Something’s phishy? There may be more than money at stake…

The term “phishing” refers to the malicious practice of trying to extract sensitive information (such as passwords) from users. Compared to numerous other Internet-related terms, “phishing” is one of the least understood ones among users. I have found this in my work as have others in theirs. Of course, it may be that people understand the concept of phishing without knowing it is called as such. It is difficult to do large-scale data collection using more elaborate methods, but I implemented some related questions on a survey recently taken by over one hundred students who were randomly sampled from a diverse group. (See the end of this post for details about the data set.)

In the context of a larger study, I showed participants three hypothetical emails and offered several options for how they might proceed (respondents could check off several actions such as “delete it”, “ignore it”, “forward to tech support with a question”, etc.). When shown an email that looked very much like the one that comes from the IT department of the university (one that would not be hard to replicate by someone with malicious intent) over half of respondents said they would “follow the instructions outlined in the email”, which included going to a Web site and entering their username and password. Even more students said that they would “click on the links in the message and follow the instructions on those pages”. Less than 15 percent checked off the option of contacting tech support with a question or reporting the email as abuse. And in the open-ended field where respondents could explain what else they might do, only one student described actions that suggested the potential problem with the email. This among the generation that is supposedly savvy about digital media. See my forthcoming paper on The Role of Expertise in Navigating Links of Influence for more on this (especially pp. 12-19.).

When I talk to my students (at a different school than where the above study was conducted) about online privacy and security issues, and ask them about the potential implications, the usual response is about financial concerns: credit card numbers stolen, money lost. However, as I try to remind them several times throughout the course, financial issues are not the only ones at stake when managing one’s identity and actions online. For example, in the realm of health and politics one can easily come up with examples of cases where third parties should not have access to our information.

And then there is reputation. I have noticed some troubling incidents on Flickr recently and wanted to write a post about these experiences to remind people about the importance of being vigilant. Don’t stop reading just because you are not a Flickr user, by the way. These same issues could occur on lots of other sites as well.

Flickr is a photo-sharing community site where people post photos and often comment on others’ images. These comments sometimes include cute little awards that let you add your photo to an invitation-only group or whatnot. Recently, I received such a comment on one of my photos and clicked on the link included within it. This led me to a login screen seemingly still within Flickr. The people behind that site did a very good job replicating Flickr. You had to be very conscious of your actions not to proceed and follow what you were being instructed to do, namely, enter your Yahoo!/Flickr username and password.

Lucky for me, I did realize that there was something phishy going on here. I was already logged into Flickr so this login request did not make sense to me. I checked the location bar of the browser, and as expected, it did not say flickr.com/etc. Then I did a search for phishing on Flickr groups and confirmed that this was not something I wanted to pursue. Others had encountered similar issues and had already reported them so hopefully the admins were aware.

So what could one do with the username and password of Flickr users who were not as cautious or who simply did not realize what might be going on? First, one’s Flickr username and password is the same as one’s Yahoo! ID and password so it allows access to one’s email account and all other associated services, none of which is desirable. Within Flickr itself, it allows the malicious user to post comments on others’ photos using the account.

And that is precisely what I experienced this morning. Click here for a screen shot of a picture I posted and the comment that followed immediately after. Note that this comment came from someone who is not on my contacts list and whose account I had never seen as far as I recall. The comment on my photo of a Dublin door reads:

Hi,

Someone at RAMCON said you sell nude images of children on flickr(loldee etc..) and i was just wondering(if this is true) then how much do you charge and what payment methods you accept?

Thanks.

There is very minimal chance that someone from a paid account would leave such a message publicly on a photo.

Searching on Flickr, I see that others are experiencing the same issue with the exact same message, but using different people’s accounts. This can be really damaging to the person whose account is used for such messages especially if this person does not realize or does not understand what is going on. Already several people have reported the person participating in that discussion thread accusing him of having left at least three such messages.

So I thought a reminder was in order: before entering your username and password anywhere, be sure to check that you are on the Web site you think you are on, look at the address of the Web site in the browser and if it is not the one you expected then beware.

[*] Details about the data set: In February-March, we administered a paper-pencil survey to students in the one class at the University of Illinois, Chicago (UIC) that is required of all students thus posing no selection bias as to who was in the sampling frame from the university. UIC is one of the most ethnically diverse research university campuses in the US. We have a 98% response rate of the 85 course sections, and an 82% response rate of all students enrolled in the class. The survey data about understanding the term “phishing” represents the responses of 1,236 participants. We used stratified sampling (on gender and user skill) for the follow-up observational study (March-May, 2007) that also included a short additional survey. We achieved a 58% response rate on that portion of the study with 103 students participating.

Thanks to the MacArthur Foundation for supporting this work.

4 Responses to “Something’s phishy? There may be more than money at stake…”

  1. Flickr-User Says:

    Hello I will like to thank you to make me understand what was going on. I’m the guy that the identity was stolen by the flickr award “love lotusflower”. I new that something was wrong with that award but I was a new member on flickr so I did not know how this award thing work. So yes I enter my old username and my old password to be on that group. The web page asking me fro my username an password look like a flickr web page. After I did that I saw a photo for a few second and after nothing, the was no group and no photo at that web page. The award stay for few days under my photo an vanish after that. I did not really care about it. Saturday I got your email with some other 5 or 6 email being mad at me because of the comment I had left under there photo. Of course I never made that comment or ask for any kind of photo the “phisher” was asking. I do understand the people that were mad at me. I will have done the same. The send me emails telling me I was a sick person. But in my bad luck I got your email telling me that my account was hack and to change my password what I did. I also change my flickr identity and I’m actually thing to leave flickr. I also, like you say, under you photo deleted the obscene comment that the “phisher” did on your photo and 79 other photos. But I still don’t understand why the did this. Please could you tell me? Can the spy on my computer? If that was there goal why the send such a comment on other members of Flickr? The should have know doing that that somebody will send me a email asking me what was going on. Where the really looking for what the say? If so why did the send email only to 80 persons? Or where the mad at me because the didn’t find anything interesting in my computer or my yahoo account that the can use? If the did this is against me or my reputation the really are stupid because I’m an unknown person. I will ask you please a last favor, could you mention under you photo that the real owner of that Flickr site contact you tell you that he was not the person putting such a disgusting comment under you photo. Thank you very much and you can be certain that it’s the end of my story on the web. Bye bye

  2. lisa Says:

    Fascinating. Less than 15%!! I thought the percentage who are net-savvy might be a bit higher in an American university. Looked quickly for some metrics in your paper. Did you do a breakdown on the age of the student? In Australia a person who’d been using the Internet since age 5 would not be older than 16 or 17 so I guess the results could improve dramatically as you survey younger students. It would be interesting to see if the results in a high school survey show improvement in that percentage.

  3. eszter Says:

    Lisa, about 85% of these respondents are 18-19 so this is not a question of age. It’s a myth that the younger the student the higher the level of understanding, certainly a myth regarding any dramatic differences.

  4. Dima Says:

    Indeed, it is surprising to see how unaware the young people are of what is going on. I am really curious about perceptions of privacy by the young people. There is a study going on in my department about online privacy, but i would be particularly interested in looking at the young people’s attitudes towards it. I think the notion of privacy has changed over the years and suspect that the results may be just as surprising.

    Anyhow, it’s nice to see you here Lisa. It is a small virtual world :)