social phishing … be very scared

i had lunch with Aaron Emigh today and he reminded me about a fascinating study from the Informatics department at Indiana University (they are doing great work there):

Social Phishing

this is an incredible paper which details a study in which they sent a generic phishing email to 94 students; 15 of them (or 16%) fell for the attack and entered their login and password on an obviously fake site. 16% is an extremely high number.

but it gets worse.

the researchers sent the same phishing email to an additional 487 students … but the email had one twist … it was sent as if from someone they knew (they got the information by mining Facebook). this time 349 people — or a staggering 72% — were victims of the phishing attack.

summation: i highly recommend reading the paper on Social Phishing by Tom Jagatic, Nathaniel Johnson, Markus Jakobsson, and Filippo Menczer … thanks Aaron!

2 thoughts on “social phishing … be very scared”

  1. Devin

    Excellent, this confirms what I said quite a while ago. It’d be tremendously easy to create a bot that can skim people’s MySpace profiles and pick a ‘top friend’ to send an email from. Excitingly scary.

  2. Rob Leathern

    We (at Jupiter Research) did some survey work a couple of years ago that indicated over 40% of people use the same username and password at all the sites they visit online — clearly the potential for using phished identities is pretty substantial. And it’s taken quite a few years for these new enhanced security measures that banking sites are now making people go through to come about, and not by their choice either…
