Phish Scams Fooling 28% of Users
Etaipo writes "Anti-spam firm MailFrontier Inc has done some testing with consumers to see if they could differentiate between legitimate e-mails and phish scams. The results, to me, were pretty shocking.
The company also has provided a similar test on its web site. Get an answer wrong, and we revoke your geek license on the spot."
But haven't fallen.
My parents got an e-mail stating that we were charged $3000 for a new Dell laptop. Never mind that we all use Macs.
So I check out the site... Looks professional, seems legit, but it asks for a bank account and social number on a non-secure connection... Phishy?
I checked out the root domain of the given address and ran a search to see to whom the site was registered. Definitely not a real company, an individual, and the root domain didn't exist as an accessible webpage. Not the kind of thing that is very professional. I bounced the e-mail back and dismissed it. Our credit bill the next month didn't have a Dell laptop on it. What do you know?
All it takes is some common sense to get out of these things, but perhaps real companies should start adopting S/MIME or PGP to ensure their identities to make it more apparent to a layperson.
Of course, a false company could just as easily hide behind these "foolproof" authentication mechanisms.
Help a college student
Honestly, I got through 3 examples before giving up. The real test for me is, "Is the link back to the official site? Or does it look like a link and take you to some mysterious 3rd party server?"
In this test *ALL* links pop up to a "for the purposes of this test, this link has been suspended" This makes the whole thing useless.
Anybody can copy a legit paypal or eBay email and change a few words and make it "look" real. The key is in the links and the data mining.
Honestly, it's pretty simple. Just never click on any link in any email. If it's from a company you deal with, type in the URL you know and love to find the information. The only one of the emails in that entire "quiz" I would have trusted was the one without any links, that simply said "go to ebay.com, click on your account." Anything else could be fake.
At the very least, copy and paste the URL rather than click it, and study it for 3 seconds before going to the site to make sure it looks like the site you think you're going to.
One of the common tricks I use to tell if someone is phishing is to compare the actual URL link with the one displayed in the test. That is, does the HREF match what's printed on the screen? If not, hit delete faster than a fat girl running towards chocolate. Easiest way to tell as the e-mails are looking more and more legitimate.
I got one for PayPal asking me to update my account information that had a bad link. Also got me since I had just moved and was in the habit of updating account information for sites!
Here's a quickie link to the test examples. The month's almost over, and I've got plenty of bandwidth to burn. (Famous last words...)
http://www.littlecutie.net/temp/slashdot/
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
Just viewed the source of the pages, easy enough to tell who is lying and who is not. Only 1 was marginally troublesome due to a lot of spaces in the URL which pushed the real domain name far to the right.
MORTAR COMBAT!
It's exactly the same way you detect phone scams. If they call you, it's a fraud. But if they let you look up the company in a phone book and call them, then it is legitimate.
Of course who do you trust to maintain said database/algorithm if it's not open source? This is one of the many (many) cases where I would think open source is the only option.
/.'ers, I'm sure), and those who can't could use something like what was proposed to filter out some of the more technically-incompetent scams. It's better than nothing, I suppose.
:P), that way people HAVE to type in visa.com (or cut and paste, at least JavaScript can't be used to hide the real URL this way), and they'd have a much better chance of actually dealing with VISA. Inconvenient? Yeah. So's sorting out your finances after an identity theft incident.
Of course there would be numerous roadblocks to implementing this sort of thing, not the least of which being HTML rendering quirks in Outlook, Eudora, etc. that would have to be thoroughly accounted for.
I'll stick to doing things by hand (I didn't miss any, like most
Best bet is probably to just write a plugin (or set a preference) that completely disables hyperlinks in email messages (using mutt or disabling HTML email, which is the devil, works too
Identity theft scares the shit out of my (non-technical) parents. Last time I was home to visit they grilled me on the subject for an hour or two. It seems like it might be one of the few things that people might fear enough to be willing to inconvenience themselves slightly in the name of security.
It's about damn time we found something like that, besides fucking airport security.
Game... blouses.
check it out, interesting use of frames by the perps
Anatomy of an embryonic identity-theft-by-email
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
...is Social Engineering. Or Con Artistry depending on your tastes.
The average non-techie wouldn't know what a "Phish" scam was if it was sitting on their face, any more than they would know what a phreak was or why hacker, cracker, and coder all mean very different things.
I agree with GGParent. This crap should never have made it into the media. They're only going to be screwing it up.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
If you didn't find that funny, then you definitely won't find this funny.
You might be interested in Spoofstick; it shows you the "real" domain URL for whatever webpage you're connected to.
though, I never follow the links, I do browse to the site just in case.
I was a little angry at paypal for doing this because the fact that legitimate companies DO send emails with links, the average joe or jane lets down their defences to actual phish emails.
This sucks for me because my girlfriend and family are non-geek persons and I have to explain to them to never NEVER follow links from emails because of this reason and they probably think I'm some kind of paranoid freak because of it.
Conserve Oil, Recycle, Boycott Walmart
Umm, they had a JavaScript that should show the target link in the Status line. You shouldn't be clicking the link to see where it goes, anyway.
Am using IE, since I'm at work. Maybe their mouseover script doesn't work in your particular browser.
Of course, you could just view the source code to see the 'real' target links
That being said, I got 9/10. I missed the earthlink fraud one, dammit. Good thing I don't use Earthlink...
Phil
1st email: This one just tells you to log into the MSN site; it doesn't provide a bogus link or anything.
2nd email: This one does provide a link, plus for some reason the URL args flag my personal danger heuristics. The jagged do-this-or-else tone of the email also doesn't seem like it originates from a company that relies on its customers.
3rd email: It doesn't seem that eBay would hire a third party to create an ID system that the users would have to shell out money for. That mixed with the external link gives it away.
4th email: I personally hope a bank doesn't deal with security issues by relying on internet communication, but it doesn't sound right for a bank to contact a hacked account victim through email. Plus the 4 appended to the www part of the URL makes it seem that it could possibly be a false URL.
5th email: This email does not provide an external link; it tells you to go to PayPal. It also helps that the email says to always type in the URL manually.
6th email: Again with the threatening tone, but more clearly does this yell fraud when at the bottom of the email there is a blurb that says "This is a promotional message from EarthLink". Definite cut and paste job.
7th email: See 3rd email.
8th email: Threatening tone..., external URL.
9th email: It helps that I've seen emails like this, but in this email you are not asked to provide any data, except for the tracking number in the URL, which they provided.
And lastly, the 10th email: A button! A button can be used to hide the URL from the casual user, and looking at the HTML shows that it goes to www.service-visa.net, which doesn't seem right for a COMmercial enterprise to have.
On 14 July I got an email from "etrade@etrade.p0.com", with links like "http://etrade.p03.com/u.d?kknMAEgJGVM4rIf=50" - not a joke, that's a _REAL_ E*Trade sponsored link. I reported it to abuse@etrade.com and the SEC, and got an email back from E*Trade saying it was for real. They're using some service called "Yesmail" to distribute their scam - er - that is - their marketing. Worse, it's all about changing your account number, changing their mailing address - the only way it could have looked more like a scam is if they'd said they were E*Trade's Nigerian branch. The SEC said, more or less, 'We'll look into it, and we'll never let you know anything about it - it's all a secret. Now go away.'
On the plus side, after I sent a nastygram back to E*Trade (where I equated their email to criminal negligence) they said "I am quite sory for such concern as this email has caused. We are reviewing such feedback as you have sent in to determine how we might better tailor our emails to alleviate such concern." (Which may or may not be legalese for "Get Stuffed".)
With friends like this helping us keep the scams at bay, who the _hell_ needs enemies?
-- No No No NO, Don't tug on that! You never know what it might be attached to. - Buckaroo Banzai
Took the test, using Opera. All the links, when I hovered over them, pointed to http://survey.mailfrontier.com/survey/phishingtest/message_1/message1.htm#, which I assumed was part of their thing to not let you see the links. Got 6/10. Was somewhat puzzled, as I'm otherwise not a complete braindead dumbass. Checked back at it with IE... turns out if you hover over them in IE, it actually displays the URL it's supposed to go to, meaning I'd've (double contraction, eh) gotten 10/10 most likely.
So is it taking advantage of an IE security bug, or what? (For the record, I just checked it with Firefox and it does the same thing, so this is not just Opera being a piece of crap.)
(I'll probably get modded down, and deserve it too, but I'm too amused at the moment to care.)
Work is punishment for failing to procrastinate effectively.
There were a bunch of spaces in the URL that kept the rest of the URL out of the status bar. You had to view source on the message to see the rest of the URL: http://earthlink.net@some.domain.kr/stuff.
They didn't show up in Mozilla. Switched to IE and they worked. They were using IE-specific javascript to put the link text in the status bar.
the link in the middle goes to: http://www.earthlink.net@curvet.co.kr/curvetdb/images/CVS/
I think that's probably not legit.
And the muscular cyborg German dudes dance with sexy French Canadians
Even though the displayed html component is wrong, the actual links that they reference are all owned and operated by earthlink.net.
So even though there are 2 typos, it wouldn't be the first time that a valid company screwed up in that fashion.
After doing nslookups on the names, and doing whois on the returned ip addresses, all the entries appear to be under earthlink.net's control.
So I placed it as legit, although typos were included.
The only major typo that wasn't actually owned by Earthlink was the wwwearthlink.net entry - which was owned by Interserver, Inc.
However, the URL that was referenced by the text that was displayed was www.earthlink.net which was correct.
So, if it was supposed to be fraudulent, the referenced URL was a typo.
Either way, I win - it was okay!!!!
Who is general failure, and why is he reading my hard drive?
I got 10/10 and didn't check any IP addresses, headers, or domain names. I think most of the scams are extremely obvious.
1) Any email with a link that asks you to enter your credit card information in the linked page is bogus.
2) An email that gives you instructions on how to log on to the company website manually to enter details is OK. If you enter www.paypal.com into your browser yourself, you know it's the legit site.
3) Major grammar/spelling mistakes mean it's a hoax.
4) Emails that contain an enormous amount of legal information have a higher likelihood of being legit.
5) Emails with information about maintaining account security have a higher likelihood of being correct.
Most companies will now try to avoid sending emails that resemble phishing scams (no links to enter your credit card information). So it should become easier to spot scams now.
Do you have Mozilla set up to forbid JavaScript from modifying the status bar (as you should)? If you do, then whether or not the JavaScript is IE specific, it still wouldn't show the bogus link. I had to view source to see what they wanted to appear down there (mainly because I forgot about that setting until most of the way through the quiz).
"From my cold, dead hands you damn, dirty apes!" - CH
There are hacks around to make the new models use the old Graffiti. Thank goodness.
Besides, Mozilla would have warned if that had been a real link:
You are about to log into the site "curvet.co.kr" with the username "www%2Eearthlink%2Enet%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20", but the website does not require authentication. This may be an attempt to trick you.
Is "curvet.co.kr" the site you want to visit?
If you look carefully at that message, you'll see the link is not to www.earthlink.net, but rather it is to curvet.co.kr: http://www.earthlink.net@curvet.co.kr/curvetdb/images/CVS/
Seems pretty clearly not a legitimate link, and therefore fraud, to me.
What you missed is that one of the links uses whitespace to obfuscate the real destination: 'http://www.earthlink.net{whitespace_removed_for_lameness_filter}@curvet.co.kr/curvetdb/images/CVS/'
The spaces move the end of the URL past the end of most status lines.
If the email says to log in and then update your information without providing a link, it's probably okay; if they provide you a link and it looks technical, then stay away.
500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
I almost never open HTML e-mail, but if you do, you also have to be aware that even if you hover over a link and check the status bar, the location shown there may not be the actual destination once it's clicked.
You can always use the onmouseover and onmouseout events in javascript to change the status bar text to override the default behavior (unless javascript is disabled in mail). To be completely sure, you have to check the HTML source, which isn't hard to do; but I think it's easier to verify headers.
Even if you click a link or even load some images, your e-mail address may be marked as "good" for further spamming purposes. Bottom line - don't open HTML e-mails - if you do, load them with javascript and images turned off and always verify headers if it looks at least a little suspicious. KMail handles it like this by default, and I think it's a good security practice.
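The manual checks the posters above describe (compare the HREF against the displayed text, watch for a decoy hostname before an `@`, notice whitespace padding that pushes the real host out of the status bar, and distrust `onmouseover` handlers that rewrite `window.status`) can be done mechanically over an HTML message body. The following is an added example, not code from the original thread or from MailFrontier; it runs in Node.js using the built-in WHATWG `URL` class with no network access. The sample e-mail body, its markup and its hosts are constructed for the demonstration and modelled on the messages the thread discusses.

```javascript
// Added example: static triage of the anchors in an HTML e-mail, applying the
// checks the thread's posters do by hand:
//  1. does the href's real host match a host named in the visible link text?
//  2. does the URL carry "user@" info, making the part before the @ a decoy host?
//  3. is the URL padded with whitespace that pushes the real host out of the status bar?
//  4. does an onmouseover handler rewrite window.status to lie about the target?
// Requires Node.js (global URL class). No network access is needed.

// Constructed sample modelled on the messages discussed in the thread; the exact
// markup and hosts are assumptions for the demo, not the original e-mails.
const SAMPLE_EMAIL = `
<p>Dear member, please <a href="http://www.earthlink.net                                   @curvet.co.kr/curvetdb/images/CVS/">click here to verify</a>.</p>
<p>Or visit <a href="http://www.service-visa.net/login"
     onmouseover="window.status='https://www.visa.com/'; return true">www.visa.com</a></p>
<p>Or type <a href="https://www.paypal.com/">https://www.paypal.com/</a> yourself.</p>
`;

// Pull every <a ...>text</a> out of the body. A regex is enough for triage of
// e-mail markup; a real mail client would walk its DOM instead.
function extractAnchors(html) {
  const anchors = [];
  const anchorRe = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
  const attrRe = /([a-zA-Z]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2];
    anchors.push({
      href: attrs.href || '',
      onmouseover: attrs.onmouseover || '',
      text: m[2].replace(/<[^>]+>/g, '').trim(),   // strip nested tags
    });
  }
  return anchors;
}

// First hostname-looking token in the visible link text, lowercased, or null.
function hostFromText(text) {
  const m = /\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/i.exec(text);
  return m ? m[0].toLowerCase() : null;
}

// True when the two hosts are equal or one is a subdomain of the other.
function sameSite(a, b) {
  return a === b || a.endsWith('.' + b) || b.endsWith('.' + a);
}

function analyzeAnchor({ href, text, onmouseover }) {
  const findings = [];
  let realHost = null;

  if (/\s/.test(href)) {
    findings.push('whitespace inside URL (pushes the real host out of the status bar)');
  }
  // Parse what the client would actually request, with the padding removed.
  let url;
  try {
    url = new URL(href.replace(/\s+/g, ''));
  } catch {
    findings.push('href does not parse as a URL');
    return { href, text, realHost, findings };
  }
  realHost = url.hostname;

  if (url.username || url.password) {
    let decoy = url.username;
    try { decoy = decodeURIComponent(decoy); } catch {}
    findings.push(`userinfo "${decoy}" before @ is a decoy; real host is ${realHost}`);
  }
  const shownHost = hostFromText(text);
  if (shownHost && !sameSite(shownHost, realHost)) {
    findings.push(`link text names ${shownHost} but href goes to ${realHost}`);
  }
  if (/window\.status|\bstatus\s*=/.test(onmouseover)) {
    findings.push('onmouseover rewrites window.status, so the status bar cannot be trusted');
  }
  return { href, text, realHost, findings };
}

function triageEmail(html) {
  return extractAnchors(html).map(analyzeAnchor);
}

for (const r of triageEmail(SAMPLE_EMAIL)) {
  console.log(`${r.findings.length ? 'SUSPECT' : 'ok     '} ${r.realHost}  "${r.text}"`);
  for (const f of r.findings) console.log('   - ' + f);
}
```

The EarthLink-style anchor is flagged twice (whitespace padding, and `www.earthlink.net` as userinfo in front of the real host `curvet.co.kr`), the Visa-style anchor twice (visible text names `www.visa.com` while the href goes elsewhere, and the handler rewrites `window.status`), and the PayPal anchor, whose text and href agree, is left alone. Parsing the href yourself is the mechanical equivalent of "view source": it sidesteps both the status-bar padding trick and the mouseover rewrite.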