Don’t be fooled; these “phishes” aren’t looking for a hook. They’re looking for user names, passwords, credit card information, and social security numbers.

The School of Informatics conducted a study in 2005 regarding “social phishing,” during a time when social networking was not as popular as it is today.

“Social phishing” is defined in the study as “a form of social engineering which an attacker attempts to fraudulently acquire sensitive information from a victim by impersonating a third party.”

The study was headed by associate professors of informatics Filippo Menczer and Markus Jakobsson and graduate students Tom Jagatic and Nathaniel Johnson. The main idea was that these students would click on a link outside of the IU server and be asked to enter their user names and passwords.

Menczer explained that they gathered information from a Web site for the study and built a network to “phish” these students. Jagatic and Johnson sent e-mails to IU students that appeared to be from other IU students.

“The purpose of the study was to see how easy it was to get information,” Menczer said.

According to the data in the study, 349 students out of the 487 that were targeted clicked on the link in the e-mail and authenticated with their valid IU user name and password. The study targeted college students between the ages of 18 and 24, who were selected based upon the amount and quality of information that they disclosed about themselves.

Jagatic, the principal investigator of the study, explained that even though the information provided on social networking sites is intended for friends and relatives, it can be used in many other ways.

“I think users of social networking Web sites should be cognizant that the information they disclose about themselves may be available in the public domain,” Jagatic said.

The study itself took about a semester to complete. After attaining approval from University Information Technology Services, designing the Web sites and writing out proposals, Jagatic and Johnson planned the “phishing attack,” which consisted of them sending out the e-mails that asked for user names and passwords. The “phishing attack” took about three or four days.

“We expected it to last longer,” Menczer said. “We had so much data, we stopped as soon as we could.”

Jagatic added that there’s an anti-phishing group on campus that has conducted other research in phishing attacks and counter-measures, but even though they have these studies, students may still find it hard to filter out phishes.

“At the end of the day, I think technological countermeasures can help lessen the effect of phishing attacks, yet defending against deception in a place like the Internet is intrinsically difficult,” Jagatic said.
School of Informatics studies effects of phishing on social networking Web sites
Results reveal how easy it is to retrieve information



