Phish Scams Fooling 28% of Users
Etaipo writes "Anti-spam firm MailFrontier Inc has done some testing with consumers to see if they could differentiate between legitimate e-mails and phish scams. The results, to me, were pretty shocking.
The company also has provided a similar test on its web site. Get an answer wrong, and we revoke your geek license on the spot."
Personally I never cared for Phish. They attracted a lot of the same fanbase as the Dead but I just couldn't bring myself to like them. I tried, I really, really did. It's sorta sad that now that they are breaking up for good that they are scamming 28% of the population. I would have never guessed that a cool jam-band would have to resort to this sort of scheming in order to get money!
I guess after all those tours and all those basically unsuccessful albums they are in need of people's credit cards in order to support their own solo touring and promotion.
All kidding aside, I am genuinely disgusted that the authors of these articles did not call this sort of scam by a legitimate title such as "fishing" or "credit card scamming" or "you are a fucking moron for falling for the give me your Credit Card Number in an email" like it has been in the past. I wasn't aware that "scr1p+ K1dd13 sp34k" had crossed into "real journalism". I can see it now... Parents banning their children from listening to Phish because FoxNews told them that they could have their credit cards stolen.
-1 Troll for the authors of these articles.
I answered 2 incorrectly as Fraud to get an 80% score so I lose 2 geek points but gain them back for erring on the side of caution. Actually I never bother with HTML mail and just skip it. That hasn't bit my butt yet.
Its colour schemes are giving me a seizure...
Trolling is a art,
Why did I have to provide a credit card number before the test showed me my score?
I passed with flying colors! This is an excellent quiz to send to your friends who are less internet-savvy. I found a common thread throughout all of them: "if you don't verify your account information, it will be suspended."
Homestarrunner.net -- It's Dot Com!
This test is like a Kobayashi Maru test on Star Trek. You have to alter the conditions to win. You can't see the details in the hyperlinks nor the referrer information in the header.
Some of these fraud mails looked really legit and were mainly given away by the fact that their URLs went to something like fraudprevent-visa.com instead of fraudprevent.visa.com. fraudprevent-visa.com is a domain name that may or may not be affiliated with Visa, while fraudprevent.visa.com is a subdomain of Visa.com, meaning it's not 100% safe, but much more likely to be legit.
But asking people to know this difference is asking a bit much of them. What might be interesting would be a "Phisher Identifier" built into mail clients that could identify bogus or unauthorized URLs based on a very carefully maintained database of legitimate URLs.
Seems that a plug-in could be written for Outlook, Eudora, etc.
- Greg
Start a happiness pandemic
The Earthlink one about expired cc is the only one I thought was legit that wasn't... then I read it again....
fp...
phishing is bad... reminds me of AOL days..
No news here folks, move along!
Sent from my ASR33 using ASCII
Pleaase fill in your Bank password to save your score.
Do I lose points if the page won't load due to a slashdotting?
like i trust links on /.
> get tea
No Tea: dropped.
Let me be among the first to call "Bullshit" on this supposed test.
Any nerd worth his salt knows to first check the headers of the e-mail and look up the IP to see where the mail really came from, and/or view the source of the HTML and identify obfuscated URL redirects. Then again, any IT guy who is using HTML-enabled e-mail should have his geek license revoked in the first place.
No replies and it's already down. Anyone have a mirror of the test?
I'm never going to trust research that's done by corporations to generate or augment the need for their products.
Obviously they weren't testing the premise of "people aren't that stupid, and probably dont need our fancy products"
Yeah, if you look hard enough you'll find people stupid enough to fall for anything. That's no feat.
I don't need no instructions to know how to rock!!!!
When it's that easy, you can't even call it social engineering. It's just social nudging, and people are ready to fall for it.
The CB App. What's your 20?
At my place of business, I run a strictly whitelist-only policy of Internet use permissal. If a user goes to a web site that is not on my comprehensive whitelist, he instead sees a small form with which he may explain the business-related uses of the web page in question.
Needless to say, this policy is entirely foolproof as a means of deterring so-called "phishing" in my workplace. I haven't heard any complaints, so I can only assume that the users enjoy my protecting of their identities.
Sincerely,
Seth Finklestein
Proud Systems Administrator
I'm not Seth Finkelstein. I still speak the truth.
Never mind this. I'm still waiting for my money from Bill Gates and Disney for forwarding that email to everyone I know a couple years back.
Right is wrong when left is right.
How many legitimate "offers" have you actually gotten via email? I'd like to see the person who signs up for porn and conducts business using the same email address.
Steal This Sig
then the web server fell over from the massive /.'ing
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
I think at least 40% of Phish fans are fooled/fools.
-phozz
It seems like all of the anti-spam/phishing/whatever legislation lately will make testing like this illegal, or at least more difficult because of the threat of legal action.
Maybe on the positive side though it will help reduce the amount of "Shocking!" yellow journalism that's out there.
Flip back to and refresh /. to see that almost a third of email users don't have the third of a clue it would take to recognize this crap for what it is. "We has noticed a high level of suspishous attemtpts to access your account and brute force your PIN..."? Um. Okay.
Aside from the fact that I never click on links in email, what I do do is look at the received headers and the actual links to see where they really go to decide if it's phishbait or not. They've deleted both from the test messages...
Every time I read a statistic like this I have to ask myself if it's even worth fighting against this kind of thing any more, or if we should consider it a tax on the stupid. Cynical, maybe, but I'm tired of explaining why you should never give out personal information via email to people and having them turn around and do exactly that a week later. I admit, some of the newer emails are getting quite professional looking, but as soon as they start asking for passwords/CC #s, red flags should go up. Sadly, many users gladly give the scammers what they're after with not a thought.
Vandemar.org
They all began with www.n15th.com, therefore I marked them all fraud.
Pictures at eleven.
"Ask not what your country can do for you." --John F. Kennedy
The biggest demographic that is hit by these phish scams are poor, lower class minorities. With little experience using computers, let alone the internet, recent hookups to the internet in inner cities are the most heavily affected. Blacks and Hispanics are especially notorious for having difficulties deciphering "phish" emails, as they've become used to cowering before anything with a menacing letterhead. It's sad that the real victims of these e-mail scams are already in difficult financial situations and can barely afford to pay for other basic services. Shame on these scammers, they are even worse than most spammers.
+ Donald Gunth
+ Email: dgunth@quicktek.net
"Caffeine is the greatest lubricant ever created." -ESR
But haven't fallen.
My parents got an e-mail stating that we were charged $3000 for a new Dell laptop. Never mind that we all use Macs.
So I check out the site... Looks professional, seems legit, but it asks for a bank account and social number on a non-secure connection... Phishy?
I checked out the root domain of the given address and ran a search to see to whom the site was registered. Definitely not a real company, an individual, and the root domain didn't exist as an accessible webpage. Not the kind of thing that is very professional. I bounced the e-mail back and dismissed it. Our credit bill the next month didn't have a Dell laptop on it. What do you know?
All it takes is some common sense to get out of these things, but perhaps real companies should start adopting S/MIME or PGP to ensure their identities to make it more apparent to a layperson.
Of course, a false company could just as easily hide behind these "foolproof" authentication mechanisms.
Help a college student
Honestly, I got through 3 examples before giving up. The real test for me is, "Is the link back to the official site? Or does it look like a link and take you to some mysterious 3rd party server?"
In this test *ALL* links pop up to a "for the purposes of this test, this link has been suspended". This makes the whole thing useless.
Anybody can copy a legit paypal or eBay email and change a few words and make it "look" real. The key is in the links and the data mining.
One of the things I look for is the actual location of hyperlinks. The online test disables the viewing of the location of the hyperlink in the status bar.
MORTAR COMBAT!
the quiz is /.ed
so does that mean i score a NaN?
Were there rules to looking at the data? All I did was view source, did a few quick DNS lookups and I got an 80. Although I got this great visa offer for my efforts
Rule Number One - never post your press releases to Slashdot if you aren't sure your servers will handle it...
I know, I know, it's "gullible".
Yeah, and a comparable percentage of Americans are so fucking dumb they can't find their own country on a world map. Coincidence? You decide.
"OH SHIT, THERE'S A HORSE IN THE HOSPITAL!"
Can't I live while I'm young?
There is no gravity...the earth just sucks.
Is it really so surprising that as spam matures it gets better at impersonating real email? It would be useful to repeat such a test periodically to see it trend over time. Likewise, it would be interesting to see the nature of valid business email content change over time to adjust. Perhaps we can have an internet age Darwin elaborate on the mechanics.
Politicus
Honestly, it's pretty simple. Just never click on any link in any email. If it's from a company you deal with, type in the URL you know and love to find the information. The only one of the emails in that entire "quiz" I would have trusted was the one without any links, that simply said "go to ebay.com, click on your account." Anything else could be fake.
At the very least, copy and paste the URL rather than click it, and study it for 3 seconds before going to the site to make sure it looks like the site you think you're going to.
We've all received a number of these scams, and most of us on /. are surely not likely to fall victim.
But I can see why the confusion for some people:
1. They are intimidated the moment they sit at the computer.
2. The same people who might be skeptical as ever when dealing with a live human do not have a clue that the "internet" can be an evil place at times.
3. Some of these sites look exactly like the page they are emulating including all the other links on the page going to the real site. These people just do not know to look for "www.ebay.com" instead of 200.50.66.71 in the address bar. That is (sadly) still meaningless to a lot of people.
Education and experience on the web is likely to reduce these issues over time, but for now, it's just a way-too-easy niche opportunity for thieves and scammers to prey upon the naive.
nt
Come from legitimate sources whom I have existing relationship with.
I was keeping in touch with this girl via email - she was cute! I was hoping for a chance and go "visit". Then, one day, she forwards me that "Test software and Bill Gates will give you $xxx!" I was afraid that she was taking it seriously and maybe she'd get ripped-off. I was trying to figure a way of telling her without making her feel stupid. So I responded with something like, "You got one of those too? Aren't those fraud spams funny? Ha Ha." She still felt stupid and apologized for sending me such a thing. I emailed her back trying to let her know that it's hard to know what's legit, etc ... don't feel bad...etc ...
End of story: she never emailed me again or had any other contact with me. Fucking Spam!
One of the common tricks I use to tell if someone is phishing is to compare the actual URL link with the one displayed in the test. That is, does the HREF match what's printed on the screen? If not, hit delete faster than a fat girl running towards chocolate. Easiest way to tell as the e-mails are looking more and more legitimate.
I got one for PayPal asking me to update my account information that had a bad link. Also got me since I had just moved and was in the habit of updating account information for sites!
but for how long?!?!
Outdoor storage sheds and pet kennels
This sensationalist phishing PR campaign, if anything, once again proves that content-based filtering is a waste of time and resources. If you rely on spell-checking corporate e-mail as a means to identify its legitimacy, you're off track. If you rely on subtle hints in the message to tip you off that something's funny, you're wasting time.
A simple check of the source IP of the mail relay is the most reliable method of identifying phishing scams. Many of us who primarily use RBLs to block spammers don't deal with this crap because our users never get it in the first place. The main source of these phishing schemes are the same foreign servers that any decent mail admin has RBL'd a long time ago.
So we have another anti-spam company scaring consumers as a means to promote their ineffective spam-filtering solution that will likely involve continual upgrades and degradation of the user's mail service. There are better choices: don't accept any mail from rogue SMTPs. Blacklist the DSL pools, blacklist the IP space of ISPs that allow this illegal activity and you not only stop spam, but you stop worms and these phishing scams.
I am against any anti-spam/worm/phishing technique which involves analyzing the content of the e-mail. RBLs have proven to be more robust and reliable in stopping the spread of this junk and don't slow down mail service or compromise the privacy/security of users.
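The relay check described in the comment above (and the "look at the Received headers" approach other posters mention), as an added example that is not the poster's code: it walks the Received: lines newest-first, skips our own servers, and tests the first outside relay against a locally maintained block list. The headers, the `OUR_RELAYS` range and the `BLOCKED` networks are all constructed for the example; a real deployment would query a DNSBL instead of a static list.

```python
import ipaddress
import re

# Hypothetical: our own mail servers, whose Received: lines we trust.
OUR_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]

# Hypothetical block list in the spirit of the comment (a "DSL pool" and a
# rogue ISP range). A real setup would consult an RBL/DNSBL instead.
BLOCKED = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# The bracketed address the receiving MTA recorded, e.g. "(unknown [203.0.113.77])".
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw):
    """Return (name, value) pairs, joining folded continuation lines."""
    lines = []
    for line in raw.split("\n"):
        if line.startswith((" ", "\t")) and lines:
            lines[-1] += " " + line.strip()   # continuation of previous header
        else:
            lines.append(line.rstrip("\r"))
    pairs = []
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def source_relay_ip(raw_headers):
    """IP of the host that actually handed us the message.

    Received: lines are prepended, so the top one is ours. The first relay
    that is *not* one of ours is the real source; every line below it was
    written by the sender and can say anything it likes.
    """
    for name, value in unfold_headers(raw_headers):
        if name != "received":
            continue
        m = _RECEIVED_IP.search(value)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if any(ip in net for net in OUR_RELAYS):
            continue                          # still inside our own relays
        return ip
    return None


def is_blocked(ip):
    return any(ip in net for net in BLOCKED)


def verdict(raw_headers):
    """('reject'|'accept'|'no-source', source ip as text or None)."""
    ip = source_relay_ip(raw_headers)
    if ip is None:
        return "no-source", None
    return ("reject" if is_blocked(ip) else "accept"), str(ip)


# Constructed sample: our MX received the mail from a blocked pool address,
# and the bottom Received: line (claiming to come from the real site) is
# forged by the sender. 10.9.8.7 is a placeholder, not a real relay.
SAMPLE = """Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.net; Sat, 10 Jul 2004 10:00:00 -0400
Received: from adsl-pool.example (unknown [203.0.113.77])
\tby mx1.example.net; Sat, 10 Jul 2004 09:59:58 -0400
Received: from mail.ebay.com (mail.ebay.com [10.9.8.7])
\tby adsl-pool.example; Sat, 10 Jul 2004 09:59:50 -0400
From: "eBay" <service@ebay.com>
Subject: Please verify your account
"""

if __name__ == "__main__":
    print(verdict(SAMPLE))
```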
Yes - it hurts my eyes too, especially on the laptop screen - viewing it even slightly off-angle makes it nearly unreadable.
..and I can't figure out how to get PINE to display HTML mail. What is this 'spam' you speak of?
HA! I just wasted some of your bandwidth with a frivolous sig!
They're all ledgitimate.
Also it asks for your credit card before you see your score but only so it can verify your identity.
Right is wrong when left is right.
I was once fooled believing that I received a fraudulent email making me believe it came from Sony. I wrote to Sony to report the email and they told me it was legit!
What caused me to think it was fraudulent? Well, the URLs in the email were going for something like sony.<somecompany>.com. The URL did not finish with "sony.com". The only way to figure out if an email is phoney or not is to check the URLs (assuming your browser does not have the famous URL bug which shows you a legit URL but once clicked, sends you to another site while still showing the legit URL in the URL bar), but when companies use 3rd parties to email their users and provide services, they cause these confusions.
Remember the year 2000? They promised us flying cars. They delivered the PT Cruiser...
I got Verizon DSL service back in February. A month later, I got an e-mail that basically stated there was a problem applying the DSL charges to my phone bill. In the e-mail, which was sent to "Verizon Customer", they suggested I reply to the e-mail with my account name and credit card information.
I thought it was a scam, but left it in my inbox. Two weeks later my service was shutoff. Apparently the message was legit.
After I got the problem straightened out, I sent them a very nasty, yet informative, e-mail and they agreed that they will review their e-mail policies and apologized for sending such a message to begin with.
No license? Then you are forever doomed to be an "Anonymous Coward."
My lack of God, it's Trotsky!
I need to get one of these and use it as a prequalifier for clients. If you can't pass this test I won't work on your computer.
Well maybe I will, I'll just adjust my hourly rates accordingly.
As seen on Wired: Get a free desktop PC
I wonder what the record is for the fastest Slashdotting of a site? This one went belly up in what looks like less than 18 minutes...
the future is here, it is just not evenly distributed - w. gibson
Linking to a cgi from the front page? Why don't we just find out where the server is and burn down the building instead?
I got one that looked like a family gathering invitation. They must have hacked my mom's email account. They wanted me to respond with my "rsvp." That set off my bullshit detector. I better let mom know because they keep sending me email and now they're claiming I'm going to be disowned if I don't show to my own brother's wedding. I've stopped answering the phone as well because they have sound-alikes leaving me messages and look-alikes showing up at my door. You know as soon as they get your rsvp, they empty your bank account with it. I'm not falling for it.
Here's a quickie link to the test examples. The month's almost over, and I've got plenty of bandwidth to burn. (Famous last words...)
http://www.littlecutie.net/temp/slashdot/
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
So I got 9/10 because MS is an even bigger bunch of assholes than I'd have thought. Wow.
-Looking for a job as a materials chemist or multivariat
Just viewed the source of the pages, easy enough to tell who is lying and who is not. Only 1 was marginally troublesome due to a lot of spaces in the URL which pushed the real domain name far to the right.
MORTAR COMBAT!
I get emails asking to "verify" my credit card, even going so far as to say it's needed to prevent credit card theft -- and I don't even have a credit card.
/ not because I live "off the grid" but because I hate being in debt.
The quiz lets you see the emails, but there's no way to determine where the links are truly headed because they're disabled. I mean, I can make a link with the text "www.ebay.com" and have it point to "www.ripping-you-off-guy.com" in the HREF tag, and the typical user isn't going to see it.
What we NEED is mail clients that, when the user clicks on a link, will automatically deobfuscate the domain it links to and pop up a warning message to the effect of "Clicking this link will take you to a web page on the Internet domain 'www.ebayscammer.ca'. If this is not where you intended to go, click 'Cancel' now."
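The check this comment asks for, as an added example (not code from any poster or from MailFrontier): parse the anchors out of an HTML mail, work out the host each HREF really connects to, and compare it with what the reader sees. It also covers the tricks other comments in the thread describe: the hyphen-versus-dot domain (fraudprevent-visa.com vs fraudprevent.visa.com), dotted-quad targets, and a "user@" prefix that hides the real host. The `ALLOWED_DOMAINS` set is a hypothetical per-user allowlist and the message is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Hypothetical allowlist: the sites this user actually has accounts with.
ALLOWED_DOMAINS = {"ebay.com", "visa.com", "earthlink.net"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def real_host(url):
    """Host the browser will actually connect to.

    urlsplit().hostname drops any 'user@' prefix (so http://www.earthlink.net@10.1.2.3/
    resolves to 10.1.2.3), drops the port and lowercases the result.
    """
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host):
    """Crude 'site' part of a host: its last two labels (visa.com for
    fraudprevent.visa.com). A real client would use the Public Suffix List
    so that e.g. oneandone.co.uk is not collapsed to co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def shown_host(text):
    """Host a reader would believe the link goes to, taken from its visible text."""
    m = _HOST_IN_TEXT.search(text)
    return m.group(1).lower() if m else None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def judge_link(href, text, allowed=ALLOWED_DOMAINS):
    """Return (verdict, target_host); verdict is 'ip-literal',
    'display-mismatch', 'unknown-domain' or 'ok'."""
    target = real_host(href)
    if is_ip_literal(target):
        return "ip-literal", target
    shown = shown_host(text)
    if shown and registrable_domain(shown) != registrable_domain(target):
        return "display-mismatch", target          # text says one site, HREF another
    if registrable_domain(target) not in allowed:
        return "unknown-domain", target            # the "Phisher Identifier" case
    return "ok", target


def audit_html(html, allowed=ALLOWED_DOMAINS):
    """List of (href, text, verdict, target_host) for every anchor in the mail."""
    p = _AnchorCollector()
    p.feed(html)
    return [(href, text, *judge_link(href, text, allowed)) for href, text in p.anchors]


def warning_for(href):
    """The prompt the comment above wants a mail client to show before following a link."""
    return ("Clicking this link will take you to a web page on the Internet domain "
            f"'{real_host(href)}'. If this is not where you intended to go, click 'Cancel' now.")


# Constructed sample message (not a real phish) exercising each trick once.
SAMPLE_HTML = """
<p>Dear eBay member, please <a href="http://200.50.66.71/ebay/">update your account</a>.</p>
<p>Or visit <a href="http://www.ebay.com.account-check.example/">www.ebay.com</a></p>
<p>Earthlink: <a href="http://www.earthlink.net@10.1.2.3/login">http://www.earthlink.net/login</a></p>
<p>Visa: <a href="http://fraudprevent-visa.com/verify">fraudprevent-visa.com</a></p>
<p>Legit: <a href="http://fraudprevent.visa.com/">fraudprevent.visa.com</a></p>
"""

if __name__ == "__main__":
    for href, text, v, host in audit_html(SAMPLE_HTML):
        print(f"{v:16} {host:40} shown as {text!r}")
```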
....because any email that asks for any personal info or provides a URL to where you are supposed to fill something are immediately tossed and the site reported to the legitimate site (usually Paypal or Ebay). If I didn't initiate any webform, I don't use it! Is it that difficult for most people?
I got all the questions right, plus I'm getting millions of dollarz from this guy in Nigeria. Thanks for forwarding the link to us! Null
I marked all as frauds without reading them, why should I even consider "US Bank" mails while I am living in Switzerland?
Trolling using another account since 2005.
How could I know whether the links go to a legitimate site if "For the Phishing IQ Test, the Link has been disabled"?
Seriously, wouldn't that be the #1 way to spot fraud? You know, like, looking what you are telling your computer to do instead of trusting a random piece of text that arrived via means that make it next to impossible to validate the sender?
Free as in mason.
One two and three
Since technically you are a part of that 100%, aren't you just fooling yourself? pwn3d!!!1~ /FTM Fan
Here's one I got a while back. I wasn't quite taken in by it.
Yet Another Web Site
The intended "challenge" of the quiz seems to be the ability to compare http://paypal.com to http://123.45.67.89/paypal in the browser status bar - however, the JavaScript used to generate this only works in IE
I have 'javascript update status bar' disabled, so I had to view source on each page to find the address it was faking. Got 2 wrong because I only checked the first few links and the 'click here' link was further down.
On the other hand, people 'phishing' could use the 'javascript update status bar' that is used there to fake real URLs, making even their test a poor training. "Trust the status bar rather than the text"
...and the damned thing took forever to load the test questions. I literally wasted 15 minutes trying to load the pages while I multitasked.
The big kicker? When I hit "Score" it wiped my answers and started me over. I wanted to see the results and did not want to retake the thing because it took so long so I marked the first one as ok and the rest as false because I was in a hurry and pissed at this point.
I got an 80% score as a result, and then I wondered if anyone else had the same problem and if it skewed the results.
If so it would be a good way to sell their service:
1: Fake the results at a high failure rate
2: Induce widespread panic
3: Profit.
When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
Errr... I guess I'll take the test tomorrow, when pages on their webserver take less than 6 minutes to load...
The 28% figure would probably be more meaningful if similar numbers were provided for users being fooled by Grateful Dead scams, String Cheese Incident scams, etc.
But I think that's mostly because I recognize these as E-mails that I've actually received at some point. The Citibank one is especially funny since I'm not even a Citibank customer.
!#@%*)anks for hanging up the phone, dear.
One of our servers got used by a phisher as a means for checking his hotmail, which received all the replies from his phishing expeditions. This particular one was the eBay one. I would say that the replies broke down about this way:
30% sent in funny, or fake data
60% answered with their eBay logins, but nothing else
The scary part was the last 10%. They put in essentially every bit of personal data they had -- credit card numbers, their ATM PIN, social security numbers, even their checking account number and routing number!
We called the FBI and the credit card companies, and none of them wanted to talk to us because we weren't personally harmed, and had no monetary damages.
You don't want to see him. He's my boss, and quite ugly ...
... is that they don't allow you to use the easiest possible filter, which is that if I get an email from someone I don't do business with (eg, in my case, paypal) it's guaranteed fraud, I don't actually have to read it to decide, it just goes in the bin unread with the rest of the spam.
check it out, interesting use of frames by the perps
Anatomy of an embryonic identity-theft-by-email
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Is there a remedial test I can take to get my geek license back?
===== Murphy's Law is recursive. =====
Call me a n00b, but I use hotmail and yahoo and I personally don't get spam. I think it's just something people who give out their email too frivolously get.
...that I would have clicked any of the links in the emails.
If I get any message that smells remotely like phish (i.e. any email that tells me to do something with my account), I go to my browser, and visit the site by manually entering the name of the website. If it then turns out to be a bogus email, I send a copy to the admins of the site, so they can track the insensitive clods down, and do whatever it is they do with them.
The IQ test would be a lot easier with access to full mail headers, too...
How's my programming? Call 1-800-DEV-NULL
Dear Friends,
The linked-to site is slashdotted. I have generously set up a mirror for it. Please visit this page:
Mirror
PS - never mind the prompt on that page that asks for your bank and credit card info. It's just a formality!
John Kerry is a Joke!
I got a 10/10 but I don't use any of those things. Perhaps it is because I knew it was a test but... If those are real phishing scam letters it is pretty scary since for the most part they look professional. On a different note, don't websites usually say that they will not email you for XXXX? And if they do, isn't it usually a big notice?
A ruler wears a crown while the rest of us wear hats. But which would you rather have when it's raining?
We here at phishfarm offer a comprehensive monitoring and blocking service to save our customers from hassle such as this. Just email all your bank account details (required for verification) to make.timesprout@rich.com and we will ensure that email soliciting for information or money will never reach you again.
PS we have found that sending us naked pictures of your wives/girlfriends increases the accuracy and efficiency of our blocking engines so for the highest quality of service include a few piccies.
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
INCORRECT.
Whose side did you take in the david lee roth/van halen split? VAN-HALEN or Roth?
Van Halen?
HE'S A COP!!
No unauthorized use. Trespassers will be shot. Survivors will be shot again.
Not that hard of a test, IMO. I got 10/10, anyway. Mainly, don't give credit card or other sensitive info as a result of an unsolicited e-mail (either by replying to the e-mail or visiting a URL in the e-mail and entering the info there). Legit companies will not expect you to do this, and if they really do need verification of such things, will use some other means to contact you than e-mail. If a company thinks sending an e-mail is a reasonable way of getting or verifying sensitive information from their customers, it's a good sign that you should reconsider doing business with them.
... actually picking up the telephone and actually calling your financial institution/online vendor directly to confirm a problem with your account?
If the company was worth its salt, they will have a telephone number for you to reach them in the event of a problem or suspicious activity.
My domain and web space are provided by oneandone.co.uk: when I received a bill saying "we have had problems billing your account, please go to 1and1.co.uk (i.e. a similar but different address) and update your credit card details" I thought it was a phish.
It turns out their billing department uses this different domain name, and the Visa card details I had logged with them had expired. If I hadn't double-checked my Trash and some other paperwork, my web site would have been disabled.
soon I'll be a CERTIFIED geek!
...is Social Engineering. Or Con Artistry depending on your tastes.
The average non-techie wouldn't know what a "Phish" scam was if it was sitting on their face, any more than they would know what a phreak was or why hacker, cracker, and coder all mean very different things.
I agree with GGParent. This crap should never have made it into the media. They're only going to be screwing it up.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
phish scams attack windows, no linux.
phish scams cause problems not for me.
I don't possibly see how that's offtopic.
but then again, I'm not moderating today.
None of the samples provided mail headers... how the hell am I supposed to even begin to tell if it's legit if I can't see whether or not the mail came from 65adsl.brazil.xxxxxxx.net or something similar?
That's my first step in checking the legitimacy of an e-mail.
I had to go through the quiz twice. The first time I went through I said they were all fraudulent because the links weren't to the place they said they were to... Then I realized that was the protection the mail website had... So then I took it again assuming that the link in the status bar was the link they meant for us to think was the real link... That's really all you have to do to get them all correct. (I got 10/10)
...telling her she had won a trip for two to the ESPN Espy Awards show in Hollywood on July 14th. She sent me an IM about it, and I (rather condescendingly) informed her that she was almost certainly being spammed. Well, after going to espn.com and finding that the person listed in the email was really in their PR department, and contacting her through their 800 number, guess what?
That was the coolest hotel I've ever stayed in. The show sucked, but the view from the room almost made up for it.
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
How is the US Bank email fraudulent (the online survey says i was wrong, and that it was a fraud)? Is usbank.com not a valid domain for U.S. Bank? The website looks legitimate, the link was a secured one. Heck, it even works. The domain appears to be registered to U.S. Bancorp, which appears valid. If that really was fraudulent, and the links went to where they said they did, I'd really like to know how you can tell! John
Why should it be legitimate if I don't have a PayPal account?
You're assuming that the phish is attempting to turn your computer into a zombie.
Someone else having your credit card # and SSN without owning your computer is still a problem for you, no matter what your platform.
Also keep in mind when taking the test that there are two ways you can be wrong. A miss is saying it's legit when it's actually fraudulent, and a false alarm is saying it's fraudulent when it's legit.
I've been using computers for a long time and expected to get 100% on this test but only got 70%. However, all of my mistakes were false alarms. So at least I always erred on the good side.
...I won't use an email client that renders HTML. Or at least, won't let me turn that off.
When I get these mails, 95% of the time I delete them unread; no legitimate business should ever need me to "confirm my information". Every so often I look at one, and since I only see the raw HTML, it's easy to see that the images and whatnot are all being pulled from the real company site, except for the "login" link which goes to some mysterious dotted quad address.
(Side note to companies: stop letting outsiders pull images off your server; only let your own pages refer to them. It's an Apache FAQ, fer cryin' out loud.)
Every so often a friend will send me HTML mail, but I can cope. :-)
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
The Earthlink email got me as they used an IE display bug to hide the @ symbol, but I was only using IE because their silly status bar display code didn't work in Firefox.
I was a bit dubious that the link was different to the text but I put that down as Earthlink being rubbish (kind of a double bluff).
True, but if you're too stupid to notice that you're logging into yahoo.somebodyelsesdomain.com when you're giving out your info then you probably shouldn't be allowed near the internet.
The real problem is the first click, the one that delivers a payload that just takes over the box, and that problem is for the most part, non-existent in any OS other than Windows / IE
--- It is not the things we do which we regret the most, but the things which we don't do.
Just because you think you have a foolproof phish finder doesn't mean it will continue to be foolproof. Even if they haven't already done it, (I thought they had) the bad guys will find a way to spoof a legitimate looking address.
Currently, a company wanting you to update your information should ask you to log into your account the normal way using a fresh browser. Clicking on a link in the email is probably poison. (or is it poisson, my french spelling ain't that great.)
In a world of ad-driven economies, with commercials and ads created for their hidden details to pass legal inspection, why would anyone expect illegal and invalid scams not to catch the eye of a consumer?
I drive by apartment complexes daily with "FREE RENT" written all over them. That is an oxymoron. Legal passed it, but it is another language than the English I was taught. It is a non-email scam.
Scams can simply be beat by the removal of obfuscation from society. The blinders are on. I just wish I was as untrusting as I and all others should be. I do not trust email. I do not trust web-sites. I still use 800 numbers off my billing.
wake up and move on
Your Slashdot Account has been Suspended! Please click here to correct the problem.
"Can there be a Klein bottle that is an efficient and effective beer pitcher?"
I responded that #6 was legitimate, so only got a 90%. It looks legit to me. The visible link as well as the rollover link point to the earthlink.net domain. How is this one fraud???
These people might have just thought they were clever. "Say, I didn't buy anything through PayPal..."
It is usually much easier than that. Look at the To: list on the email. Is it sent to several other userids that are very similar to yours? Or is it set to someone other than you that doesn't look like a distribution list? If your ISP, Bank, whoever is sending YOU an email, they will send it to you and only you (more than likely). I usually don't even have to go to the headers to spot these bogus emails.
But I agree with you about the HTML. I still use PINE as my main email client at home. Light, fast, remotely accessible. I have tried others, but have always come back to it.
I wish the site wasn't slashdotted, I'd like to see that test.
My beliefs do not require that you agree with them.
For those who want to take the test, here is a working (for now) link to the test off their main page: test.cgi?themailfrontierphishingiqtest
http://survey.mailfrontier.com/survey/quiz
The site doesn't work with Mozilla. First, the JavaScript doesn't display the real link when you move the mouse over the link, so you have to look at the HTML source to figure it out. Second, when you submit your answers, it just reloads the quiz.
I have a pretty simple (and accidental) solution. I never click on links in email! Rather, I open the web browser and go to the vendor's site as I always would.
Why? Because I use evolution on a linux box for email and IE on a PC for web. A KVM makes this pretty easy. Why do I do this? 'cause linux web browsers blow and windows mail clients suck.
To believe half of what we read in print and none in email.
Oddly enough, the test says the email from paypal that talks about a credit card ending with the number 2008 is legit, even though I have no credit matching that criteria.
The point of the above is that I can't necessarily tell if an email sent to someone else is legit or not. If I were to have received the email (assuming I dealt with those companies), my response would be to login to the website (without following a link in the email) to take any necessary action. If the website doesn't ask/tell me the same thing as the email, the email is a fraud.
Get an answer wrong, and we revoke your geek license on the spot.
But if you actually manage to establish a reliable connection to the test during the Slashdotting, you can get it back.
The article said that people thought an actual email from the FTC was fraudulent. I'm fairly sure that the FTC has never sent me a legitimate email. For that matter, any email of this sort that I'm not expecting is almost certainly fraudulent, especially if some third party doing a survey knows about it.
The closest I can imagine to them actually having a legitimate email in this survey is if they paid participants during the study using their PayPal accounts, such that money had actually been deposited in people's accounts like the email said.
- Checking the mail headers
- Checking where the links go
In this test, I do not see the mail headers, and none of the links go anywhere. In fraudulent emails from Verizon, they often go to www.ver1zon.com or to www.veri.zon.com. I can't tell where the original links went with this test... this is like a road test for a driver's license in which I do not have access to a car. Of course, these techniques will be unusable when we have Unicoded domains and we can have www.microsoft.com with an omicron, but that is a separate issue.
On 14 July I got an email from "etrade@etrade.p0.com", with links like "http://etrade.p03.com/u.d?kknMAEgJGVM4rIf=50" - not a joke, that's a _REAL_ E*Trade sponsored link. I reported it to abuse@etrade.com and the SEC, and got an email back from E*Trade saying it was for real. They're using some service called "Yesmail" to distribute their scam - er - that is - their marketing. Worse, it's all about changing your account number, changing their mailing address - the only way it could have looked more like a scam is if they'd said they were E*Trade's Nigerian branch. The SEC said, more or less, 'We'll look into it, and we'll never let you know anything about it - it's all a secret. Now go away.'
On the plus side, after I sent a nastygram back to E*Trade (where I equated their email to criminal negligence) they said "I am quite sory for such concern as this email has caused. We are reviewing such feedback as you have sent in to determine how we might better tailor our emails to alleviate such concern." (Which may or may not be legalese for "Get Stuffed".)
With friends like this helping us keep the scams at bay, who the _hell_ needs enemies?
-- No No No NO, Don't tug on that! You never know what it might be attached to. - Buckaroo Banzai
hahaha, try to get to their top 10 links, you end up with a form asking for your information and the text
Provide an email address and we'll send you the report.
"Top Ten Tips for Finding a Phish"
hahahaha, gold
Took the test, using Opera. All the links, when I hovered over them, pointed to http://survey.mailfrontier.com/survey/phishingtest/message_1/message1.htm#, which I assumed was part of their thing to not let you see the links. Got 6/10. Was somewhat puzzled, as I'm otherwise not a complete braindead dumbass. Checked back at it with IE... turns out if you hover over them in IE, it actually displays the URL it's supposed to go to, meaning I'd've (double contraction, eh) gotten 10/10 most likely.
So is it taking advantage of an IE security bug, or what? (For the record, I just checked it with Firefox and it does the same thing, so this is not just Opera being a piece of crap.)
(I'll probably get modded down, and deserve it too, but I'm too amused at the moment to care.)
Work is punishment for failing to procrastinate effectively.
I actually go to the trouble of notifying companies I do business with when I see phishing attempts. Conveniently, I have a relatively spam-free address to give to real people. I don't use it on Slashdot. I don't post to Usenet from it. And I have yet to see any phishing activity there. I have other addresses that get phishing attempts by the dozen.
I got 100%, too. Where's my prize? j/k This is an excellent way to drive home the point to family, friends, co-workers, etc. about the perils of clicking on anything and everything that comes up. Of course, there is that big red button on my computer. The beautiful shiny button. The jolly candy-like button.
It's all fun and games until someone loses the key to the handcuffs.
What I don't understand is how the Earthlink question (number 6) is a fraud.
The status bar indicates all of the links go to the earthlink.net domain.
Almost got "hooked" myself by a paypal phish - looked exactly like those account emails, had a https link. Wasn't until I stopped and looked closely at the server name and address that I realized it didn't belong to paypal. The SSL cert matched the server, but not, of course, paypal. Also, the "account" numbers didn't actually match mine. Paypal says they'll always include the last four numbers, or something like that, and this was pretty well done to look a lot like that. Worst of all, it was a two stage phish - the first screen only had you "log in". The second stage asked for account numbers and confirmation (AFTER a very paypalish "click here to pay us even more money for something you don't need" ad). What got me curious was that I typed the wrong password, and it still put me through to the account page.
www.voiceofthehive.com - Beekeeping and Honeybees for those who don't.
If it asks for nothing, or is leading to nothing, it is probably a real email. If it asks for credit card, address, your phone #, your anything and it wasn't expected, it's probably a scam.
For instance they said 30% were fooled by a paypal email saying your account was debited. Well if you'd just bought something for 29.99 and it said "paid mr x 29.99" you would know it was not a scam because a) it was expected and b) it's not asking for anything!
Fraudsters have an agenda.
Perhaps it is because of how much I've neutered Javascript on my copy of Mozilla, but I cannot meaningfully take the test - whatever mechanism they are using to allow the "hover over the link to see the link" doesn't work, so I cannot check the link.
Of course, they also don't show you the full message headers, and the messages are shown as HTML messages - something I also have turned off.
So most of the first cut tests I use to check a message are disallowed - this would be like taking a test on electromagnetic theory without being allowed to use math symbols.
www.eFax.com are spammers
Back a couple of months ago I wrote a review of earthlink's free toolbar with their scam blocker product.
It actually is pretty decent, and offers a pretty good first line of defense, provided people clearly see it as just that: a line of defense. They oughta more clearly communicate that this will not protect them from all phishing scams.
Extraordinary Vacations. Exceptional Prices
You're assuming that it's that blatant.
Some e-bay scams are ebay-update.com for example. Easy enough to see how someone could take that for real.
Well I guessed all the frauds. Then again I guessed that the MSN and Paypal e-mails were frauds.....
My hyperlinks aren't worth the paper they're printed on.
Hell, I use it all the time. Of course, I read it using Unix mush, and a wetware-based html render engine. =) If they can infect that with a virus, I'm already in trouble by definition. I must say, it does make most of the phish and spam stand out.
My main objection to the test: ALL the URLs failed my initial "phishing" test -- does the HTML text visible match the underlying source hyperlink? For the test, they were all linked to "#" with an OnClick popup. The "mouse over" trick to show you what it's nominally linking to doesn't work in Safari.
Oddly, I was still able to get 10/10 due to subtleties in style difference between the legits and the fakes (which I wish I could concisely quantify). Given the department I work for emphasizes the importance of both communication and ethics, I find it interesting that there seems a link here between poor verbal skills and criminal intent. I wonder if it's because the more eloquent have better ways to scam a living, or perhaps because so many of the scammers are non-native English speakers of limited fluency....
//Information does not want to be free; it wants to breed.
I grant you Merriam-Webster may not be definitive, but it's here (variant gullable included too, while I'm at it.)
I haven't seen this mentioned. Maybe I'm wrong about this. I've seen plenty of other answers which showed it was fraudulent, but they seemed more complicated than necessary.
The second I saw it was from Visa I knew it was fraud because no one has an account with Visa. You have an account with a bank. For example, you might have a Citibank Visa. You don't deal with Visa, you deal with Citibank.
This is a *moronic quiz* (and no I haven't taken it - I refuse to on the grounds the premise is so retarded, but I did look it over carefully).
In this quiz, you're not allowed to examine the URLs (to see if the 'links' point to where they appear to)...*boggle*. That's exactly what you SHOULD do.
I've had a couple of emails over the last year asking me to 'check my account details' and 'login or it will be suspended'. Thinking they sounded suspicious, I checked them out, the domains in the URLs and the RIPE records, to make sure the IPs the hostnames pointed to matched up with the company in question. Both sounded very suspicious, but turned out to be completely genuine because I know how to check them (whois netsol, RIPE, ARIN (et al), host/dig are your friends - well not netsol they are cu^W^W...).
If I'd simply dismissed those two emails out of hand I would have locked myself out of accounts I find most useful. Encouraging people to base decisions on *hunches* when it's straightforward to check the facts and make an informed decision is completely irresponsible.
This test completely misses the opportunity to educate people in a really meaningful way by allowing you to actually examine the 'emails' in full, because it would be bloody obvious to tell the fraudulent ones apart from the genuine ones, just as it is in reality.
If you are directed to a URL like https://www.paypal.com/ - which you recognise as the official website for the company in question, you may as well assume it's legitimate. However, if the link actually takes you to a URL like http://www.paypal.ru/, or if they email you from an address like/solicit replies to paypal@yahoo.com - you're fairly obviously being shafted. Really it's not rocket science.
I had this when I was directed to a site called www.ups-europe.es from a guy in Spain, who I'd been in contact with via eBay. One quick 'whois' check showed clearly dubious registration details for the domain, and the whois against ripe.net against the IP the hostname pointed to showed the site was hosted on a virtual server at an el-cheapo ~10 Euro-a-month consumer hosting company (not the sort of setup a UPS site which handles financial transaction services is going to be hosted on). So I strung him along, got some details out of him, and eventually handed everything over to the police when I was done playing with the guy.
The point here should be to teach people how to check for themselves (and make it easier for them too, through better software design), not to encourage people to make decisions like this based on 'their feelings' about an email.
Yes, many people took a legit email from the Federal Trade Commission as fraud.
But if you think about it, how many people receive emails from the FTC? How do we know what it's supposed to look like?
This was a dumb Slashdot article.
How are you supposed to determine whether the message is fraud or not when all the link URLs have been changed to something meaningless?
Don't trust any unsolicited requests for money, property or personal information. If everyone did this, scammers would get nothing and as an added bonus, telemarketers, spammers and other unsolicited push scumbag marketeers would go away because their advertising would have zero return.
The test was completely meaningless as you couldn't do all the correct things you SHOULD do to check the authenticity of an email.
It encourages people to base decisions on *hunches*, which is utterly retarded. You could take a genuine email and alter the URL and you'd never know you'd been duped if you went by the examples in this test - you'd just think it looked real, click on the URL, login and end up being scammed.
This 'test' is utterly worthless as a result. You *can't* tell just by looking at the surface content of an HTML rendered email. If you can't look at the email headers or the URLs you have no way of knowing all of them aren't spoofed.
Based on the e-mail content alone. Using Mozilla 1.6
www.facebook.com/DareDefendOurRights
www.fairtax.org
Mozilla Firefox recently added some nice anti-phishing features to the 1.0 branch. Some features include:
-Display of the site domain name in the status bar while in secure mode. (Bug #245406)
-A warning box that displays when a site is using unnecessary http authentication in the URL (ex. http://example.net@example.com/ ) (Bug #232567)
I believe it is a good thing that Firefox is starting to implement some anti-phish features and hope that other browsers will start doing the same.
[NOTE: You will have to cut and paste the above links due to bugzilla.mozilla.org rejecting slashdot.org referrers.]
-Valen
I also got 90% by being too cautious. I thought the Microsoft one looked funny. But this wasn't a valid test since we couldn't see the target URLs.
OOKAY. Now, as a few of you have pointed out, the test is in the LINKS, the information that the so-called experts that designed this test *REMOVED* from the email(s) in the first place.
Is their idea that we should rely on spelling to identify bogus email? What if the Nigerian Scammers learn to spell, should we believe them, too? And what if they get email from G. W. Bush, is that implicitly a scam because the man can't spell?
This is *PATHETIC*. The user has to learn how to check the URLs (and then actually do check them), in order to tell whether an email that asks you to provide confidential information is legitimate or not.
And if you determine that the email may be legitimate, you STILL do not click on the link, you go to the site directly, by using your pretty fingers and typing yourself Ebay/Paypal/etc in your browser (which better not be IE - and can Outlook too while you are at it) and logging in yourself. If you need to verify something, the system will prompt you for it once you are in.
This test is a shameful steaming pile, and I will certainly not EVER recommend, use or purchase any products from the company that released it!
--- "I didn't think anyone would understand it" -Prof. Bob Muller
...for Slashdotting the servers. In true /.-spirit, I'll comment without having RTFA!
I have received quite a few of these like most people, and after what - 10 to 15 years on the 'net - I'm still not sure what to think when VISA tells me my card is revoked due to fraudulent use and I have to go to a web site to check it. If the mail is sufficiently advanced, I write my bank with a copy to phishing@visa.com to avoid any financial losses in case there is any truth in it. I never, ever, go to the URL.
It's just plain ol' fun to get messages that my mail account at my personal domain is revoked (and I know who has root 'xcept me), or that I am apparently sending Windows virii to some guy in Australia (no, Sir, I do not run Wine that frequently).
What is the sound of one hand clapping?
cat
Did anyone else think it was weird that the Hotmail one was sent to a non-hotmail address? I marked it as bogus just in case. There went my perfect 10.
Rik
Even though the displayed html component is wrong, the actual links that they reference are all owned and operated by earthlink.net.
So even though there are 2 typos, it wouldn't be the first time that a valid company screwed up in that fashion.
After doing nslookups on the names, and doing whois on the returned ip addresses, all the entries appear to be under earthlink.net's control.
So I placed it as legit, although typos were included.
The only major typo that wasn't actually owned by Earthlink was the wwwearthlink.net entry - which was owned by Interserver, Inc.
However, the URL that was referenced by the text that was displayed was www.earthlink.net which was correct.
So, if it was supposed to be fraudulent, the referenced URL was a typo.
Either way, I win - it was okay!!!!
Who is general failure, and why is he reading my hard drive?
Use what I wrote and avoid the hassle/security risks of malware and phishing:
SpamByte: Game Over, Spammers/Computer Crackers.
Register.com sent email to all registrants telling them to log in and update their information, because of new ICANN regulations. It was sent by a 3rd-party mailing company, but I called register.com's phone support, and they said that it was in fact real. Of course, when I went to check my info, I typed it in rather than using the link from the email.
They need a bonehead-of-the-year award for that little stunt.
I just put fraud on all 10 of the questions but I only got 70%....but I would never have been exposed to fraud if I deleted all of those e-mails. Makes you wonder how slanted their test results are...anyway the funny thing is that I use linux and they said an e-mail link to microsoft is not a fraud....who are they kidding :)
stendec@gmail.com
The Hotmail one tripped me up too, since I wasn't sure if *everything* under *.msn.com was really trustworthy. For all I knew it could have been some MSN user's home page about to redirect me to another fraudulent site. It's better to be too cautious, though.
On the other hand, consider that in this test, subjects were actively thinking about whether or not these emails were fraud. They had advance warning that they might be exposed to fraud. That doesn't happen in the real world...the general assumption when you get an email from a service to which you subscribe is, "Oh, this service I use is trying to contact me about something important."
It's kind of like April Fool's Day. Play a prank on somebody on April Fool's Day, when they're expecting it, and they might not fall for it, because they're on the lookout. On any other day, the same prank might succeed easily, because the victim is caught off guard.
We don't have a state-run media we have a media-run state.
Although the phishing test was cool, I don't think it was all that accurate. The first thing, one said the earthlink email was a fraud but the link I saw was http://www.earthlink.net. So unless someone stole their domain, it's not much of a fraud. Second, I didn't see any examples that were close to what I have actually seen in email. Things like http://citibank.com@somedomain.tv/scampage.html, for one example.
all the links say "Go to: # on this page" when moused over.
http://slashdot.org/~Seth%20Finklestein
I got number 6 wrong. The Earthlink one. I failed to notice that "failure" was spelled without an "i" on the third line of text. As such, I am turning in my geek license. I'm allowed to re-apply for it, right? Question: If I chose two e-mails to be fraudulent, when they were really legit, I don't get docked for that, right? I know I got them wrong, but I should get props for playing it safe.
I got 10/10 and didn't check any IP addresses, headers, or domain names. I think most of the scams are extremely obvious. 1) Any email with a link that asks you to enter your credit card information in the linked page is bogus. 2) An email that gives you instructions on how to log on to the company website manually to enter details is ok. If you enter www.paypal.com into your browser yourself, you know it's the legit site. 3) Major grammar/spelling mistakes mean it's a hoax. 4) Emails that contain an enormous amount of legal information have a higher likelihood of being legit. 5) Emails with information about maintaining account security have a higher likelihood of being correct. Most companies will now try to avoid sending emails that resemble phishing scams (no links to enter your credit card information). So it should become easier to spot scams now.
I am using Mozilla 1.6 on Linux, and none of the links work, nor do they show anything in the status bar. I think the test is broken for Mozilla. Since when did Slashdot become a hangout for Windows users that pretend to be Linux zealots?
Interesting idea, but if I can't see the mail headers and have to look at the message in HTML format instead of text, yeah, *then* it could actually become hard to distinguish between phishing expeditions/scams and real mail, in some cases.
Every expression is true, for a given value of 'true'
You're right, but most people don't know how to check the headers, much less look up the IP. But the two easiest checks against these types of messages weren't available in the test:
1) Does it make sense that I would get this? If I don't use US Bank, for instance, it's obvious it's fraud. But for the sake of the test, I think they assume you're involved with those companies, and that's okay.
2) More importantly, they don't let you check where the links are going to. If I rollover "www.paypal.com" and in the little bar in my browser it says "www.paypal.com," I know it's alright. But if it says "ccnums.steal-this-suckers-identity.com"...
c-hack.com |
I know if I ran a business, I'd really hate to have a competitor able to buy a "mistake" in the plugin that prevented my site being reachable...
And, regardless, a means of verifying that the remote party is who they claim to be already exists. It's called PKI, and it's available at an https link near you.
Although the contents of the original email can sometimes indicate a scam, most often it is the content of the linked URL or the address of the linked URL which gives it away. If the address of the URL is hosted on the domain (such as PayPal), the phishing scam would also require the phisher to hack the domain in question.
The test disabled the links so no one would click them, but they tried to give it the same effect by using mouseovers. Mozilla Firefox didn't show the mouseovers for some reason. I had to view the page source to determine if the link displayed matched the address it was actually taking you to. I'm surprised so many people here have actually been fooled.
Learn HTML.
I don't think anyone will go far with this link: https://ebay.com/account_verify/cgi/index.htm (eBay #8)
If you click on the link in TFA, you get right in.
But I wasn't sure about the rules for finding the good and bad. Others have mentioned the lack of URLs so that made it more difficult to inspect the links; that's what I generally do.
So without that info I had to improvise.
Anything that had no link (5) or a well-known link (1) I considered OK.
Anything that ran a CGI and had no independently verifiable info I considered suspect (2,4,7)
Anything that threatened to "nuke" an account and had a link I considered suspect (3,6,8)
(9) was tricky. However, since it didn't ask for information and was already personalized with information that could be verified independently (that is, ship-to, etc.) it seemed OK.
(10) had a blind link and no personal info.
IF THE STUDY WAS CONDUCTED LIKE THE WEB TEST THEN IT IS INVALID
Of major importance in judging fraudulent mail is knowing the policies of the company that the mail purports to be from. That is information that I don't have if you just show me mail from a company I don't deal with.
I read through the first 5 messages (all of which I judged correctly) before deciding that the rest must be frauds, seeing as I don't have dealings with MSN, citibank, paypal, earthlink etc. How could an email to me about paypal be legit when I don't use paypal?
If that's so, then why did we all score so high (I got a 90% -- I thought the "paypal shipping" one [#9] was a fraud)?
The reason is that there's one way you can tell: ALL the frauds had text saying "click this link" The two legitimate ones other than #9 told you to sign in, but didn't provide a link. (although they did provide other hyperlinks -- just not to the login page)
#9 fooled me because it had a link to click.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
I'd like to thank all the stupid users at my workplace for this honor. If it weren't for them constantly sending me their suspect emails, asking "is this real or fake?" I wouldn't have been able to get 10/10! Finally I can take comfort in knowing that when a user emails me a virus infected email, asking "is this a virus" even when their anti-virus software has clearly marked it as a virus, I can say with confidence, Yes it is! Now don't ever send it to me again because you're the 9th dumb fsck who sent me the same message!
1. Microsoft Email Link - Legitimate ... CORRECT
2. PayPal Email Link - Fraud ... CORRECT
3. eBay Email Link - Fraud ... CORRECT
4. US Bank Email Link - Fraud ... CORRECT
5. PayPal Email Link - Legitimate ... CORRECT
6. Earthlink Email Link - Fraud ... CORRECT
7. Citibank Email Link - Fraud ... CORRECT
8. eBay Email Link - Fraud ... CORRECT
9. Paypal Email Link - Legitimate ... CORRECT
10. Visa Email Link - Fraud ... CORRECT
You got 10 out of 10 correct, or 100 %
Apparently there is some javascript that is intentionally obscuring the urls when I mouseover in firefox -- definite red flag in my books. So I right click the URLs to force them to display, and every single one points to somewhere other than the claim -- they all go to survey.mailfrontier.com. Sounds like mailfrontier.com is trying a massive phishing scam.
Sheesh. If you're going to try a test like this at least try to make it realistic. The first thing I do is look at the actual link source. Only if that seems legit would I bother to spend time actually reading the message.
...I got a 100% just by asking the question "Are they actually trying to get any personal info from me?" If yes, then mark as scam. The only exception is if the e-mail instructs me to manually log in to the correct site (as in the MSN e-mail) to update my info.
Human being (n.): A genetically human, genetically distinct, functioning organism.
The only way a true geek can tell if an email is a fraud is by checking where the links go. In the test all the links had been redirected, so the test results are a tad skewed if they include the false "frauds."
That is, I was fairly sure that one of the links looked an awful lot like a real email I had received, so I rated it as non-fraud.
All the others I rated as frauds because "if I cannot validate the link targets, it is classified as fraud no matter where it came from." So I mis-marked a couple of the "legit" ones as frauds.
Does that mean I cannot tell the difference? No, it means that I use the "if you don't know, don't trust it" rule.
Besides, at those prices, "legitimate offers" from the provider were sufficiently outrageous to set off my "ripoff" detector.
If a real company wants to charge me an unrealistic fee for a trivial service, it's a fraud email even if it *ISN'T* "phishing" 8-)
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Just want to point out that two of the "legitimate" emails on the web survey could easily have been fraudulent. These are the "Don't lose your MSN Hotmail account!" email and the "Your credit card ending in 2008 will expire soon." email.
In fact, I've seen a version very similar to the credit card expiration link that warns about typing in the URL but then goes ahead and provides a clickable link anyway. When you look at the code, the link actually goes to a completely different URL than what is displayed, using the old trickery of "http://paypal.com@12356789/cgi-bin/trickedyou.cgi".
For those not familiar with the trick, "paypal.com" in the above url is the login name the web browser is instructed to provide to the web server while 12356789 is the decimal representation of the web server IP address.
Only the shipping notice fails to smell fraudulent. Even that could be rigged if you wanted to, by having the tracking link require you to "open a free UPS tracking account."
Of course, if they'd provided the entire emails instead of just the html representation, any techie could have sorted it out. But not the mere mortals.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
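The link checks this thread keeps coming back to (does the visible link text match where the link really goes, the http://paypal.com@&lt;decimal IP&gt; credential trick explained in the post above, and bare dotted-quad targets), as an added Python example that is not part of the original thread or of MailFrontier's quiz. The sample e-mail body, the helper names and the 192.0.2.10 address are constructed for the example.

```python
"""Flag common phishing-link tricks in an HTML e-mail body.

Added example for this thread, not the MailFrontier quiz code or any
commenter's tool. Checks: visible link text vs. real target, the
user@host credential trick, decimal-encoded IPs and bare dotted quads.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body: one honest link, the paypal.com@<decimal IP>
# trick from the thread, a lookalike host, and a bare dotted quad.
SAMPLE_HTML = """
<p>Dear customer, please <a href="https://www.paypal.com/">log in</a>.</p>
<p>Or use <a href="http://paypal.com@12356789/cgi-bin/trickedyou.cgi">www.paypal.com</a></p>
<p>Verify at <a href="http://www.ver1zon.com/verify">www.verizon.com</a></p>
<p>Update <a href="http://192.0.2.10/login">www.earthlink.net</a></p>
"""

# Visible text that looks like a hostname (so it can be compared to the target).
HOST_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def decimal_to_dotted(value):
    """Decode the decimal IP form from the post, e.g. 12356789 -> '0.188.140.181'."""
    return str(ipaddress.IPv4Address(int(value)))


def _site(host):
    """Crude registrable-domain approximation: last two labels, lowercased."""
    return ".".join(host.lower().split(".")[-2:])


def audit_link(href, text):
    """Return the reasons a link looks like a phish (empty list = nothing found)."""
    reasons = []
    netloc = urlsplit(href).netloc
    if "@" in netloc:
        # Everything before '@' is sent as a username; the real host follows it.
        netloc = netloc.rsplit("@", 1)[1]
        reasons.append("credentials before @ hide the real host %r" % netloc)
    host = netloc.split(":")[0]
    if host.isdigit():
        host = decimal_to_dotted(host)
        reasons.append("host written as a decimal IP, i.e. %s" % host)
    try:
        ipaddress.ip_address(host)
        reasons.append("target is a bare IP address, not a company domain")
        is_ip = True
    except ValueError:
        is_ip = False
    if HOST_RE.fullmatch(text):
        # Visible text names a site; it must agree with where the link really goes.
        if is_ip or _site(text) != _site(host):
            reasons.append("shown %r but links to %r" % (text, host))
    return reasons


def audit_email(html):
    """Audit every link; returns [(href, text, reasons), ...] in document order."""
    return [(href, text, audit_link(href, text)) for href, text in extract_links(html)]


if __name__ == "__main__":
    for href, text, reasons in audit_email(SAMPLE_HTML):
        print("OK   " if not reasons else "PHISH", href, "|", text)
        for reason in reasons:
            print("       -", reason)
```

The same audit applied to a message whose links all point at "#" with a JavaScript handler, as several posters found in the quiz, reports every one as "shown X but links to ''", which is itself the red flag they describe.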
Take away my Geek License, I'm ready for a hot date!
I notified PayPal and the hosting company immediately.
After snooping around the site a bit I found the file it was logging all the info to. The first entry was the scammer testing the page. The IP traced back to an .ru domain.
I couldn't believe how many people were falling for the scam. In about two hours there were over 200 legitimate looking records with another 50 flames from people who recognized the scam.
The whole time I was emailing the newest additions to the list to let them know they got scammed. Some of them thought I was trying to scam them and wanted proof. A little cut-n-paste from the log let them know I wasn't lying.
After a few hours the host got the site shut down but I'm still amazed at how many people fell for a seemingly obvious scam.
Granted they did not provide the headers, but they did provide the actual links from the emails; they were just scripted as javascript mouseovers just in case someone might be stupid enough to actually click on one and fill in their CC details or something. By looking at the links it is easy enough to tell for certain which ones were frauds. And yes, the status bar change does not work in Mozilla or Firefox, but you can tell by viewing the source, or the easy way: highlighting the link, right clicking on it and selecting view selection source from the context menu.
Windows is a bonfire, Linux is the sun. Linux only looks smaller if you lack perspective.
I mean we can all point and laugh at the relative patent uselessness of phishing attacks against the clueful and caffeinated at the moment, but what about when the sophistication grows to the point where the plaintext is utterly indistinguishable from the genuine article? Man in the middle attacks or genuinely technically ingenious phishing is a scary concept in light of the lack of crypto current in e-mail based business transactions.
Just a thought.
Therefore, none of them were actually scams. All the links went nowhere, and they were for some reason trying to trick us into thinking they went to some suspicious web site.
Normally, a scam would have the actual link to the suspicious web site, and then use JavaScript to trick us into thinking it's the real site.
They fail it.
Karma: It's all a bunch of tree-huggin' hippy crap!
The correct answer was that they were all possible fakes. The test itself is wrong, as there are holes in IE and Windows that would allow any one of these items to actually deliver your confidential answer to an unknown destination. At this time, given the number of unfixed bugs in IE and Windows, and given the typical user's unknown patch level, the correct answer is to NEVER submit such details in a solicited e-mail.
I counted them all as fraud because of the Javascript mouseovers for links.
That will work unless the phisher is using a man in the middle attack, DNS cache poisoning, or broken into your ISP's DNS server and replaced it with one that will redirect you to his or her own phishing site. Heck, a good phisher could break into the root DNS servers themselves, so even a whois and nslookup wouldn't detect it. Of course, the best phishers would just tap the T1 (or whatever) line at the company and redirect you from there. Without actually going to ebay/citibank/etc and physically inspecting the line for wiretaps, there would be no way to detect it.
I scored 100% (10 out of 10). This is an excellent way to test your wits. Any nerd can check the e-mail headers or HTML links. This test isn't about that skill. It's all about whether you can read between the lines and ferret out the legitimate messages from the scams based on the body text. Anyone can avoid being scammed by not going on-line, not answering the telephone, not talking to another person. The real skill lies in reading someone face to face or the story they tell/write.
signature pending slashdot approval
I voted that they were all frauds because the onMouseOver displays a message different to the actual links. I think that because they didn't explain that they modified the e-mail and the onMouseOver display text wasn't in the original e-mail. That probably explains the low results they are getting
X-Has-Sig: yes
You might think it is funny that the site requires Internet Explorer; I would say it's appropriate. Who gets caught by these scams anyway? IE users.
This is a really stupid test. The headers are missing, so it's impossible to say with certainty whether or not each message is forged.
Apparently the point of this test is to teach email newbies how to guess whether an email is fraudulent or not based on its content. This is the wrong way to do it. One should not guess.
The correct thing to do would be to teach Microsoft Outlook etc users how to view the full RFC822 headers, and teach them the meaning of 'Received:' lines, and thereby give them the tools they need to find out for sure whether mail is fraudulent.
It proves little to show that 28% of users can't pick fraudulent email when the information enabling them to pick it properly is missing. This is addressing the wrong problem entirely.
What you missed is that one of the links uses whitespace to obfuscate the real destination: 'http://www.earthlink.net{whitespace_removed_for_lameness_filter}@curvet.co.kr/curvetdb/images/CVS/'
The spaces move the end of the URL past the end of most status lines.
I was actually a little disappointed in the test; every single phish was easily spotted because the links in hrefs contained in the HTML source didn't match up with either the sender's domain or the displayed link. It's pretty clear from the results that HTML email is a dangerous thing. I'm really shocked that anyone who was familiar with this sort of con would get less than 100% correct. You can't spot a phish by content, you have to scan the source.
See, the online test is frustrating: you roll over the links and they're all dummies telling you not to click. Being able to see the actual link target is at least half the technique in spotting phish mails. Otherwise you're just looking for questionable policy claims or spelling errors, since these days the graphic design of phish mails is impeccable.
I agree the test was mostly pointless. However, the point they seemed to be making was that any message that contains a link that says "click here to give us information!" is almost always bogus.
The one message from PayPal that said you needed to give them information because your credit card information was about to expire didn't give you a link - it gave you instructions, starting with "type http://paypal.com into your browser". This way, there should be no mistaking where you're actually going.
Even if they'd left things in like the headers and the actual links, your average user wouldn't know what to look for anyways. Most people don't know that "http://earthlink.net@hacker.com/phish.cgi" doesn't actually go to Earthlink. Even then, unless they actually look at the source HTML, it's easy for a phisher to come up with a legitimate looking, but completely bogus URL that will be too long to be fully displayed at the bottom of your browser window.
Seriously. You're so *good* at detecting bogus emails. How did you score? (without doing any googling!)
None of the mails in that test have illegitimate from or to addresses.
Go on, explain how you would detect the 3 "legitimate" emails in that test...
The fact that it (actually) originates within the Evil Empire means you should probably NOT click it, for _any_ reason.
The quiz "answer", that the MSN email is legitimate, is therefore incorrect. MSN is an illegitimate network, run by a criminal organization. MailFrontier is hardly the last word on what you do or do not want in your computer.
Expect the Empire to play on people's fear. That's all they have left. The whole monopoly is now supported by the Fear, Uncertainty and Doubt that, if you install Linux on your PC, it will either melt down, be impossible to use, or you will be sued by sco.
I "missed" that question, too.
Exceeding the recommended torque is not recommended.
One of the most important things you can do for email (not just applied to phishing, but also for establishing the legitimacy of identities) is to learn how to read email headers. If you're unsure about an email, check the headers -- the vital part is the IP address within [square] or (curly) brackets on the topmost Received: lines. You can trust top Received lines, but ones after your ISP's hop can be forged.
The host name of the connecting mail peer will usually appear beside the [IP] address. Beware of forgeable host names. The best check, by far, is to do a WHOIS lookup on the IP that sent you the email and see if it makes sense.
e.g. VISA, Paypal, real banks, etc. will never deliver mail through a cable customer IP! Expect the IP to belong to the company. It's really simple to check, and unforgeable.
Here's an idea:
Mozilla plug in that traps HTML anchors, and if they don't match what they are linking to, shows a popup -
"Are you sure you want to click this link? Because it really points to here..."
It could even attach a danger level to the popup. e.g. a mouseover status bar change to another URL would be questionable, as would dodgy characters in the URL to cause problems (there was one with a % in it floating around a while ago). Maybe even a database of fraudulent websites? It would have to remember the false positives to prevent annoyance.
Just an idea. Somebody might have already done it. I wouldn't know where to start to write it, but if this was a software patent - it wouldn't matter.. snigger
One of my filters or browser settings was killing the onMouseOver status changer, so the test more or less fell flat. Does this score me over 100%?
do I get to keep my geek cred?
Actually I get the citi bank email all the time and it is usually from somewhere in China. I also get the 419 letters, which are usually quite funny. They have been updating them recently.
Sounds like someone's bitter about failing the test!
Damn spaces.
Perhaps instead of displaying the URL, email clients should ONLY display the domain the URL goes to...
Why? The links are not working.
:)
All the fraud-mails I get refer to illegitimate websites or servers in China or Russia.
Another way to check the validity of the mail is to check the mail headers and see if they are correct.
But still I scored 70%
The funny thing is I would have scored 100% if this was for real. Why? I don't do PayPal, Visa, Earthlink and so on
And GENERAL MOBUTU is not my african friend, so I'm not falling for his sweet talk either...
Privacy is terrorism.
The _only_ way to tell the real thing from the fake is to look at the actual URL the link points to.
The morons who run the test changed them all to point to their own site; so every one of them is clearly fake.
Relying on any other content in the email is just stupid; the phishers will just improve their spelling and wording until it starts fooling enough people again.
It's obvious to me that you're using all the wrong methods to check authenticity. Ordinary users shouldn't be looking at the html content of their emails; they should be educated that the contents of an authentic email require them to log into their account (no link provided; if you're a subscriber you should already know how to get there), and then click the "do the necessary job" button.
Starbucks, Harbuckle of Breath.
And, yes, nothing is unbreakable, but if you truly cared about the remote possibility that someone would go to that much trouble, you'd care a lot more about the much greater possibility that someone would crack a server your data is located on, and you'd be living off the grid with your own generator and shooting at tax collectors.
If corporations are people, aren't stockholders guilty of slavery?
It would've been funny if you had to register with your email address to take this test.
There's never enough when you have too little
Funny .... All of the links pointed to "http://survey.mailfrontier.com/". How am I supposed to determine if a message is legit, if I can't check the target ?
:(
In short : this test is BOGUS.
And why would I click on the "legitimate" message hyperlinks?
I don't trust any of these messages, therefore I'm not clicking on ANY hyperlink in such a message, ESPECIALLY if they all go to the same place which these do.
This means I got a 70% score because I clicked "fraud" on all of them.
Actually my score is 100% because I was properly suspicious of links that did not go to the proper domains.
The idiots who made this test tell you to scroll over the links. I did. They were wrong links, so I marked them all as fraudulent. How is this wrong?
It's not.
You should be wary of even clicking on a link that DOES go to the proper domain when you get this sort of message. How do you know a session or domain hijack is not in operation?
If somebody wants me to change my info even just by going directly to their site, they better have SSL running.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
And that was correct.
Exactly what I did.
Particularly since they TELL you to mouseover the links. If they hadn't said that, I might have tried to interpret the displayed links, but probably would have marked them all frauds anyway if I couldn't be sure from examination.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
This isn't new.
Member of Orkut? Annoyed with spam?
I took the test thing. Apparently I failed it by Slashdot standards because I thought the first message ( http://survey.mailfrontier.com/survey/phishingtest/message_1/message1.htm ) was a fraud and it's not. I mean, I know the link said msn.com, but... asking you for money, threatening you if you don't pay them for the extras, sending you advertisement to a non-MSN account when they're an e-mail provider when their little policy on the bottom says that they only send you update info... how the hell is that an official e-mail? Does Hotmail suck that hard?
Wayne: "It sucks rhino!"
Garth: "It sucks blue whale!"
Wayne: "It sucks Wookie!"
Garth: "Wait a minute, Wayne, a blue whale is bigger than a Wookie."
Wayne: "Oh, I'm sorry, Garth, I thought we were going for obscurity."
When I get an html email, if I, for whatever reason, wanted to go to that company's site, I never click links from the email. I always manually type the url in my browser (never IE). I never trust http links in any email ever.
No, it's teaching someone to follow their hunches, and anything that requires you to "reverify" or to "check the status of your account" via a link whose destination you cannot easily determine is good enough to be suspicious. It's really doing a good job of telling users: "BE SUSPICIOUS."
:)
They are trying to teach people that NONE of the sites that house your personal info will EVER send you a "please verify" in email. They don't need to. People need to be told that. If they do tell you to access your account information, they do not provide a link, but instructions on how to get to it.
Most importantly, there is no such thing as completely harmless email... if you're a Windows user.
It's the Stay-Puft Marshmallow Man.
. . . one had to take it using an insecure browser? There's some humor there, somewhere.
Without headers, working links (to harmless, locally hosted copies of the original pages), or context, I'd be surprised if anyone gets a perfect score.
Newsflash! 30% of gold watch buyers cannot distinguish between a real and a fake timepiece, when shown a black and white photocopy of a photograph of an advertizement. Watchmakers band together to demand something be done to protect our economy from this growing threat.
And, while we're at it - setting up a loaded quiz in order to frighten people and then requiring their names and email addresses in order to offer security advice may not be fraud, but it sure isn't a friendly way to do business.
If the email says to login then update your information without providing a link it's probably okay; if they provide you a link and it looks technical then stay away.
500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
And yes, this is the result of my first try....
1. Microsoft Email Link ... Legitimate ... CORRECT
2. PayPal Email Link ... Fraud ... CORRECT
3. eBay Email Link ... Fraud ... CORRECT
4. US Bank Email Link ... Fraud ... CORRECT
5. PayPal Email Link ... Legitimate ... CORRECT
6. Earthlink Email Link ... Fraud ... CORRECT
7. Citibank Email Link ... Fraud ... CORRECT
8. eBay Email Link ... Fraud ... CORRECT
9. Paypal Email Link ... Legitimate ... CORRECT
10. Visa Email Link ... Fraud ... CORRECT
You got 10 out of 10 correct, or 100 %
Actually, I never tried detecting phish attempts without being able to examine the links, until now. I can see how people could fall for them. Makes me want to start a two day class at the local community college. No Phishing 101
Basically, the link has a boatload of spaces after it. You only see the first part, because the ending scrolls off the viewbar. Personally, I took the fact that the URL shown in text did not match the viewbar as a warning sign. That, and the fact that I don't subscribe to EarthLink. =)
If you view the source, you'll see this quite plainly:
<a href="http://www.earthlink.net
@curvet.co.kr/curvetdb/images/CVS/">
[The original test used java, but I made this HTML for clarity.]
--LordPixie
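The two href tricks quoted in this thread, the "paypal.com@12356789" userinfo-plus-decimal-IP link described further up and the whitespace-padded "www.earthlink.net ... @curvet.co.kr" link shown just above, are caught by the same check, which is also roughly what the "Mozilla plug in that traps HTML anchors" idea earlier in the thread would have to do. What follows is an added example in Python; it is not code from the page, from MailFrontier, or from any browser extension. It pulls every anchor out of an HTML message, normalises the href the way the lenient browsers of the day did (assumption: embedded whitespace is simply dropped), works out the host that would really be contacted, and compares it with the host the visible link text suggests. The sample message is constructed: the earthlink.net/curvet.co.kr and paypal.com/12356789 links reproduce the ones quoted in the thread, and the UPS tracking link is an invented clean control.

```python
"""Flag phishing-style anchors in an HTML e-mail (added example)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message. The first two hrefs reproduce the tricks quoted
# in the thread (whitespace-padded userinfo, decimal IP); the UPS link is an
# invented clean control.
SAMPLE_EMAIL = """<html><body>
<p>Dear EarthLink member, please confirm your billing details at
<a href="http://www.earthlink.net
                                        @curvet.co.kr/curvetdb/images/CVS/">http://www.earthlink.net/billing</a></p>
<p>Your card is about to expire, update it at
<a href="http://paypal.com@12356789/cgi-bin/trickedyou.cgi">paypal.com</a></p>
<p>Track your parcel: <a href="https://www.ups.com/tracking">www.ups.com</a></p>
</body></html>"""

_WS = re.compile(r"\s+")
_DOMAIN = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def real_host(href):
    """Return (host the browser would connect to, whether userinfo was present).

    Assumption: like the lenient browsers of the time, embedded whitespace in
    the URL is simply dropped before parsing.
    """
    parts = urlsplit(_WS.sub("", href))
    host = (parts.hostname or "").lower()
    if host.isdigit():
        # 12356789 is a decimal IPv4 address, not a name: show it dotted.
        host = str(ipaddress.ip_address(int(host)))
    return host, parts.username is not None


def displayed_host(text):
    """Host the visible link text claims, or '' if it does not look like one."""
    if "://" in text:
        return (urlsplit(text.strip()).hostname or "").lower()
    m = _DOMAIN.search(text)
    return m.group(1).lower() if m else ""


def check_anchor(href, text):
    """List the reasons an anchor is suspicious; an empty list means clean."""
    reasons = []
    if _WS.search(href):
        reasons.append("whitespace inside href")
    host, has_userinfo = real_host(href)
    if has_userinfo:
        reasons.append(f"user@ prefix hides the real host {host}")
    try:
        ipaddress.ip_address(host)
        reasons.append(f"target is a bare IP address {host}")
    except ValueError:
        pass
    shown = displayed_host(text)
    if shown and shown != host and not host.endswith("." + shown):
        reasons.append(f"text shows {shown} but link goes to {host}")
    return reasons


def scan_email(html):
    """Return [(href, text, reasons)] for every anchor in the message."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [(h, t, check_anchor(h, t)) for h, t in collector.anchors]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(f"{text!r:40} -> {real_host(href)[0]:20} {'; '.join(reasons) or 'ok'}")
```

The host comparison tolerates a displayed apex domain resolving to a subdomain of itself, but nothing else; a mismatch, a user@ prefix, a bare IP or any whitespace in the href each produce a separate reason so the reader sees which trick was used. A modern browser strips tabs and newlines from URLs but rejects spaces, so the whitespace check matters more as a tell than as a predictor of where a current browser would go.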
Uh the links aren't SUPPOSED to work. This is the whole point of the test: to see if you can spot invalid links. None of the links should work (if they do, something is very wrong!).
It's a good test - I got them all right, by one simple rule - if it tells me to type in a URL, it's probably good. If it asks me to 'confirm' info and gives me a link to click, which I may not be able to see the totality of, it's a fraud.
And I have never had accounts with any of the services to even know what a legit one might look like.
One of their fraud emails has a link to:-
http://secure-ebay.com/aw-cgi/eBayISAPI.php AND IT'S STILL UP!!!
secure-ebay.com = [ 208.42.94.181 ]
Domain Name.......... secure-ebay.com
Organisation Name.... Jose C. Hernandez
Organisation Address. 302 Joelson Rd
Organisation Address. Umpqua
Organisation Address. 97486
Organisation Address. OR
Organisation Address. UNITED STATES
Admin Email.......... secure01eby@yahoo.com
Admin Phone.......... 1.5416724954
Admin Fax............
WTF??
The link has a bit of javascript which brings up the ebay logon screen, resizes it to full screen and then pops up its own window to ask for account details with this function:-
function popMe() {
    var iMyWidth;
    var iMyHeight;
    // centre an 800x600 popup on the screen
    iMyWidth = (window.screen.width/2) - (400 + 10);
    iMyHeight = (window.screen.height/2) - (300 + 50);
    if (navigator.appName=='Microsoft Internet Explorer') {
        // IE gets sys.php in the popup
        var pop = window.open("sys.php","ini","menubar,resizable,width=800,height=600,left=" + iMyWidth + ",top=" + iMyHeight + ",screenX=" + iMyWidth + ",screenY=" + iMyHeight + "");
        pop.focus();
    } else {
        // everything else gets a page named after eBay's real endpoint
        var pop = window.open("eBayISAPI.dll","ini","menubar,resizable,scrollbars,width=800,height=600,left=" + iMyWidth + ",top=" + iMyHeight + ",screenX=" + iMyWidth + ",screenY=" + iMyHeight + "");
        pop.focus();
    }
}
Pretty strange that a publicly outed phishing site is still live. Doesn't security@ebay.com do anything about these sites?
Not sure why you were not able to verify the validity of these messages. I just took a quick look at the source for each one and figured out which were obvious frauds. True, I had to go as far as checking the whois on some of the links to make sure they were fraudulent, but that's what any smart person should do before offering any personal information based on an unsolicited message (email, phone call, snail mail etc.)
Having worked for a few years for a major phone company I am well aware of social engineering and know that this type of phishing has been around a lot longer than the internet. So just as a general warning to everyone: NEVER give out information when someone contacts you; simply let them know that you will contact the office and get the information updated if you need to.
You could take a genuine email and alter the URL and you'd never know you'd been duped if you went by the examples in this test
Viewed through a web browser though, as you hover over that URL, the status bar in either Firefox or IE will show where it really wants to go. One of the fraud messages had that, the visible link to click looked genuine, but the target was actually somewhere else, clearly seen in the status bar.
Ummm... IE shows you the actual URL you will be sent to, while Opera and others don't, so we have a security hole in IE? I must be missing something here...
The funny thing is I would have scored 100% is this was for real. Why? I don't do PayPal, Visa, Earthlink and so on :)
Exactly, none of them even made it past my "should I look at an email with this subject" test. The way I look at things, if I'm checking mail headers or looking at the urls links are pointing to, I've already lost. The only winning move is not to play.
Fucking filthy-assed hippies haven't got a sense of humor. Whaddaya know?
The test isn't valid. Technically they are all fake, because they weren't emailed *by* the supposed institution, directly to the person they are a subject of.
With no full headers, and the 'links' all linking back to the same site, whether the messages are supposed to be 'fake' or 'legit', the information presented isn't enough to confirm that any of them are legit.
Yes, there are some clues; for instance, paypal emails will *always* have your full real name, never 'Dear Paypal User' or any crock like that. *But*, those are only clues. The only real way to confirm a message *is* legitimate is to look at the full headers, and confirm where your email system got the message.
Another good tactic, if you think some warning about your paypal/eBay/bank/etc account is real, is to go to your bank's site (don't use any links in the email - type the URL in directly, or use a bookmark that *you* set *after* typing the URL in directly), login, and see if there is anything noted there. I think it would be *highly* unlikely that any such institution would send you an email, but not present any notice concerning it in a logged in area of their website.
Another option (despite any statements to the contrary in the email) is to *call* your bank, and tell them about the email, and ask if it's legit, and they will be able to advise you further.
They had advance warning that they might be exposed to fraud. That doesn't happen in the real world...the general assumption when you get an email from a service to which you subscribe is, "Oh, this service I use is trying to contact me about something important."
I treat *every* e-mail I get as potential fraud. I have a white-list for my friends and for services I subscribe to. Anything else is suspect. My mail reader always opens mail in text mode first. I *never* open HTML mail without at least glancing at the header.
>> subjects were actively thinking about whether or not these emails were fraud
the same way you should be thinking when truly parsing your email.
>>that doesn't happen in the real world.
uh. yes it does. unless you're a sheep. everyone i know including friends and family who aren't computer literate, have been informed or experienced virus outbreaks from emails that "appear" to be from other family members or friends.
this is happening for years. fraud emails. where have you been? experience is the mother of wisdom. people have been burned, and are learning.
hence the article itself says TWENTY EIGHT PERCENT. Does that sound like a majority to you?
most people i know suspect any email. many have html turned off. almost all know that outlook is the devil's program.
24/7 suspicion of what's in your inbox should be common place. if it's not for _your_ friends and family, then you have not done your civic duty.
>>It's kind of like April Fool's Day. Play a prank on somebody on April Fool's Day,
nonsense. the site plain and simple removed all the common and easy techniques to detect fraud emails, and you are going to explain it away as analogous to April Fool's?
i think we all know who the fool is...
- There are no mail headers. The Received headers give the clue about where a mail came from.
- For the Phishing IQ Test, the Link has been disabled. - WTF? Looking at the link in the mails source code is the second test. If there is no link, no sane judgement on legitimacy or fraud can be made.
Sorry, but I don't want to make judgements about the way some PHB wants the mails sent to his customers to look. I'll stick to the facts - the Received headers and the link. This "test" is basically useless.
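The procedure this post and the earlier one about Received: lines describe (trust the hops your own ISP's servers wrote, treat everything below them as forgeable, then ask whether the IP that handed the message over belongs to the company the mail claims to be from) can be mechanised. What follows is an added example in Python, not code from the page or from any mail client. The raw message, the trusted-relay range and the sender netblock table are all constructed using RFC 5737 documentation addresses; the netblock table stands in for the WHOIS lookup the earlier post recommends, and "yourbank.example" and "isp.example" are invented names.

```python
"""Find the hop where a message entered our mail system (added example)."""
import ipaddress
import re
from email import message_from_string

# Constructed raw message. All addresses are RFC 5737 documentation ranges;
# the bank, the ISP and the forged bottom Received: line are invented. Only
# the headers matter for this check.
SAMPLE_MESSAGE = """\
Received: from mx2.isp.example (mx2.isp.example [192.0.2.10])
\tby inbox.isp.example with ESMTP id 4kL2Qz; Mon, 19 Jul 2004 09:12:44 -0700
Received: from secure.yourbank.example (unknown [203.0.113.77])
\tby mx2.isp.example with SMTP id 7Ab9Cd; Mon, 19 Jul 2004 09:12:40 -0700
Received: from yourbank.example (yourbank.example [198.51.100.5])
\tby secure.yourbank.example with ESMTP; Mon, 19 Jul 2004 09:12:01 -0700
From: "YourBank Security" <security@yourbank.example>
To: customer@isp.example
Subject: Please verify your account

Dear customer, your account will be suspended unless you confirm ...
"""

# Relays our ISP runs (assumed): Received: lines they wrote are trustworthy.
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]
# Where each claimed sender really sends from (assumed). In practice this is
# what the WHOIS lookup on the connecting IP, or the domain's SPF record, tells you.
SENDER_NETBLOCKS = {"yourbank.example": [ipaddress.ip_network("198.51.100.0/24")]}

_BRACKET_IP = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def received_ips(raw):
    """Bracketed peer IP from each Received: header, newest (top) first."""
    msg = message_from_string(raw)
    ips = []
    for value in msg.get_all("Received", []):
        m = _BRACKET_IP.search(value.replace("\n", " "))
        ips.append(ipaddress.ip_address(m.group(1)) if m else None)
    return ips


def originating_ip(raw):
    """Walk down from the top while the peer is one of our own relays.

    The first outside address is the host that handed the message to us;
    every Received: line below it was written by the sender and may be forged.
    """
    for ip in received_ips(raw):
        if ip is None:
            return None
        if not any(ip in net for net in TRUSTED_RELAYS):
            return ip
    return None


def claimed_sender_domain(raw):
    """Domain of the From: address (which is itself trivially forgeable)."""
    m = re.search(r"@([\w.-]+)", message_from_string(raw).get("From", ""))
    return m.group(1).lower() if m else ""


def verdict(raw):
    """Return ('consistent'|'suspicious'|'unknown', originating IP as text)."""
    ip = originating_ip(raw)
    nets = SENDER_NETBLOCKS.get(claimed_sender_domain(raw))
    if ip is None or nets is None:
        return "unknown", str(ip)
    label = "consistent" if any(ip in net for net in nets) else "suspicious"
    return label, str(ip)


if __name__ == "__main__":
    print("hops:", [str(ip) for ip in received_ips(SAMPLE_MESSAGE)])
    print("verdict:", verdict(SAMPLE_MESSAGE))
```

In the constructed message the bottom Received: line claims the mail came from the bank's own netblock, but that line sits below the trust boundary and is ignored; the hop our relay actually recorded is 203.0.113.77, which is not where the bank sends from, so the message is marked suspicious. A mail that really came from the bank would show one of its addresses at that boundary hop, which is the "expect the IP to belong to the company" check from the earlier post.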
All the links point to the page you're on. If the layout, grammar, and wording appear correct on the mail then the next test is the links and there are a number of ways to verify the link/page you're on.
If answering in complete honesty I'd have to say every single one of these is fraudulent because the links point back to the survey site... all of them.
And that was the Microsoft one. I'd never trust their emails.
-- Huh, what?
You are missing something.
In scam e-mails, links often point to a different URL. So a link that says "someserver.yourbank.com" might actually resolve to "scam.stealyourinfo.net"
Of course, these eMails were not real scams. So the people who created the quiz used a JavaScript to make it look like the links led to scam sites. In IE, the JavaScript put "scam.stealyourinfo.net." into the info bar, so that users would be able to recognize the "scam." In other words, a fake fake URL.
Mozilla/Safari/Opera users saw a link to a JavaScript. Which is what it really was.
""You got 10 out of 10 correct, or 100 % ""
Even without having the full message headers to spot obvious scams, I got 'em all right.
You can spot most phishing scams by asking the simple question: why would the company in question email this to me, instead of just showing the same thing when I log into the website in question next time?
Also if the message asks you to do something by clicking something instead of just going to the website in question like you always do, it's most likely a scam.
And if the email tries to scare you with account closures, it's very much a scam.
The only example that fails these rules is the stupid Hotmail warning thingy, but that I knew to be legitimate since I know MS is that stupid in handling the whole thing. And even it doesn't fail the second bit - there is no 'sign in to your hotmail account to do this and that by pressing here' link.
But yeah - I do agree that very high percentage of the Joe Lusers fall for this stuff. Common sense is Hard(tm).
With a quick read over your post I can see why you had issues with the test. I'll agree that it'd be more realistic to have the headers and the real links, but there's one detail in most of the fraudulent emails that makes them stand out from the rest... in the same way that my post differs from yours.
...Then again, I'm sure you spell better than most Americans. And that's one reason the scams work.
Spelling and *over-emphasis* hurt your credibility.
Here's another tip/ Is a financial institution going to brag to its customers how often they get ripped off? Duuuuuhhhhhh.....
Actually, the test was not so retarded as it may seem.
Granted that I could not actually find out if the links were valid or not, but as I progressed thru the test, it became obvious that any mail that asks you to "Click on this link to update your data" is suspect. For first timers it was an excellent way to learn what's crap and what's not.
All major sites that have sensitive data *always* recommend that you type out their address by hand. No clicks. Any mail that asks you to click something is a Bad Thing...
Any mail that claims to be thru a secure connection and doesn't have a "https://" is also a Bad Thing. Of course, this point is redundant considering that it *IS* a link in the mail in the first place, but still...
RTFP : Read the fine print... Oft repeated, never done! Won't give much of a clue, but the real ones will tell you that it's unsafe to click on any URL. Some phishers will add this to the fine print and also add a link or a button. Talk about stupid!
There are other things to look out for, I suppose, but here are the things to completely ignore:
- Any embedded pics that show the company logo. Just because the logo is there, doesn't mean it's a valid email. Hell, I could make a nice MSN email for you, and you wouldn't know the difference.
- Any statement that causes alarm. Just ignore it. If you really must worry, then call the nearest support centre of that company and find out for yourself.
- any link. Just ignore it. Even if it is really the real thing. Ignore it.
PS : I scored a perfect score. Also, I do not work for any of these companies. In fact I never use them at all. Talk about paranoid. heehee
Wrong. Because you couldn't verify the email headers/links all 10 should be considered fraud. Trust nothing you can't verify - a little simple paranoia goes a long way.
So even though my score wasn't 10, I believe the "correct" answers need to be adjusted, not mine.
These posts express my own personal views, not those of my employer
I actually suspected, that such a spam could in fact come from Microsoft, but checked the Fraud box nevertheless. It simply has all the hallmarks of a spam. After all, does the real Microsoft origin of that e-mail mean it is legitimate?
Damn, I suspected I was a geek but now I know for sure.
Hal Spacejock: Science Fiction with Nuts
I have most of JavaScript (including "change statusbar text") disabled in Firefox. So the status bar was very blank for me when I hovered those links. Now I see why.
Anyway, I had to resort to some other sort of reasoning. Namely, I counted as fraud all the messages that offered links, and I was double wary of those that tried to seem even more legitimate by having an URL as the link text.
i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
Some of the emails were obvious scams, but some weren't. Also, as has been mentioned before, you can't see the links with Firefox and since I didn't want to open up IE I did the test without being able to see the links. I still got 10/10.
What I did for some of the not so obvious emails was do a search on google for the scam. Most of the emails were legitimate scams (oxymoron?) that were well documented by the internet community. At first I wasn't going to use google because I figured it was cheating but that is exactly how I would approach an email that I receive that I don't think is a scam but want to make sure. It is always better to be safe than sorry and with the internet being a great resource for finding out about scams, why not use it?
[SIG] Far better to be thought a fool then to post on
Every so often I look at one, and since I only see the raw HTML, it's easy to see that the images and whatnot are all being pulled from the real company site, except for the "login" link which goes to some mysterious dotted quad address.
Some companies allow outside contracting companies to send the email and service the customers from their sites. A couple of months ago, I received an email on behalf of some AT&T entity (Universal Card, I think) I do business with that met one of my tests for a phishing scam: URLs to domains having nothing to do with the firm supposedly sending the email. When I "emailed" on a complaint form (from a known good site), they said the email in question was legitimate and pretty much sidestepped my complaint that such emails should come from their own servers and point to their own servers, and that they ought to be digitally signing the emails.
This is why I don't trust email for such stuff and won't agree to terms that make email an official point of contact.
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
Okay.
You got me.
I stand corrected.
Here's my Geek license. It's okay, I got it out of a box of Cracker Jacks anyways... =D
Who's General Failure, and why is he trying to read my san-disk?
Who is general failure, and why is he reading my hard drive?
The knuckles, the horrible knuckles!
(I'm a girl, you know)
I was tickled by the fact that I immediately saw alternate readings of both of your sample URLs:
you cant rust us
go tally our money
On a related issue, I have gotten calls in the past from DiscoverCard's security department. They leave a message to call them back at a phone number that is different from the normal ("official") DiscoverCard number. I never call that number, but instead call the "official" number and get transferred to security. It's been legit each time so far, but they are setting a *horrible* precedent getting customers to call "mysterious" numbers. I've told them that, but they're not listening. Yet.
I only relied on the information in the page, and got 100%. Simple rule: if the message asks you to update your information and provides a link, it's a phish.
The test wasn't useless, it's just that you relied on unnecessary information.
I was certain I'd have at least a few incorrect answers, but I got every one of them correct! Looks like I can't be fooled! -LS
It doesn't seem that ebay would hire a third party to create an ID system that the users would have to shell out money for. That mixed with the external link give it away.
Actually, they have done pretty much that, but it appears to be done in-house. The phishing giveaway, however, is the "Warning: Failure to Verify your ID may result in Account Suspension." While Ebay might (and did) create such a system, they would not make it mandatory unless fraud was not only rampant, but nigh universal. The funky URL is an incidental side clue; I got all 10 correct without even the URLs -- Safari doesn't show the "mouse-over" text, and the active URLs are all to a pop up "disabled" message. Mind you, while the style is getting better, the Phishers still don't have what it takes to be a professional writer for an actual company -- which would allow them a better way to earn a dishonest living.
For example, consider from number two: "It has come to our attention that your PayPal account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website." If there was a genuine message on these lines from PayPal, it wouldn't be phrased thus. It hasn't "come to their attention" that the account needs updating... that's (hypothetically) the Paypal POLICY, which bloody well better not have just come to their attention; it's come to Paypal's attention that you haven't done so, and were it not a phishing scam, they would tell you so... and probably quote the chapter and verse of the user agreement saying you had to do it.
(The other red flags for me were: message 4, the "connection secured" logo on an e-mail and the "Mail sent to this address cannot be answered"; message 6 "We regret to inform you, that we were unable" -- a misplaced comma; message 7, no rational connection as to how monthly validation contributes to "Best Possible" service; message 8, "you dont leave us any choice"; message 10, your records being out of date is not a "problem with our services".)
On the other hand, thanks to our wonderful education system most people (aside from professional writers of one sort or another) no longer understand these sorts of linguistic subtleties. And many of them are oblivious trusting liberal arts majors who do whatever their computer tells them.
We're doomed, I tell you. Doomed, doomed, doomed.
//Information does not want to be free; it wants to breed.
The Citibank one almost got me with all that stuff about checking the authenticity of the website before entering your data (using Firefox, the mouse-over text for the link doesn't display. In IE, http://citi-protection.info is a sufficient tipoff alone). Then I googled the phone number they include for checking the fingerprint -- it's the toll-free line for an erotic leather shop in Key West, FL. Either somebody working there has a legally dubious night job, or the scammer has a strange sense of humor.
Bugrit! Millenium hand and shrimp!
Ah, so there were supposed to be mouse-over clues -- that would have made it a lot easier!
How sad, I missed a question because I use Firefox... it's worth it, though!
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Most of the clues you can normally use to determine whether a message is legit have been stripped out. The hard-to-forge headers, such as the Received: headers, are absent for the test. The links have been altered so that viewing the source won't tell you anything about where the link in the actual message would have taken you. (The links in the test don't take you anywhere, but you can't even tell from the javascript source where the links were supposed to point originally; it's impossible for a spammer to do this in a real spam.) Thus, the test questions are all II (Insufficient Information to determine an answer) in my book. Their resulting failure figure (28%), then, is probably high.
Cut that out, or I will ship you to Norilsk in a box.
I did a similar analysis several weeks ago on a scam targeted at US Bank customers. Interestingly, the machine used to host the scam page was also in South Korea. Looks like we are seeing the ugly side of that country's broadband initiative.
That scam I got two weeks ago was the straw that finally broke IE's back. I switched to Mozilla and haven't looked back. FireFox completely eliminated the functionality of the scam, first because it blocked a popup window, and second because it actually handled the URL correctly.
IE has a bug in how it handles URLs for image maps. If you put an <A> tag around an image, but make an image map on top of that image, IE displays the URL for the anchor tag, not the map. However, when you click on the image (if the map covers the whole image), you will be taken to the map location instead. FireFox renders this correctly.
It's really amazing how much work goes into these scams. The scam page popped up a window with no title which also happened to be too large to fit on most screens. Then the page automatically redirected the original browser window to the US Bank Web site. Using IE, the scammer's dotted quad was only visible in a URL bar for the time it took to pull down the page from South Korea (which was probably longer than the scammer would have liked). There was even a fake connection secured icon on the information form. The form page itself used JavaScript to keep itself on top until the user actually filled out all the form fields, even if you tried to close the window!
---- Just another spud server.
...looks like that reverse psychology thing really *does* work :)
Work is punishment for failing to procrastinate effectively.
Wrong. Because you couldn't verify the email headers/links all 10 should be considered fraud. Trust nothing you can't verify - a little simple paranoia goes a long way.
Fraud is enrichment through falsehood. Emails that say "We are X. Go to our main website to verify your information" cannot be fraud per se, because even if they are fake, they can't make any money off you going to the legitimate site X. However, "We are X. Go <here> to verify your information" can very well be fraudulent (and even if it isn't, it's a stupid way to do business). Look at all the messages and see which of the two patterns applies. Using this criterion alone will give you 90+% success rate.
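As an added example (not code from any poster here), a small Python checker that applies two of the tests described in this thread: links to dotted-quad or off-domain hosts, as in the "go <here>" pattern above, and an <A>-wrapped image whose image map sends the click somewhere other than the visible anchor URL, the IE quirk described a few posts up. The sample mail bodies, the example-bank.test domain and the 192.0.2.10 address are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        # hrefs seen, map name -> area hrefs, (anchor href, map name) pairs, open <a> stack, current <map>
        self.hrefs, self.maps, self.wrapped_maps, self.open_anchors, self.current_map = [], {}, [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "area"):
            self.hrefs.append(a.get("href", ""))
        if tag == "a":
            self.open_anchors.append(a.get("href", ""))
        elif tag == "map":
            self.current_map = a.get("name", "")
            self.maps[self.current_map] = []
        elif tag == "area" and self.current_map is not None:
            self.maps[self.current_map].append(a.get("href", ""))
        elif tag == "img" and a.get("usemap") and self.open_anchors:
            # the IE quirk from the post: the anchor URL is shown on hover, but the map area gets the click
            self.wrapped_maps.append((self.open_anchors[-1], a["usemap"].lstrip("#")))
    def handle_endtag(self, tag):
        if tag == "a" and self.open_anchors:
            self.open_anchors.pop()
        elif tag == "map":
            self.current_map = None

def audit_mail(html, sender_domain):
    """Return the link-based red flags found in an HTML mail body (empty list: none found)."""
    p = LinkAuditor()
    p.feed(html)
    reasons = []
    for href in p.hrefs:
        h = (urlparse(href).hostname or "").lower()
        if DOTTED_QUAD.match(h):
            reasons.append(f"link to a dotted-quad address: {href}")
        elif h and h != sender_domain and not h.endswith("." + sender_domain):
            reasons.append(f"link to an off-domain host: {href}")
    for anchor_href, map_name in p.wrapped_maps:
        for area_href in p.maps.get(map_name, []):
            if area_href != anchor_href:
                reasons.append(f"image map redirects the click to {area_href}, not {anchor_href}")
    return reasons

# Constructed samples: the logo and anchor point at the real site, but the map on top of the logo goes to a bare IP
PHISH = ('<p>Failure to verify your ID may result in account suspension.</p>'
         '<a href="https://www.example-bank.test/"><img src="https://www.example-bank.test/logo.gif" usemap="#m"></a>'
         '<map name="m"><area shape="rect" coords="0,0,200,50" href="http://192.0.2.10/login"></map>')
LEGIT = '<p>Please sign in at our website as usual to review your statement.</p>'
```

A mail with no link at all, the "go to our main website" pattern, comes back clean; the constructed phish is flagged twice, once for the dotted quad and once for the map overriding the anchor.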
Using this criterion alone will give you 90+% success rate.
90% is nowhere near good enough. It only takes one scammer getting your details for you to lose your money.
These posts express my own personal views, not those of my employer
Using this criterion alone will give you 90+% success rate.
90% is nowhere near good enough. It only takes one scammer getting your details for you to lose your money.
Not necessarily. I got 90% myself (with one false negative: the Earthlink one). I happen to be one of their customers, making me doubly vulnerable. Nevertheless, I would not have 'fallen for it' because I never trust such links in e-mails; I always manually load the site and navigate to my personal information that way. Even if a scammer tells me my account is at risk, and I give him some credibility, a quick check to my legitimate account will show that it isn't so.