Student warns of new phishing methods

As the ever-expanding age of the Internet develops further, so do the problems, such as identity theft and computer viruses, that accompany it. University Information Technology Services provides IU students with information about security and even free anti-virus software for IU students on its Web site. \nNow, however, even that might not be enough protection for users. \nAlex Tsow, a graduate student of computer science, has conducted research that shows students should not only be wary of suspicious "phishing" e-mails, but also of hardware that can perpetuate the attacks. \nPhishing is a method of identity theft in which a created Web site mimics a legitimate company's and deceives the user into providing his or her personal information, Tsow said. \nTsow presented his research, titled, "Phishing with Malicious Consumer Electronics," Tuesday to fellow students. The presentation focused on a new type of phishing attack that employs the use of a home router. \nTsow explained how hackers and people with working knowledge of routers are able to buy a router and then change the internal settings so that it connects to different Web sites in order to obtain restricted information for identity theft and steal money. \nTsow has been working on this project with Markus Jakobsson, associate professor of Informatics, for about a month. \nAs part of his research, Tsow bought a router and altered its internal settings to misdirect the user from eBay.com to that of the Anti-Phishing Working Group Web site, www.antiphishing.org. Though the router successfully misdirected the user to the new site, the address still appeared as www.ebay.com in the URL bar. \nTsow said once a router's settings have been changed, it is referred to as a compromised router.\n"Anti-virus programs check your computer's memory and hard drive. They have no access to the router, so it isn't checked," Tsow said. \nSome compromised routers are even more difficult to detect because the attacker can revert the router to its original settings, which removes evidence of an attack having taken place, Tsow said. \n"It only takes a few minutes to change the settings on a router," he said. "I could probably do around 20 per hour." \nTsow's research found the average identity fraud in 2006 costs about $6,000 and estimated that if someone sold 15 compromised routers per week for one year and had three victims for each router, that person would end up stealing almost $15 million in one year. \n"It makes you paranoid. It's hard to know what to trust," said Divya Aggarwal, a graduate student of Informatics. \nTsow said there is currently no easy solution to this problem. However, he shared some preventive measures wireless network users can practice in order to avoid the effects of a compromised router. He said to accept only signed firmware from trusted hardware vendors and set default policies to never accept self-signed certificates. Tsow said he is changing his browsing habits on wireless networks to be more careful. \n"I would fall for most of this if I didn't know better," he said.