Wednesday, April 8
The Indiana Daily Student

Students go 'phishing' for user info

Research technique used to show ease of login, username theft

For students duped by a bogus e-mail claiming to be from the IU server, two students at the School of Informatics have a message: You've been spoofed by fictitious identity hackers.

The hackers, graduate students Tom Jagatic and Nate Johnson, conducted an e-mail experiment last week that has outraged some students and raised important questions about privacy and the public sphere. Using information gleaned from publicly available sites on the Internet, Jagatic and Johnson sent e-mails to students seemingly from e-mail addresses familiar to the students. For example, Bob@indiana.edu would receive an e-mail from his girlfriend Alice@indiana.edu. The subject would boast, "This is cool!" and the e-mail would be signed, "Alice."

The body of the e-mail instructed, "Hey, check this out!" and provided a link on the IU server that prompted students to provide their username and password. The e-mails were not actually sent from the e-mail accounts they seemed to originate from.

"It was deceptive, (but) there was no other way to conduct the study," said Filippo Menczer, an associate professor of Informatics and computer science. The study was conducted by Jagatic and Johnson as part of Menczer's graduate-level Web mining course offered through the School of Informatics. Associate Professor of Informatics Markus Jakobsson was the faculty adviser for the study.

"We feel very bad that the students feel violated," Menczer said. "That doesn't mean it was unethical or illegal."

The purpose of the study was to act as a sort of public service announcement, warning students about how to protect themselves from identity theft -- or "phishing" -- on the Internet.

"They could have stolen these people's identities," Menczer said, adding the study did not actually obtain any personal information that was not already available in the public domain. "These things really happen. We are trying to be one step ahead of the bad guys to try to figure out what kind of dangers (are) ahead."

Because of the ethical issues associated with deception, Jagatic and Johnson had to obtain permission from the Human Subjects Committee, which approves experiments on campus that involve humans and ensures studies are ethical and do not violate participants' privacy. Jagatic and Johnson met with the committee repeatedly through the semester and obtained permission for two separate parts of their experiment, Menczer said. The first part allowed them to "mine" the Internet for information about people as long as it was obtained from the public sphere.

The second part was more complicated. In most experiments, subjects must give informed consent to participate. But because the phishing study tests responses to e-mails from close friends or acquaintances -- what the study calls a person's "social network" -- it was important to keep an element of secrecy, Menczer said. So the Human Subjects Committee allowed the actual phishing attack to run without informed consent from the subjects.

"Let's say you want to study if people will help you if you have a heart attack in the middle of the street," Menczer said. "This is the same circumstance. There is no way this study could be conducted if the potential subjects were aware of what was going on."

But some students are upset they were involved in the study without their consent or knowledge. Senior Rebecca Shakespeare did not even know she had been used as a sender until her friend notified her.

"I was frustrated that I was hearing from a friend that my e-mail account was sending her things," Shakespeare said. "I had no idea where it was coming from. I was irritated because I was concerned that my home system was being abused."

Shakespeare called University Information Technology Services, which said it could have been a virus and to not click on the link.

"I've spent a lot of time keeping my (computer) secured," Shakespeare said. "I feel kind of used that it was the University that was making my friends think I had opened up my system to viruses."

Shakespeare received an e-mail Sunday from Jagatic and Johnson that explained her involvement in the study and provided the address of a blog created specifically to provide a forum for students involved in the study. The site, www.indiana.edu/~phishing/blog/, lists more than 40 comments -- some grateful that they have learned about phishing, but most were furious. Some comments threaten legal action, such as a comment posted at 10:51 p.m. Sunday that says the student will seek "legal counsel from professors on campus to further investigate this and seek a case for research misconduct."

Junior Lisa Aigner said although she understands the purpose of the study, she feels Jagatic and Johnson should have been more forthcoming about the e-mails.

"It's kind of ridiculous," she said. "It's just the fact that a group supposedly affiliated with (the University) ... kind of took my trust and threw it out the window."

-- Contact Staff Writer Colleen Corley at ccorley@indiana.edu.
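The article's central point is that the messages "were not actually sent from the e-mail accounts they seemed to originate from": the visible From address was a friend's, but the envelope sender and mail path were not. The following is an added example, not code from the article or from the researchers' study, showing how a mail administrator could flag that kind of sender spoofing from message headers alone. It assumes a protected domain of `example.edu` and that the inbound gateway stamps an `Authentication-Results` header; both sample messages are constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Domain whose users we are protecting (assumed value for this example).
INTERNAL_DOMAIN = "example.edu"

# Pulls mechanism=result pairs such as "spf=fail" out of Authentication-Results.
_AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def _domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def spoofing_indicators(raw_message):
    """Return reasons the visible sender of a message should not be trusted.

    Header-only heuristics, nothing is fetched or clicked:
      * From claims the internal domain but SPF/DKIM/DMARC did not pass
      * Return-Path (envelope sender) domain differs from the From domain
      * Reply-To points at a different domain than From
    An empty list means none of these indicators fired.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    from_dom = _domain(msg.get("From"))
    if from_dom == INTERNAL_DOMAIN:
        auth = str(msg.get("Authentication-Results", ""))
        results = {m.lower(): r.lower() for m, r in _AUTH_RESULT.findall(auth)}
        for mech in ("spf", "dkim", "dmarc"):
            verdict = results.get(mech, "none")
            if verdict != "pass":
                reasons.append(f"{mech}={verdict} although From is in {INTERNAL_DOMAIN}")

    rp_dom = _domain(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        reasons.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    return reasons


# Constructed sample: From shows a friend's internal address, but the envelope
# sender and authentication results show it came from elsewhere.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=mailer.invalid; dkim=none
From: Alice <alice@example.edu>
To: Bob <bob@example.edu>
Subject: This is cool!

Hey, check this out!
"""

# Constructed sample: genuinely sent through the organisation's own mail system.
LEGIT_MESSAGE = """\
Return-Path: <alice@example.edu>
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=example.edu; dkim=pass header.d=example.edu; dmarc=pass
From: Alice <alice@example.edu>
To: Bob <bob@example.edu>
Subject: lunch?

Noon at the union?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, spoofing_indicators(raw) or "no indicators")
```

The check deliberately stays on the receiving side: it never follows the link in the body, and it treats a missing authentication result the same as a failed one, because a message whose From lies inside the organisation should always have been authenticated by the organisation's own gateway.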
