Phish Scams Fooling 28% of Users
Etaipo writes "Anti-spam firm MailFrontier Inc has done some testing with consumers to see if they could differentiate between legitimate e-mails and phish scams. The results, to me, were pretty shocking.
The company also has provided a similar test on its web site. Get an answer wrong, and we revoke your geek license on the spot."
Personally I never cared for Phish. They attracted a lot of the same fanbase as the Dead but I just couldn't bring myself to like them. I tried, I really, really did. It's sorta sad that now that they are breaking up for good that they are scamming 28% of the population. I would have never guessed that a cool jam-band would have to resort to this sort of scheming in order to get money!
I guess after all those tours and all those basically unsuccessful albums they are in need of people's credit cards in order to support their own solo touring and promotion.
All kidding aside, I am genuinely disgusted that the authors of these articles did not call this sort of scam by a legitimate title such as "fishing" or "credit card scamming" or "you are a fucking moron for falling for the give me your Credit Card Number in an email" like it has been in the past. I wasn't aware that "scr1p+ K1dd13 sp34k" had crossed into "real journalism". I can see it now... Parents banning their children from listening to Phish because FoxNews told them that they could have their credit cards stolen.
-1 Troll for the authors of these articles.
I answered 2 incorrectly as Fraud to get an 80% score so I lose 2 geek points but gain them back for erring on the side of caution. Actually I never bother with HTML mail and just skip it. That hasn't bit my butt yet.
IT's colour schemes are giving me a seizure...
Trolling is a art,
Why did I have to provide a credit card number before the test showed me my score?
I passed with flying colors! This is an excellent quiz to send to your friends who are less internet-savvy. I found a common thread throughout all of them: "if you don't verify your account information, it will be suspended."
Homestarrunner.net -- It's Dot Com!
This test is like a Kobayashi Maru test on Star Trek. You have to alter the conditions to win. You can't see the details in the hyperlinks nor the referrer information in the header.
Some of these fraud mails looked really legit and were mainly given away by the fact that their URLs went to something like fraudprevent-visa.com instead of fraudprevent.visa.com. fraudprevent-visa.com is a domain name that may or may not be affiliated with Visa, while fraudprevent.visa.com is a subdomain of Visa.com, meaning it's not 100% safe, but much more likely to be legit.
But asking people to know this difference is asking a bit much of them. What might be interesting would be a "Phisher Identifier" built into mail clients that could identify bogus or unauthorized URLs based on a very carefully maintained database of legitimate URLs.
Seems that a plug-in could be written for Outlook, Eudora, etc.
- Greg
Start a happiness pandemic
Let me be among the first to call "Bullshit" on this supposed test.
Any nerd worth his salt knows to first check the headers of the e-mail and look up the IP to see where the mail really came from, and/or view the source of the HTML and identify obfuscated URL redirects. Then again, any IT guy who is using HTML-enabled e-mail should have his geek license revoked in the first place.
When it's that easy, you can't even call it social engineering. It's just social nudging, and people are ready to fall for it.
The CB App. What's your 20?
Pictures at eleven.
"Ask not what your country can do for you." --John F. Kennedy
But haven't fallen.
My parents got an e-mail stating that we were charged $3000 for a new Dell laptop. Nevermind that we all use Macs.
So I check out the site... Looks professional, seems legit, but it asks for a bank account and social number on a non-secure connection... Phishy?
I checked out the root domain of the given address and ran a search to see to whom the site was registered. Definitely not a real company, an individual, and the root domain didn't exist as an accessible webpage. Not the kind of thing that is very professional. I bounced the e-mail back and dismissed it. Our credit bill the next month didn't have a Dell laptop on it. What do you know?
All it takes is some common sense to get out of these things, but perhaps real companies should start adopting S/MIME or PGP to ensure their identities to make it more apparent to a layperson.
Of course, a false company could just as easily hide behind these "foolproof" authentication mechanisms.
Help a college student
Honestly, I got through 3 examples before giving up. The real test for me is, "Is the link back to the official site? Or does it look like a link and take you to some mysterious 3rd party server?"
In this test *ALL* links pop up to a "for the purposes of this test, this link has been suspended" This makes the whole thing useless.
Anybody can copy a legit paypal or eBay email and change a few words and make it "look" real. The key is in the links and the data mining.
Is it really so surprising that as spam matures it gets better at impersonating real email? It would be useful to repeat such a test periodically to see it trend over time. Likewise, it would be interesting to see the nature of valid business email content change over time to adjust. Perhaps we can have an internet age Darwin elaborate on the mechanics.
Politicus
Honestly, it's pretty simple. Just never click on any link in any email. If it's from a company you deal with, type in the URL you know and love to find the information. The only one of the emails in that entire "quiz" I would have trusted was the one without any links, that simply said "go to ebay.com, click on your account." Anything else could be fake.
At the very least, copy and paste the URL rather than click it, and study it for 3 seconds before going to the site to make sure it looks like the site you think you're going to.
I got Verizon DSL service back in February. A month later, I got an e-mail that basically stated there was a problem applying the DSL charges to my phone bill. In the e-mail, which was sent to "Verizon Customer", they suggested I reply to the e-mail with my account name and credit card information.
I thought it was a scam, but left it in my inbox. Two weeks later my service was shutoff. Apparently the message was legit.
After I got the problem straightened out, I sent them a very nasty, yet informative, e-mail and they agreed that they will review their e-mail policies and apologized for sending such a message to begin with.
Linking to a cgi from the front page? Why don't we just find out where the server is and burn down the building instead?
Here's a quickie link to the test examples. The month's almost over, and I've got plenty of bandwidth to burn. (Famous last words...)
http://www.littlecutie.net/temp/slashdot/
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
I know, I know, it's "gullible".
Normally I'd suggest that you should check the spelling in a dictionary first; but did you know that "gullible" isn't in the dictionary?
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
...is Social Engineering. Or Con Artistry depending on your tastes.
The average non-techie wouldn't know what a "Phish" scam was if it was sitting on their face, any more than they would know what a phreak was or why hacker, cracker, and coder all mean very different things.
I agree with GGParent. This crap should never have made it into the media. They're only going to be screwing it up.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
...I won't use an email client that renders HTML. Or at least, won't let me turn that off.
When I get these mails, 95% of the time I delete them unread; no legitimate business should ever need me to "confirm my information". Every so often I look at one, and since I only see the raw HTML, it's easy to see that the images and whatnot are all being pulled from the real company site, except for the "login" link which goes to some mysterious dotted quad address.
(Side note to companies: stop letting outsiders pull images off your server; only let your own pages refer to them. It's an Apache FAQ, fer cryin' out loud.)
Every so often a friend will send me HTML mail, but I can cope. :-)
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
Took the test, using Opera. All the links, when I hovered over them, pointed to http://survey.mailfrontier.com/survey/phishingtest/message_1/message1.htm#, which I assumed was part of their thing to not let you see the links. Got 6/10. Was somewhat puzzled, as I'm otherwise not a complete braindead dumbass. Check back at it with IE... turns out if you hover over them in IE, it actually displays the URL it's supposed to go to, meaning I'd've (double contraction, eh) gotten 10/10 most likely.
So is it taking advantage of an IE security bug, or what? (For the record, I just checked it with Firefox and it does the same thing, so this is not just Opera being a piece of crap.)
(I'll probably get modded down, and deserve it too, but I'm too amused at the moment to care.)
Work is punishment for failing to procrastinate effectively.
There were a bunch of spaces in the URL that kept the rest of the URL out of the status bar. You had to view source on the message to see the rest of the URL: http://earthlink.net@some.domain.kr/stuff.
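The two tricks discussed in this thread (the `fraudprevent-visa.com` versus `fraudprevent.visa.com` distinction raised earlier, and the `http://earthlink.net@some.domain.kr/stuff` user-info trick with whitespace padding just above) can both be caught by looking at the host a browser would actually connect to rather than at the text of the link. The following is an added example, not code from the thread or from MailFrontier; the sample links and the claimed domains are constructed for illustration. It uses Python's standard `urllib.parse.urlsplit`, whose `.hostname` discards any `user:pass@` prefix and port, so the part of the link that is meant to look like the real site never counts.

```python
"""Classify links in an e-mail against the domain the message claims to come from."""
import ipaddress
from urllib.parse import urlsplit


def effective_host(url: str) -> str:
    """Return the host a browser would actually connect to for `url`."""
    # Whitespace padded into a link pushes the real host out of the status bar;
    # browsers ignore it, so drop it before parsing.
    compact = "".join(url.split())
    # .hostname strips any "user:pass@" prefix and the port from the netloc,
    # so "http://earthlink.net@some.domain.kr/" yields "some.domain.kr".
    host = urlsplit(compact).hostname or ""
    return host.lower().rstrip(".")


def is_in_domain(host: str, domain: str) -> bool:
    """True if `host` is `domain` itself or a subdomain of it (dot-boundary, not substring)."""
    return host == domain or host.endswith("." + domain)


def classify_link(url: str, claimed_domain: str) -> str:
    """Categorise one link relative to the domain the e-mail claims to be from."""
    host = effective_host(url)
    if not host:
        return "no-host"
    try:
        ipaddress.ip_address(host)       # a bare dotted-quad (or IPv6) host
        return "ip-literal"
    except ValueError:
        pass
    if is_in_domain(host, claimed_domain.lower()):
        return "same-domain"             # e.g. fraudprevent.visa.com under visa.com
    brand = claimed_domain.split(".")[0]
    if brand in host:
        return "lookalike"               # e.g. fraudprevent-visa.com: contains the brand, not under it
    return "foreign"


def audit_links(links, claimed_domain: str) -> dict:
    """Map each link to its category; anything but 'same-domain' deserves a closer look."""
    return {link: classify_link(link, claimed_domain) for link in links}


# Constructed sample links (hypothetical messages, not real campaigns).
SAMPLE_VISA_LINKS = [
    "https://fraudprevent.visa.com/verify",
    "https://fraudprevent-visa.com/verify",
    "http://192.0.2.10/verify",
]
SAMPLE_EARTHLINK_LINK = "http://earthlink.net                        @some.domain.kr/stuff"

if __name__ == "__main__":
    for link, verdict in audit_links(SAMPLE_VISA_LINKS, "visa.com").items():
        print(f"{verdict:12} {link}")
    print(f"{classify_link(SAMPLE_EARTHLINK_LINK, 'earthlink.net'):12} {SAMPLE_EARTHLINK_LINK}")
```

The subdomain test is on a dot boundary on purpose: a plain substring check would accept `visa.com.example` or `notvisa.com`, which is exactly the kind of confusion the quiz relies on. This only judges where a link points; it says nothing about whether the mail's headers or sender are genuine, which the thread rightly notes you also need to check.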
The test was completely meaningless as you couldn't do all the correct things you SHOULD do to check the authenticity of an email.
It encourages people to base decisions based on *hunches*, which is utterly retarded. You could take a genuine email and alter the URL and you'd never know you'd been duped if you went by the examples in this test - you'd just think it looked real, click on the URL, login and end up being scammed.
This 'test' is utterly worthless as a result. You *can't* tell just by looking at the surface content of an HTML rendered email. If you can't look at the email headers or the URLs you have no way of knowing all of them aren't spoofed.
I was going to use AC to reply but I have to say I agree with the parent. I don't agree with all of his language (cowering below letterheads and such), but I do agree that a good deal of people suffering from this are already poor. I say this because the rich are neither seriously hurt monetarily nor are treated like dirt by credit card companies (those who ultimately decide who pays for the fraudulent purchases). You try getting Visa to erase that $3000 purchase off your card when you're already struggling just to pay off the interest on your debt to them. Trust me, it's hard.
On the other hand, consider that in this test, subjects were actively thinking about whether or not these emails were fraud. They had advance warning that they might be exposed to fraud. That doesn't happen in the real world...the general assumption when you get an email from a service to which you subscribe is, "Oh, this service I use is trying to contact me about something important."
It's kind of like April Fool's Day. Play a prank on somebody on April Fool's Day, when they're expecting it, and they might not fall for it, because they're on the lookout. On any other day, the same prank might succeed easily, because the victim is caught off guard.
We don't have a state-run media we have a media-run state.
I counted them all as fraud because of the Javascript mouseovers for links.
This isn't new.
Member of Orkut? Annoyed with spam?