Phishing ruse nets 1,000 at university

Computer experts at a university set up a pretend internet scam to see how many people would fall for it. They hooked a healthy catch.

Dr Fadi Aloul hopes to present the research at a cyber security seminar.

ABU DHABI // The e-mails seemed innocuous enough. One was a routine message requesting a university account password change. The other promised entry into a prize raffle in return for filling out a banking survey.

But both were fraudulent. Fortunately for the many unsuspecting recipients at the American University of Sharjah (AUS) who followed the hackers' instructions, the messages were part of a harmless ruse, an experiment to see how many people would fall victim to a phishing scam. The first part of the university-sanctioned experiment, conducted in April on 10,000 students, alumni, staff and faculty, lured 954 people into trying to change their university log-on passwords. More than 200 students fell for the second part, which involved them saying which banks they used.

No names or personal information were recorded during the experiment. More than 96 per cent of those fooled were current students, said Dr Fadi Aloul, an associate professor in computer engineering, who supervised the study. "I was definitely surprised to see such a large number in terms of students," he added. Phishing attacks use spoof e-mails and bogus websites to trick recipients into sharing sensitive data. "Almost on a monthly basis, we get regular e-mails from bank-phishing e-mail addresses saying: 'Your AUS account has been locked', which is a typical rip-off," Dr Aloul said.

Cyber attacks in the Middle East had boomed in recent years, according to the computer security firm Trend Micro. "It's still viewed as a rich region with an opportunity for a more recipient and less aware market when it comes to these threats," said Ian Cochrane, the company's marketing manager in Dubai. Although AUS's IT department routinely warns its web community members to be vigilant, Dr Aloul suspected that the alerts went ignored. It appears that, in many cases, he was right, despite the IT department sending out a warning about the fake attack.

"It tells you that students don't care much about reading these e-mails carefully," Dr Aloul said. "After seeing this experiment, I hope it made a better impact on them." Amna, 21, who is majoring in computer engineering at AUS, was one of the students caught out. "The point is that it made me more aware," she said. "Seeing it happen and then when I saw the e-mail from an IT director, that just made me realise it does happen. We see e-mails and we read them, but it doesn't hit us until it actually takes place.

"I was actually happy that someone made me realise. It would have been much worse if it had been a real attempt. I was lucky because the first time it happened to me, nothing bad happened. People probably lose a lot of money on things like that."

"It was a nice way to make people aware. It's a fun experiment to be a part of, rather than as a victim."

The idea for the experiment came from a conversation with the university's IT director. "They're doing a good job sending the e-mail warnings, but I asked him if he knew how many people actually fell for this?" Dr Aloul said. "He didn't know, so I proposed, let's be the hackers for one day and make it in a controlled way."

The only other people aware of the test were the university's provost and three computer engineering students, Jamshaid Mohebzada, Arsalan Bhojani, and Ahmed El Zarka, who created the phoney e-mails. The first went out on April 10, urging recipients to change their passwords "immediately", after a "security intrusion". The link displayed in the e-mail redirected people to a strange domain name that was not associated with the university.

"Unfortunately, many people don't check the URL [uniform resource locator, the global address of documents and other resources on the internet], so people went to that page and sent their usernames," Dr Aloul said. The second e-mail was sent 10 days later, requesting names, phone numbers, e-mail addresses and asking which bank recipients used. It offered a computer flash drive as a prize for taking part in the survey.

While 220 students fell for it, the 350 staff and faculty members appeared to have learned their lesson. "Staff and faculty did not bother at all, it was zero," Dr Aloul said. He hopes to present the research at a future cyber security seminar and is trying to have the study published in an academic journal.

mkwong@thenational.ae