2007 May 25 - Fri

Phishers can use social Web sites as bait to net victims: Informatics study Indiana University (05/24/07)

Personally, I've been able to identify phishing emails as they arrive, and promptly delete them. Indeed, some are quite tempting and realistic, but if one looks at the links closely, the imposters can be separated from the real thing.

If there is ever any confusion, I'll go the source directly, bypassing the link, and type in the correct link directly.

An ACM Newsletter speaks of a study that show that separating the wheat from the chaffe is becoming more difficult. Here is what they say:

Popular social network sites such as Facebook and MySpace are being used by cybercriminals to gather personal information to create targeted phishing attacks, according to Indiana University School of Informatics researchers. In their study, "Social Phishing," the researchers established a baseline for the success rate of traditional and social network-based phishing attacks. Phishers steal personal information by sending authentic looking requests, either by email or instant messaging, asking someone to click on a link and submit their information on what looks like a legitimate Web site. "Phishing has become such a prevalent problem because of its huge profit margins, ease in launching an attack, and the difficulty of identifying and prosecuting those who do it," says associate professor of informatics and computer science Filippo Menczer. "Our study clearly shows that social networks can provide phishers with a wealth of information about unsuspecting victims." The study sent email messages to two groups of students asking them to enter their university ID and password. One group received an email from what they thought was a friend, while the other group received an email from a stranger. Only 16 percent of students who received an email from a stranger entered their information, while 72 percent of those receiving emails from "friends" gave away their information. Associate professor of informatics and member of the research team Markus Jakobsson says they were astonished by the 72 percent response rate. The researchers suggested some countermeasures to prevent phishing, including digital signatures on emails to verify the source, browser toolbars that alert users to spoofing attempts, spam filters that detect spoofed emails, and providing users with a secure path to enter passwords, alerting users that they are trying to authenticate to an unknown site. The study is scheduled to be published in the October 2007 issue of Communications of the ACM.

The full article can be found at the Indiana University.

[/Personal/Technology] permanent link