Last modified: Wednesday, July 30, 2008
IU Department of Computer Science study shows popular Web sites at risk for phishers
FOR IMMEDIATE RELEASE
July 30, 2008
BLOOMINGTON, Ind. -- A recent study by Indiana University School of Informatics researchers revealed that nearly 2.5 million Web pages on some of the Internet's most recognizable and trusted sites have 128,000 links that could be easily manipulated by phishers -- making them vulnerable to online scams.
Department of Computer Science doctoral student Craig Shue, along with fellow doctoral student Andrew Kalafut and their advisor, Assistant Professor Minaxi Gupta, developed a computer program capable of crawling tens of thousands of sites. The program searched for and identified open redirects -- applications that take a parameter and redirect a user to the parameter value without any validation -- within such popular sites as Google and eBay. While these redirects serve a legitimate purpose, they lack security controls and can be manipulated by phishers to send visitors to any site on the Internet.
"We were surprised by the number of these open redirects on sites that people trust implicitly," said Craig Shue, who led the study. "From a business perspective, companies have to consider how having this type of vulnerability on their Web site could impact their overall brand. When considering whether to click on links in e-mail, users often look at whether the link goes to a trusted site. However, with redirects, phishers can manipulate the links to defraud these users."
Shue will present the findings of the study at the Usenix Workshop on Offensive Technologies (WOOT) in San Jose, Calif., later this month. He continues his work with Indiana University's Networking Research Group, a group within the Computer Science Department led by Gupta. Shue expects to receive his doctorate in 2009.
About the Indiana University School of Informatics
Founded in 2000 as the first school of its kind in the United States, the Indiana University School of Informatics is dedicated to research and teaching across a broad range of computing and information technology, with emphases on science, applications and societal implications. The school includes the Departments of Computer Science and Informatics on the Bloomington campus and Informatics on the IUPUI campus. The school administers a variety of bachelor's and master's degree programs in computer science and informatics, as well as PhD programs in computer science and the first-ever PhD in informatics. The school is dedicated to excellence in education and research, to partnerships that bolster economic development and entrepreneurship, and to increasing opportunities for women and underrepresented minorities in computing and technology. For more information, visit www.informatics.indiana.edu.