Slashdot Mirror
Phish Scams Fooling 28% of Users
Etaipo writes "Anti-spam firm MailFrontier Inc has done some testing with consumers to see if they could differentiate between legitimate e-mails and phish scams. The results, to me, were pretty shocking.
The company also has provided a similar test on its web site. Get an answer wrong, and we revoke your geek license on the spot."
Personally I never cared for Phish. They attracted a lot of the same fanbase as the Dead but I just couldn't bring myself to like them. I tried, I really, really did. It's sorta sad that now that they are breaking up for good that they are scamming 28% of the population. I would have never guessed that a cool jam-band would have to resort to this sort of scheming in order to get money!
I guess after all those tours and all those basically unsuccessful albums they are in need of people's credit cards in order to support their own solo touring and promotion.
All kidding aside, I am genuinely disgusting that the authors of these articles did not call this sort of scam by a legitimate title such as "fishing" or "credit card scamming" or "you are a fucking moron for falling for the give me your Credit Card Number in an email" like it has been in the past. I wasn't aware that "scr1p+ K1dd13 sp34k" had crossed into "real journalism". I can see it now... Parents banning their children from listening to Phish because FoxNews told them that they could have their credit cards stolen.
-1 Troll for the authors of these articles.
I answered 2 incorrectly as Fraud to get an 80% score so I lose 2 geek points but gain them back for erring on the side of caution. Actually I never bother with HTML mail and just skip it. That hasn't bit my butt yet.
IT's colour schemes are giving me a seizure...
Trolling is a art,
Why did I have to provide a credit card number before the test showed me my score?
I passed with flying colors! This is an excellent quiz to send to your friends who are less internet-savvy. I found a common thread throughout all of them: "if you don't verify your account information, it will be suspended."
Homestarrunner.net -- It's Dot Com!
This test is like a Kobayashi Maru test on star trek. You have to alter the conditions to win. You can't see the details in the hyper links nore the refer information in the header.
Some of these fraud mails looked really legit and were mainly given away by the fact that their URLs went to something like fraudprevent-visa.com instead of fraudprevent.visa.com. fraudprevent-visa.com is a domain name that may or may not be affiliated with Visa, while fraudprevent.visa.com is a subdomain of Visa.com, meaning it's not 100% safe, but much more likely to be legit.
But asking people to know this difference is asking a bit much of them. What might be interesting would be a "Phisher Identifier" built into mail clients that could identify bogus or unauthorized URLs based on a very carefully maintained database of legitimate URLs.
Seems that a plug-in could be written for Outlook, Eudora, etc.
- Greg
Start a happiness pandemic
Let me be among the first to call "Bullshit" on this supposed test.
Any nerd worth his salt knows to first check the headers of the e-mail and Lookup the IP to see where the mail really came from, and/or view the source of the HTML and identify obfusicated URL redirects. Then again, any IT guy who is using HTML-enabled e-mail should have his geek license revoked in the first place.
When it's that easy, you can't even call it social engineering. It's just social nudging, and people are ready to fall for it.
The CB App. What's your 20?
Nevermind this. I'm still waiting for my money from Bill Gates and Disney for forwarding that email to everyone I know a couple years back.
Right is wrong when left is right.
-phozz
Flip back to and refresh /. to see that almost a third of email users don't have the third of a clue it would take to recognize this crap for what it is. "We has noticed a high level of suspishous attemtpts to access your account and brute force your PIN..."? Um. Okay.
Pictures at eleven.
"Ask not what your country can do for you." --John F. Kennedy
But haven't fallen.
My parents got an e-mail stating that we were charged $3000 for a new Dell laptop. Nevermind that we all use Macs.
So I check out the site... Looks professional, seems legit, but it asks for a bank account and social number on a non-secure connection... Phishy?
I checked out the root domain of the given address and ran a search to see to whom the site was registered. Definitely not a real company, an individual, and the root domain didn't exist as an accessible webpage. Not the kind of thing that is very professional. I bounced the e-mail back and dismissed it. Our credit bill the next month didn't have a Dell laptop on it. What do you know?
All it takes is some common sense to get out of these things, but perhaps real companies should start adopting S/MIME or PGP to ensure their identities to make it more apparent to a layperson.
Of course, a false company could just as easily hide behind these "foolproof" authentication mechanisms.
Help a college student
Honestly, I got through 3 examples before giving up. The real test for me is, "Is the link back to the official site? Or does it look like a link and take you to some mysterious 3rd party server?"
In this test *ALL* links pop up to a "for the purposes of this test, this link has been suspended" This makes the whole thing useless.
Anybody can copy a legit paypal or eBay email and change a few words and make it "look" real. The key is in the links and the data mining.
Is it really so surprising that as spam matures it gets better at impersonating real email? It would be useful to repeat such a test periodically to see it trend over time. Likewise, it would be interesting to see the nature of valid business email content change over time to adjust. Perhaps we can have an internet age Darwin elaborate on the mechanics.
Politicus
Do you have any data to back up this outrageous claim?
Honestly, it's pretty simple. Just never click on any link in any email. If it's from a company you deal with, type in the URL you know and love to find the information. The only one of the emails in that entire "quiz" I would have trusted was the one without any links, that simply said "go to ebay.com, click on your account." Anything else could be fake.
At the very least, copy and paste the URL rather than click it, and study it for 3 seconds before going to the site to make sure it looks like the site you think you're going to.
pretty soon we'll have "geocities.slashdot.org" with animated GIFs of flaming skulls and crappy embedded MIDI files...
Fear...
I was once fooled believing that I received a fraudulant email making me believe it came from Sony. I wrote to Sony to report the email and they told me it was legite!
What caused me to think it was fraudulant? Well, the URLs in the email was going for something like sony.<somecompany>.com. The URL did not finish with "sony.com". The only way to figure out if an email is phoney or not is to check the URLs (assuming your browser does not have the famous URL bug which shows you a legite URL but once clicked, sends you to another site while still showing the legite URL in the URL bar), but when companies use 3rd parties to email their users and provide services, they cause these confusions.
Remember the year 2000? They promised us flying cars. They delivered the PT Cruiser...
I got Verizon DSL service back in February. A month later, I got an e-mail that basically stated there was a problem applying the DSL charges to my phone bill. In the e-mail, which was sent to "Verizon Customer", they suggested I reply to the e-mail with my account name and credit card information.
I thought it was a scam, but left it in my inbox. Two weeks later my service was shutoff. Apparently the message was legit.
After I got the problem straightened out, I sent them a very nasty, yet informative, e-mail and they agreed that they will review their e-mail policies and apologized for sending such a message to begin with.
Linking to a cgi from the front page? Why don't we just find out where the server is and burn down the building instead?
I got one that looked like a family gathering invitation. They must have hacked my mom's email account. They wanted me to respond with my "rsvp." That set off my bullshit detector. I better let mom know because they keep sending me email and now they're claiming I'm going to be disowned if I don't show to my own brother's wedding. I've stopped answering the phone as well because they have sound-alikes leaving me messages and look-alikes showing up at my door. You know as soon as they get your rsvp, they empty your bank account with it. I'm not falling for it.
Here's a quickie link to the test examples. The month's almost over, and I've got plenty of bandwidth to burn. (Famous last words...)
http://www.littlecutie.net/temp/slashdot/
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
Just viewed the source of the pages, easy enough to tell who is lying and who is not. Only 1 was marginally troublesome do to a lot of spaces in the URL which pushed the real domain name far to the right.
MORTAR COMBAT!
I got all the questions right, plus I'm getting millions of dollarz from this guy in Nigeria. Thanks for forwarding the link to us! Null
I know, I know, it's "gullible".
Normally I'd suggest that you should check the spelling in a dictionary first; but did you know that "gullible" isn't in the dictionary?
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
check it out, interesting use of frames by the perps
Anatomy of an embryonic identity-theft-by-email
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
call me a n00b, but i use hotmail and yahoo and I personally don't get spam. i think its just something people who give out their email too frivolously get
...that I would have clicked any of the links in the emails.
If I get any message that smells remotely like phish (i.e. any email that tells me to do something with my account), I go to my browser, and visit the site by manually entering the name of the website. If it then turns out to be a bogus email, I send a copy to the admins of the site, so they can track the insensitive clods down, and do whatever it is they do with them.
The IQ test would be a lot easier with access to full mail headers, too...
How's my programming? Call 1-800-DEV-NULL
We here at phishfarm offer a compehensive monitoring and blocking service to save our customers from hassle such as this. Just email all your bank account details (required for verification) to make.timesprout@rich.com and we will ensure that email soliciting for information or money will ever reach you again.
PS we have found that sending us naked pictures of your wives/girlfriends increases the accuracy and efficiency of our blocking engines so for the highest quality of service include a few piccies.
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
Oh yes, please do. Just be careful. Pent-up points can be very dangerous when loosed upon an unsuspecting populous.
(Score: -1, Stupid)
...is Social Engineering. Or Con Artistry depending on your tastes.
The average non-techie wouldn't know what a "Phish" scam was if it was sitting on their face, any more than they would know what a phreak was or why hacker, cracker, and coder all mean very different things.
I agree with GGParent. This crap should never have made it into the media. They're only going to be screwing it up.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Actually, they all go to #, which doesn't actually go anywhere. I call foul on this test -- it doesn't actually matter what the content of the email says (since I have no way to know that ebay would never suspend my account for not updating my info unless I actually go and look at the fraud stuff in their faq). A phishing message is easily (and only accurately) detected by looking at the address pointed to by the links within (which is what you will see banks, etc. telling you: "if you are unsure, just manually type our URL in, or call us"). How can this test be an accurate measure of people's ability to detect phishing emails if the links (the only worthy mark of a phishing email) they've given us don't actually link to real or fake sites?
Do you really need reason for beer? Wingman Brewers
...telling her she had won a trip for two to the ESPN Espy Awards show in Hollywood on July 14th. She sent me an IM about it, and I (rather condescendingly) informed her that she was almost certainly being spammed. Well, after going to espn.com and finding that the person listed in the email was really in their PR department, and contacting her through their 800 number, guess what?
That was the coolest hotel I've ever stayed in. The show sucked, but the view from the room almost made up for it.
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
...I won't use an email client that renders HTML. Or at least, won't let me turn that off.
When I get these mails, 95% of the time I delete them unread; no legitimate business should ever need me to "confirm my information". Every so often I look at one, and since I only see the raw HTML, it's easy to see that the images and whatnot are all being pulled from the real company site, except for the "login" link which goes to some mysterious dotted quad address.
(Side note to companies: stop letting outsiders pull images off your server; only let your own pages refer to them. It's an Apache FAQ, fer cryin' out loud.)
Every so often a friend will send me HTML mail, but I can cope. :-)
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
On 14 July I got an email from "etrade@etrade.p0.com", with links like "http://etrade.p03.com/u.d?kknMAEgJGVM4rIf=50" - not a joke, that's a _REAL_ E*Trade sponsored link. I reported it to abuse@etrade.com and the SEC, and got an email back from E*Trade saying it was for real. They're using some service called "Yesmail" to distribute their scam - er - that is - their marketing. Worse, it's all about changing your account number, changing their mailing address - the only way it could have looked more like a scam is if they'd said they were E*Trade's Nigerian branch. The SEC said, more or less, 'We'll look into it, and we'll never let you know anything about it - it's all a secret. Now go away.'
On the plus side, after I sent a nastygram back to E*Trade (where I equated their email to criminal negligence) they said "I am quite sory for such concern as this email has caused. We are reviewing such feedback as you have sent in to determine how we might better tailor our emails to alleviate such concern." (Which may or may not be legalese for "Get Stuffed".)
With friends like this helping us keep the scams at bay, who the _hell_ needs enemies?
-- No No No NO, Don't tug on that! You never know what it might be attached to. - Buckaroo Banzai
Took the test, using Opera. All the links, when I hovered over them, pointed to http://survey.mailfrontier.com/survey/phishingtest /message_1/message1.htm#, which I assumed was part of their thing to not let you see the links. Got 6/10. Was somewhat puzzled, as I'm otherwise not a complete braindead dumbass. Check back at it with IE... turns out if you hover over them in IE, it actually displays the URL it's supposed to go to, meaning I'd've (double contraction, eh) gotten 10/10 most likely.
So is it taking advantage of an IE security bug, or what? (For the record, I just checked it with Firefox and it does the same thing, so this is not just Opera being a piece of crap.)
(I'll probably get modded down, and deserve it too, but I'm too amused at the moment to care.)
Work is punishment for failing to procrastinate effectively.
There were a bunch of spaces in the URL that kept the rest of the URL out of the status bar. You had to view source on the message to see the rest of the URL: http://earthlink.net@some.domain.kr/stuff.
the link in the middle goes to:
i ma ges/CVS/
http://www.earthlink.net@curvet.co.kr/curvetdb/
I think that's probably not legit.
And the muscular cyborg German dudes dance with sexy French Canadians
The test was completly meaningless as you couldn't do all the correct things you SHOULD to to check the authenticity of an email.
It encorages people to base decisions based on *hunches*, which is utterly retarded. You could take a genunine email and alter the URL and you'd never know you'd been duped if you went by the examples in this test - you'd just think it looked real, click on the URL, login and end up being scammed.
This 'test' is utterly worthless as a result. You *can't* tell just by looking at the surface content of an HTML rendered email. If you can't look at the email headers or the URLs you have no way of knowing all of them arn't spoofed.
Even though the displayed html component is wrong, the actual links that they reference are all owned and operated by earthlink.net.
So even though there are 2 typos, it wouldn't be the first time that a valid company screwed up in that fashion.
After doing nslookups on the names, and doing whois on the returned ip addresses, all the entries appear to be under earthlink.net's control.
So I placed it as legit, although typos were included.
The only major typo that wasn't actually owned by Earthlink was the wwwearthlink.net entry - which was owned by Interserver, Inc.
However, the URL that was referenced by the text that was displayed was www.earthlink.net which was correct.
So, if it was supposed to be fraudulent, the referenced URL was a typo.
Either way, I win - it was okay!!!!
Who is general failure, and why is he reading my hard drive?
I was going to use AC to reply but I have to say I agree with the parent. I don't agree with all of his language (cowering below letterheads and such), but I do agree that a good deal of people suffering from this are already poor. I say this because the rich are neither seriously hurt monitarily or are treated like dirt by credit card companies (those who ultimately decide who pays for the fraudulent purchases). You try getting Visa to erase that $3000 purchase off your card when you're already struggling just to pay off the interest on your debt to them. Trust me, it's hard.
On the other hand, consider that in this test, subjects were actively thinking about whether or not these emails were fraud. They had advance warning that they might be exposed to fraud. That doesn't happen in the real world...the general assumption when you get an email from a service to which you subscribe is, "Oh, this service I use is trying to contact me about something important."
It's kind of like April Fool's Day. Play a prank on somebody on April Fool's Day, when they're expecting it, and they might not fall for it, because they're on the lookout. On any other day, the same prank might succeed easily, because the victim is caught off gaurd.
We don't have a state-run media we have a media-run state.
I got 10/10 and didn't check any IP addresses, Headers, or domain names. I think most of the scams are extremely obvious. 1) Any email with a link that asks you to enter you credit card information in the linked page is bogus. 2) An email that gives you instructions on how to log on to the company website manually to enter details is ok. If you enter www.paypal.com into your browser yourself, you know its the legit site. 3) Major grammar/spelling mistakes mean its a hoax. 4) Emails that contain an enormous amount of legal information have a higher likelihood of being legit. 5) Emails with information about maintaining account security have a higher likelihood of being correct. Most companies will now try to avoid sending emails that resemble phishing scams (no links to enter your credit card information). So it should become easier to spot scams now.
I am using Mozilla 1.6 on Linux, and none of the links work, nor do they show anything in the status bar. I think the test is broken for Mozilla. Since when did Slashdot become a hangout for Windows users that pretend to be Linux zealots?
You're right, but most people don't know how to check the headers, much less look up the IP. But the two easiest checks against these type of messages weren't available in the test:
1) Does it make sense that I would get this? If I don't use US Bank, for instance, it's obvious it's fraud. But for the sake of the test, I think they assume you're involved with those companies, and that's okay.
2) More importantly, they don't let you check where the links are going to. If I rollover "www.paypal.com" and in the little bar in my browser it says "www.paypal.com," I know it's alright. But if it says "ccnums.steal-this-suckers-identity.com"...
c-hack.com |
If that's so, then why did we all score so high (I got a 90% -- I thought the "paypal shipping" one [#9] was a fraud)?
The reason is that there's one way you can tell: ALL the frauds had text saying "click this link" The two legitimate ones other than #9 told you to sign in, but didn't provide a link. (although they did provide other hyperlinks -- just not to the login page)
#9 fooled me because it had a link to click.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Just want to point out that two of the "legitimate" emails on the web survey could easily have been fraudulent. These are the "Don't lose your MSN Hotmail account!" email and the "Your credit card ending in 2008 will expire soon." email.
i ".
In fact, I've seen a version very similar to the credit card expiration link that warns about typing in the URL but then goes ahead and provides a clickable link anyway. When you look at the code, the link actually goes to a completely different URL than what is displayed, using the old trickery of "http://paypal.com@12356789/cgi-bin/trickedyou.cg
For those not familiar with the trick, "paypal.com" in the above url is the login name the web browser is instructed to provide to the web server while 12356789 is the decimal representation of the web server IP address.
Only the shipping notice fails to smell fraudulent. Even that could be rigged if you wanted to, by having the tracking link require you to "open a free UPS tracking account."
Of course, if they'd provided the entire emails instead of just the html representation, any techie could have sorted it out. But not the mere mortals.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
I counted them all as fraud because of the Javascript mouseovers for links.
What you missed is that one of the links uses whitespace to obfuscate the real destination: 'http://www.earthlink.net{whitespace_removed_for_l ameness_filter}@curvet.co.kr/curvetdb/images/CVS/'
The spaces move the end of the URL past the end of most status lines.
Here's an idea:
Mozilla plug in that traps HTML anchors, and if they don't match what they are linking to, shows a popup -
"Are you sure you want to click this link? Because it really points to here..."
It could even attach a danger level to the popup. e.g. a mouseover status bar change to another URL would be questionable, as would dodgy characters in the URL to cause problems (there was one with a % in it floating around a while ago). Maybe even a database of fraudulent websites? It would have to remember the false positives to prevent annoyance.
Just an idea. Somebody might have already done it. I wouldn't know where to start to write it, but if this was a software patent - it wouldn't matter.. snigger
Why? The links are not working.
:)
All the fraud-mails I get refer to illegitimate websites or servers in China or Russia.
An other way to check the validity of the mail is to check the mailheaders and see is they are correct.
But still I scored 70%
The funny thing is I would have scored 100% is this was for real. Why? I don't do PayPal, Visa, Earthlink and so on
And GENERAL MOBUTU is not my african friend, so I'm not falling for his sweet talk either...
Privacy is terrorism.
The _only_ way to tell the real thing from the fake is to look at the actual URL the link points to.
The morons who run the test changed them all to point to their own site; so every one of them is clearly fake.
Relying on any other content in the email is just stupid; the phishers will just improve their spelling and wording until it starts fooling enough people again.
This isn't new.
Member of Orkut? Annoyed with spam?
If the email says to login then update your information with out providing a link it's probably okay, if they provide you a link and it looks technicle then stay away.
500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.