Phishers might be getting takers on as much as 14% of their trick messages, much higher than previous estimates by network security watchers, according to a University of Indiana study.
The university's School of Informatics simulated phishing attacks on eBay customers since they are such a popular target of actual online scams. The simulated attacks were conducted as part of research summarized in a paper called: " Designing Ethical Phishing Experiments: A study of (ROT13) rOnl query features."
The researchers tempered its findings about a surprising high number of phishing victims by noting that other research, such as a Gartner report that say about 3% of adult Americans are successfully targeted, might not take enough into account the number of people who won't admit to being duped.
"Our goal was to determine the success rates of different types of phishing attacks, not only the types used today, but those that don't yet occur in the wild, too," according to a statement by Markus Jakobsson, associate professor of informatics at Indiana University and an associate director of the school's Center for Applied Cybersecurity Research. (He's also behind a new company called RavenWhite exploiting cookie technology to protect Web users from identity theft and other online threats.)
As for the simulated attacks used in the research, users received e-mail appearing to be legitimate and an eBay link. Recipients who clicked on the link did in fact get directed to eBay, but the researchers were also notified. The researchers say all they received was the login notification, not login information such as a passwords that real phishers covet. The research was given the go-ahead in advance by a committee at the school that reviews ethics of studies involving human subjects.
The research included a look at "spear phishing," which involves messages that appear to be from a friend other other expected e-mail correspondent. These messages typically included personal information, such as an ebay username, that would make them seem legit.
"We think spear phishing attacks will become more prevalent as phishers are more able to harvest publicly available information to personalize each attack," said Indiana researcher Jacob Ratkiewicz, in a statement. "And there's good reason to believe that this kind of attack will be more dangerous than what we're seeing today."
A slew of vendors are trying to address the phishing problem. Even the next version of Microsoft's Internet Explorer browser is set to include a Phishing Filter.