprisingly high number of phishing victims by noting that other research, such as a Gartner Inc. report that says about 3% of American adults are successfully targeted, might not take into sufficient account the number of people who won't admit to being duped.

"Our goal was to determine the success rates of different types of phishing attacks, not only the types used today, but those that don't yet occur in the wild, too," according to a statement by Markus Jakobsson, associate professor of informatics at Indiana University and an associate director of the school's Center for Applied Cybersecurity Research. (He's also behind a new company exploiting cookie technology to protect Web users from identity theft and other online threats.)

As for the simulated attacks used in the research, users received e-mail, appearing to be legitimate, that included an eBay link. Recipients who clicked on the link were indeed directed to eBay, but the researchers were also notified. The researchers say all they received was the log-in notification, not log-in information that real phishers covet, such as a password. The research was reviewed and OK'd in advance by a committee at the school that reviews the ethics of studies involving human subjects.

The research included a look at spear phishing, which involves messages that appear to be from a friend or another trusted e-mail correspondent. These messages typically included personal information, such as an eBay username, that would make them seem legit.

"We think spear phishing attacks will become more prevalent as phishers are more able to harvest publicly available information to personalize each attack," said Indiana researcher Jacob Ratkiewicz, in a statement. "And there's good reason to believe that this kind of attack will be more dangerous than what we're seeing today."

Many vendors are trying to address the phishing problem. Even the next version of Microsoft's Internet Explorer browser is set to include a phishing filter.


Reprinted with permission from

For more information about enterprise networking, go to NetworkWorld.com
Story copyright 2009 Network World, Inc. All rights reserved.
