Why Phishing Works
h0neyp0t writes "Harvard and Berkeley have released a study that shows why phishing attacks work (pdf). When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators. The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate. This study is brought to you by the people who developed the security skins Firefox extension."
Phishing works because people don't understand (nor do they want to) the basics of the technology they use (example: Jerry Taylor).
This guy's the limit!
As long as users will have physical control over their machines and choose what or what not to open, it will be like VM-based rootkits, an NP-Complete (and hardly solvable) problem.
It works because it plays on the concept that seeing is believing; and most people will trust their eyes over their minds any day of the week.
The world according to SComps
Humanity is doomed.
John
Instead of visible UI, there would be electrodes that you attach to your sex parts before surfing. Legitimate sites with valid certs and no nonsense in the HTML would generate an electric shock which the user would definitely notice. Illegitimate sites would not generate the shock, informing the user not to enter personal data.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
People are stupid. Total knuckle biters. Every one of them.
...
That is all
Think of the average internet user. I'm surprised that 77% are actually looking at more than just the content. It's probably because the media has made a big thing about it (as they should).
-8, why do you ask?
I think anyone who uses outlook to schedule meetings should know this, especially if they are in a global org.
-nB
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
"There's a sucker born every minute." Listen, we can put an evil Devil's face on the browser, along with flashing neon lights and big signs that say "WARNING: This site is suspicious", and a gloved hand that comes out of the monitor and slaps the user silly, and you know what? People will still fall for these scams! It's not people like you and me that are the targets of phishing. Ask your grandmother what a URL is, and (with some exceptions, of course) you'll get a blank stare. Heck, ask the cute cocktail waitress at your local bar, and you'll get the same response (and I wonder why I can't get a date...). That's what we're up against.
Don't get me wrong, I applaud these researchers and all other approaches to making the web a safer place, but in the end, at some point you have to trust that the user is going to take responsibility for their actions. The best we can do is bring the percentages down. The problem is it is so cheap to set up a phishing web site, that even if only one in several thousand potential targets fall for it, that's usually enough to ensure a profit.
My guitar chord generator.
the phishers or the idiots who follow them.
> Phishing works because people don't understand (nor do they want to) the basics of the technology they use (example: Jerry Taylor).
Funny you should mention him, though.
"I do not follow instructions that show up when a website that I am not familiar with appears on my computer and I do not think anyone with experience would do so either."
- Jerry Taylor
Even a blind squirrel finds a nut from time to time!
Although in the case of Jerry, it's more like even a blind seal finding a club :)
Because 99% of (l)users are retarded...
When the suspect site, for argument's sake let us say it was a credit card scam (since I had one of those a couple of days ago), asks for EVERYTHING--card #, PIN, security code, mother's maiden name, login name, and LOGIN PASSWORD, alarm bells should go off in your head. Also, it is highly unlikely that someone is going to give you a carrot on the end of a stick (in this case, $20 for a simple 3 question blurb about how the site was running or some bs like that) without a big catch involved. The obvious catch being that IT'S A SCAM.
Geez, I would feel sorry for these duped people, but it's getting harder and harder to.
To disrupt or completely stop this from happening is currently an impossible Herculean task.
Even netting one person can result in thousands of dollars worth of damages. If one in every one million phishing works, of course they'll keep doing it.
My work here is dung.
People believe what they see, even when they shouldn't.
People believe what they hear, even when it shouldn't be there.
And people's experience shows that 99 percent of everything they see on the Internet must be true, or it wouldn't be written down, like for example the obvious Fact that not only is the Moon made of Yellow Cheese, but it's quite tasty.
-- Tigger warning: This post may contain tiggers! --
It works because a lot of people are idiots.
Including the ones who needed to do a study to figure that out.
Did it have to do with daylight savings time? I for one am amazed how many people actually didn't know that many devices adapt automatically (newer DVD, VCR and TV). Oh, and if they don't, they often have a switch "DST active" or not. Examples: the PlayStation2 and many cellphones.
Heck, my cellphone has a timezone setting and I'm sure only 0.1% of the population has it set correctly.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
With news of the obvious (to us geeks) like this, it won't take long for the US Congress to enact on-line voting.
"Dauh, I thought I voted for the other guy when I clicked his picture in the e-mail reminding me to vote!"
I lost my sig...
People fall for phishing because:
- Most are not tech savvy, and have no idea the difference between http and https, don't look at the links they click on, and can't tell a spoofed URL from a real one on sight.
- Most people are pretty gullible. They believe what they're told, whether by a newscaster, the President, scientists, or the glowing pixels of a web page. Critical reasoning skills are lacking.
- Most people are pretty stupid. They get an email purportedly from their bank telling them they need to update their information for security purposes or have lost their bank account number, or something equally unlikely, and don't question it. They don't call their local bank branch to verify it, they simply click.
- Most people believe the Internet is infallible. They think every person who has a blog or web page knows what they are talking about. They think if a page looks a little like what they normally see when they bank online, that it's the same thing, even though the URLs to the links are all wrong.
You can't protect people from themselves, although our Congress tries to do this every day by passing inane laws that protect no one but the large corporations and billionaires. People who go online will continue to be duped as long as no concerted effort is made to educate them. Cue the PSAs.
GetOuttaMySpace - The Anti-Social Network
Light a fire, and the man stays warm till it is put off, set him on fire, and he stays warm for his lifetime.
These sites are no different to traditional confidence tricksters that knock on your door and pretend to be something they're not with phoney IDs. It took many years for Joe Public to be fully aware of those scams too. Just need to elevate the public's awareness of the whole issue. The paper whilst interesting is slightly obvious, after all if the phishing emails didn't work we wouldn't still be getting 10s or 100s on our mail servers every day.
I remember the one time I almost thought that I fell for a phishing scam.
I got an email saying that my student loan company needed some more information to give me the loan. I had to log into their website to check out what exactly it was and what I needed to send in.
I just clicked the link in the email and typed my login information (of which the username is my SSN) and got a message to the effect of 'password incorrect, please try again.'
I did this two or three times with some of the different passwords that I usually use...and then I thought about it.
Oh fuck! The address bar said 'www.terri.org' and my bank was Chase. I freaked out, thinking that I'd fallen for it...
Turns out terri is the company that processes the loan or whatever and I had just mistyped the password. But I reminded myself to not be so trusting on the internet, and always re-type the site in for things like that...
Because apparently I can get 23% of people on the internet to send me their personal information if I set up an Apache server at my house, and send out a couple emails.
If you want to see how gullible or just plain stupid people are, check out the story in my Journal titled, 'Renowned psychiatrist bilked by Nigerian scam'. It was rejected by the editors so I plunked in my Journal.
Even after the guy knew it was a scam and promised his son he wouldn't send any more money, he still did it anyway!
Maybe a bit different than a phishing scam but along the same lines.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
I don't know what I blame more - the thief or the victim. Why does it upset you, slashbot?
In stunning outcome of research on security indicates that people are weakest link in security chain.
Other amazing developments include discovery water is wet, fire is hot, the sky is blue.
Film at 11!
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
The home page for my housemate's Web browser was set to Yahoo, so whenever she needed to enter a URL, she just entered it into the Yahoo search field. It worked... most of the time. I mean she'd get a list of Web pages and one of them would be the right one. But it makes my teeth itch just thinking about it. She didn't seem to understand what a URL was at all.
Check out Acutrust. I recently reviewed it for my employer and it looks very interesting.
For Anti-Phishing to work it needs a UI with support right down into the SSL layer.
Currently it's next to impossible to differentiate things on the web. It's the great equalizer, and as we are finding, it makes things *too* equal. You are on equal footing with a bank when trying to convince people to enter financial information. We need a bit more structure, a few more checks and balances.
set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
Con-artists are older than recorded time. Snake-oil salesmen, crooked used-car lots, (snail) mail scams and their ilk are likely at least as prevalent even in our quasi-"Information Age".
How many educated people have bought a lemon? I've known otherwise educated, extremely intelligent college-educated (students and grads alike) who've done this. Perhaps everyone should be fully educated about the hazards of auto-buying, phishing web-sites and maybe get a medical degree for proper evaluation of physicians while they're at it.
The answer is not pamphlets and FAQs. If anything these "easy answers" only propagate the problem of people being too damn trusting. Seek your own understanding.
/* MAGIC THEATRE
ENTRANCE NOT FOR EVERYBODY
MADMEN ONLY */
I was caught by a phishing scam once at my old company.
An email was sent out that looked exactly like an official email and was linked to a page that looked exactly like the employee intranet page.
I let my guard down just a tiny bit and got snagged.
Phishing works because people are sometimes stupid and frequently lazy.
Execute? [Y/N] _
Phishing works because most people are suckers.
On a related topic, I was trying to pay my Bank of America bill online yesterday and they had some new security system (called "SiteKey", I think. Probably (r)(tm) and whatever) where it gives me some picture and also had me provide 3 answers to 3 questions (like lost password questions). Now, I kind of went through it quickly, but I was under the impression that whenever I login, it was supposed to show me the picture (my Site Key) and told me not to use the site if I don't see it, but since I signed up, it doesn't show me the site key. I'm hoping that whatever is broken about it they fix... Not that I really care if someone hacks it. All they can really do online is pay my bill which they're welcome to do.
A few months ago, my sister freaked out when someone broke into her PayPal account.
I didn't find out until just a week or two ago that this was the direct result of her falling for a phishing attack - and that my mom fell for it too! They're lucky I live 12 hours away so I could smack them both upside the head. I'm not exactly shocked that my mom fell for it, but my sister should really know better.
Warning: Apple/Nintendo fangirl. Likes her electronics cute & cuddly. May be rabid.
Due to MySQL database problems we have lost your password. Please Enter your Login and new Password below.
Login:
Password:
Well, perhaps an unpopular opinion, but I don't see why favicons need to be shown for the current page anyway. It makes sense for bookmarks, but it seems showing it on the current page is just asking for this kind of confusion. How about just showing a generic icon until a site is bookmarked?
if I didn't just assume every bit of unexpected e-mail was a scam. Ask me to actually prove it, and I'd have some problems. For example, I got a notice from "ebay" saying my on-file credit card was about to expire. I chucked the e-mail, but when I logged on to ebay a few days later, I noticed that the credit card on file was indeed expired. I just deleted the info rather than updating anything, but it's only paranoia that keeps me from getting caught.
"the purpose of any scientific study is to prove what everyone already knows"
upon the advice of my lawyer, i have no sig at this time
From the synopsis (and echoed in the paper): "The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate."
While I don't mind taking a swipe at M$ft from time to time, I find it difficult to imagine how a brightly colored red address bar (even one outside the focus of attention) with "Phishing Website" written on it will be ignored.
The only thing (and I am keeping in mind users that are not extremely tech savvy) that would be more obvious would be a "arm-like" device attached to one's monitor that points to the "Phishing Website" text displayed on the screen and whacks you on the top of your head if you still proceed to enter all your personal information in.
Listen, we can put an evil Devil's face on the browser, along with flashing neon lights and big signs that say "WARNING: This site is suspicious", and a gloved hand that comes out of the monitor and slaps the user silly, and you know what? People will still fall for these scams!
From the article summary: Some users think that favicons and lock icons in HTML are more important indicators.
As some other posters pointed out, "these were above average users, we're doomed". Not exactly the world's best parallel- but if "above average" users set themselves on fire using your company's fireplace, would you say, "MAN! We have REALLY stupid users"? Maybe your manual gives improper instructions. Maybe you have a defect. If your "above average users" are fooled/tricked, then the operating system/email client/browser is failing, not the user.
Also, want to take a guess why they think that "lock icon" is so important? Because for years they've been told by "tooltips", every "consumer reporter", etc that they should look for it, "when shopping online". It's not the user's fault that they've been given information that was at best incomplete; nobody told them "the lock just means your connection to the other computer can't be decoded."
Compound this with all the problems in Outlook, IE, Windows...well...the deck is rather stacked against them. Not to mention, it used to be a lot tougher to get an SSL cert...
Please help metamoderate.
I always encourage others to 'go on the offensive' and help pollute phishers' databases with the awesome site: PhishFighting.com. Set a few tabs open to fill the phisher's database with useless data, check back later and see the site is offline (likely from the attention garnered from all the bandwidth usage!)
As bosses would say "It's a win-win!"
fak3r.com
I bet new measures would drop it below 20% at least, maybe 18%.
Lots of us mail gurus have been switching to using SPF (Sender Policy Framework), which is a separate set of DNS-ish records that tell mail servers who is qualified to send mail for them.
The answer to phishing is a similar setup, that queries a DNS server to check and see if this "site" is OK to mirror for this site, or accept requests.
Just a shot in the dark, but I bet something could be worked out like this.
This would eliminate a lot of the question of whether or not a site is legit.
or lack thereof is what makes phishing work. I remember being taught it in high school and wondering why, since it seemed so natural and obvious, but a lot of people have trouble thinking critically, and take everything at face value. Combine that with reading skills that prevent them from recognizing bad grammar and you've got a healthy crop of suckers.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
because people are stupid.
Being able to identify a phony/suspicious URL? Hardly!
I've had support calls here at the *hospital* from *doctors* who are trying to 'log in' to their computer in the Address Bar of IE.
Phishing has the highest job security rating on the planet.
Han shot first.
In defense of the clueless (NOT Jerry Taylor!) I have to ask you, how many people understand how a physical lock works? Well, all of them. You put the key in and turn it.
Few have a clue about its tumblers and other doodads and geegaws.
How many understand how a car works? "Yeah, I know how it works, you put the key in and turn it, then you drive away."
A certified Ford mechanic knows about the car's crankshaft, cylinders, pistons, fuel injectors, all the other components and how they're put together as well as you and I know how a PC and TCP/IP work.
You shouldn't have to know the physics of the expanding gasses in the cylinder driving the pistons (and how the valves work etc) to drive a car.
We, the nerd community, are to blame for failing to deliver something as simple as a web browser that works as easily as a door lock or a car.
And the banking industry itself should be educating the public about phishing. I get tons of mail from my bank telling me about its whiz-bang web based banking, but nary a word about phishing.
How is Average Joe supposed to know this stuff?
As to Taylor, he claims 22 years tech experience, so the man deserves more ridicule than we can possibly heap on him.
may be possible:
* track the guy registering the DNS (people will less likely click on IP address & give their password, although some will :-( )
* solve mother of all online problems: SPAM. no SPAM, phishermen will have few fieshes to target
This sig doesnt exist.
Something like over 300 Americans have fallen for the Nigerian 419 schemes too. 60 Minutes did a piece on a victim several years ago. Earlier this year the son of a demented California college professor tried to get guardianship over his father who fell for the scheme too.
Judging by the fact I still get several of these emails a week, and used to get US mail paper letters in the 1980s, the perpetrators are getting results from less than one per million emails. But someone is still making money.
Even if you wrote a phishing page that stated in big, bold, blinking letters "This is a Phishing Scam, and if you fall for it we will drain your bank account", some people would still click the link and enter their data.
Some were just born stupid.
http://www.rinkworks.com/stupid/cs_obvious.shtml#
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
http://www.maryanovsky.com/sasha/smokedsalmon/
You have to admit it has the best name :-)
I suspected from the very beginning that it was a phishing scam, but it took me quite a while to figure out how it was done.
They sent me an HTML email with a link that looked like it was going to my bank but actually went to an IP address in Taiwan. The webpage they loaded created a popup window asking for login information and then used meta-refresh to load https://www.mybank.co.uk./
Their login popup was presented in a look and feel that was completely consistent with my bank, and behind it was my real bank's homepage, complete with lock icon and real certificate. The popup itself had no address bar or status bar, so you couldn't see that it wasn't a secured page.
I was very impressed by the whole scam, especially since the original email even looked like an official one (in the usual style of my bank). Obviously I shouldn't have clicked the link in the HTML email, but apart from that and some viewing of HTML source, I'd never have picked up on it.
I certainly expect lay-people would have been duped.
If phishing is made legal, and people who are suckered into phishing scams have no recourse to get back their money or credit, the problem will disappear very quickly. Either people will wise up, or all the idiots will be culled. Nice, simple, natural selection.
Plus, I could make a few bucks and not worry about getting arrested.
I got a new laptop after being away from one for awhile, and got into a new usage pattern in which I frequently choose Turn off computer|Stand by. Once I accidentally hit Log off, and then chose the log off button due to the similarity in its color to the Stand by icon.
I have recently received some emails that I think may be legitimate but look like phishing attempts. Also Thunderbird thinks that it is a phishing attempt.
I am registered at the BBC Shop. I have allowed them to send me email and they have been sending some offers. Lately the links in the email seem to go to http://bbcshop.msgfocus.com/ with some unique id added. Even to the point that a link that has the text "bbcshop@bbc.co.uk" and looks like an email link is actually a link to an HTTP request at bbcshop.msgfocus.com.
All this was enough to make me not click any links. I did not find much information about msgfocus.com either.
It could be a phishing attempt. I really am not sure. On the other hand, the email has some personal addressing that matches the information I have given to the web store. Maybe BBC has decided to use some clueless emailing service. But my point is that if respectable web stores send emails that look like phishing attempts to their customers it will become more and more difficult to identify phishing in the future.
I am not fooled so easily. I know better than to click on TFA link..
suckers trying to pull a fast one eh??? Is this even slashdot??
*gasp* I might have already fallen into their trap!
I'll bet they are all sitting back laughing and pointing at me with that smug hacker look on their faces...
CURSE YOU, YOU INFERNAL PHISHERS!!!
The article shows that the technology as it is now is too confusing. why would an extra layer of complexity make things better?
Instead one should teach to make people learn the indicators: credit card companies should mail out phishing spam themselves, and block every card number they harvest. Lather, rinse, repeat. Only after they show in some test that they have the required knowledge should their cards be reinstated/reissued. Repeat offenders pay a pretty high reissue fee.
This space is intentionally staring blankly at you
Aha! I caught you trying to use a piss-poor phishing scam to get comments meant for my post
I am going to notify the FBI, CIA, SEC, DEA, HLS, and sue you for copyright and DMCA violations!
I will be rich, rich I say!
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
For the same reasons if tomorrow we just went and gave everyone a high-powered laser, 80% would burn their eye out (and probably their hand off).
The three reasons phishing works:
1) People are stupid
2) More people have computers than should have them
3) People are too lazy to learn how to properly use anything they own
Computers should require an access card for use. An "I'm smart enough to use a computer" card. Initially getting the card should require a few months of testing and certification. What you are then allowed to do with a computer is determined by what level you were certified at. Recertifications are required yearly.
Why not? A misused computer can cause as much damage to someone's property and life as a misused vehicle.
Congratulations, I could have told you that. This is why I'm glad not to be in IT support any more.
The participants of this trial were all quite normal people: most of them Windooze users, one a Mac user. Nonetheless, this is the important userbase when it comes to phishing. (Or have you ever seen a linux phreak, living in mom's basement, who has something worth stealing in his bank account?)
Well, I personally (using Opera on Linux, designing and programming small websites and having done a phishing site for educational purposes once) fell for the bank of the vvest-spoof. I explicitly looked at the location bar and didn't see the vv. Needless to say that the rest of the spoof (the HTML part) was just superb.
Hello greeating and God bless, friendly Slashdot reader chap bloke homeboy. I am Prince Roberto of Nigeria, and for to be further reading of this Slashdot post, I am need you for updating credit cards information in reply message, after which I be deopsit sixty millions of American dollars into your bnak accounts.
Slashdot Burying Stories About Slashdot Media Owned
Sure, Phishing works. We know it does, and some of the most technical people can be caught offguard. It goes with any forgery of any secure material, be it fake IDs, S.S. Cards, etc.
However, with regard to TFA, I have some doubts about their data. First, they use *only* 22 participants, which is a horribly low number. They give no background information of how they chose them. It could have just been 22 of their friends that they could con into playing with some web pages.
Also, there are no controls with regards to the web pages. I didn't see (in the page list) two pages that would look identical and be either spoofed or real. This, to me, would be an important piece of information to support their conclusions. I personally would have had two identical web pages shown with only the browser security indicators changing. This would come a lot closer to showing people either ignore or watch those things.
It's not that I disagree with their findings, it's just it would be a lot more believable with more people and a proper writeup of the makeup of such a group. You can't get a truly random group of people, but with larger numbers you can get closer.
Instead of laughing at the poor suckers, why not take a few minutes to educate your family about the dangers of phishing sites? I've told my family they should never respond to a URL contained in an e-mail. If the e-mail claims that your account has been compromised, or that they need to verify your account information, or whatever - don't click on the link. Call the number on the back of your credit card, call your Bank, log in to your Paypal or eBay accounts by typing in the URL you usually use. Verify, verify, verify. Once they have gotten the idea, tell them to spread the word. The fewer people who fall for phishing scams, the less money there is to be made, and the problem will eventually resolve itself.
I hope.
I suppose it's possible that some users reviewed the expired certificate and made an informed judgment that the site was still safe, but I bet many didn't even look. Phishers know this and regularly construct spoofs using invalid SSL certificates, betting that customers will trust the "gold key" and ignore the browser warning.
RichM
Data Center Knowledge
"97% of automobile owners, when asked how they determine if their automobile may need critical service soon, state that they 'see if the car won't start.' In other words, only THREE PERCENT hook it up to an auto engine analyzer!"
Any technology distinguishable from magic is insufficiently advanced.
No, seriously.
I recall hearing about a study wherein monkeys were given the option of pressing one of two buttons at mealtime. Button A would always produce normal food. Button B would infrequently produce a treat, and usually produce nothing. The monkeys always pressed Button B.
(I know, you can't let monkeys starve to death in an experiment, so it wasn't perfect perhaps, but it makes my point.)
Shifting gears just a bit -- I have wondered for a long time myself how humanity has accomplished all that it has when such a large proportion of humans (those in charge of things as well as not) are complete morons. It seems to defy logic.
Let's presume that the results of that experiment are correct. (If anyone has a link to substantiate my claim, I would appreciate it.) Monkeys gamble; they try to get something for nothing instead of going for the sure steady payoff. The inference, of course, is that humans do the same thing.
Perhaps, over the long term (and I'm talking generations long), the "gambles" that individual human beings take pay off to the benefit of humanity as a whole. Think of the vast numbers of people, in attempts to invent fireworks, who must have blown their fingers or hands or heads off. People still do it. That's individual stupidity.
But we've gone to the moon, we've sent probes to far-off planets, we have a world-girdling network of communications satellites. None of that would have been possible without the moronic work of tens of thousands of individual idiots.
So, my hypothesis is as follows:
The sum of individual stupidity is communal success.
It's not tools, or language or brain size that sets humans apart from the beasts. We are more successful as a species because we are stupider as individuals.
Web 2.0 == Giant Blogspam Circle Jerk
Kinda like physics with less math. I answer them with phoney information. My favorite name is Mr. Bomba Scari and I use the White House switchboard phone number and address. Hello, may I speak with Mr. Bomba Scari? I'm calling from Nigeria...
Also, what if I'm trying to type a long website like bankofamerica.com? How do I know I won't make a typo? And was it really supposed to be bofa.com?
My preferred way to find the correct website for a company is to google that company, make sure google doesn't complain that I spelled it wrong, and pick the first result. That always gets me to the right place.
Typing in a URL is too error-prone for my taste. You might accept that your housemate is more clever than you... ;)
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
I always thought that phishing worked because it cost so little to set up and you only have to dupe one or two people to make thousands of dollars?
http://www.DaveNet.biz/
I am of the opinion that the phishers just aren't trying that hard anymore, especially when I receive four copies of the same message telling me my account is closed at a bank where I have never had an account. Or where I receive messages about my Paypal account at an e-mail address I never use Paypal with. I just don't click on links in e-mails. Period. But seriously, though, it seems now that phishers are just spamming instead of improving sophistication. It's kind of sad really. Smells a bit like desperation on their part. And no I did not RTFA. I did read the abstract.
I got "phished" a week ago from some scammer with an eBay handle of "precisionlaptops4u" looking for eBay logins. I emailed eBay and hoped they could shut the perp down. And then again yesterday I got another one. Same guy, same scam. The URL is: http://1342912795/intranet/forum/templates/subSilver/images/wsbleh/ebay/index.html
I started looking at the problem myself and put my findings at my Blogger blog. http://mrlinuxhead.blogspot.com/
Same guy is still up, and doing it today.
I may be bad with names, but I'll never forget your IP address
It seems like everyone wants to argue that phishing works because "there will just always be so many idiots who don't understand." I think this is a pretty pessimistic, misanthropic, slightly elitist viewpoint.
It "works" because it costs the phisher almost nothing. It always takes at least one sucker, but it doesn't take an average number of suckers per 1000 people.
Suppose a phisher sends B "bait" emails and suckers N people out of W dollars each. Also suppose it costs the phisher C dollars to do all of this. So think about the efficiency... the payoff is N*W - C, so the payoff per dollar invested is something like (N*W - C)/C = N*W/C - 1, and N, W, and C may all depend on the number of baits, B. It's reasonable to assume W is constant. Suppose N *isn't* proportional to B, but is still increasing on the whole (it may saturate at some level, for example). The problem is that C is still insignificant, and certainly doesn't grow as fast as N does, so there's always a huge incentive to send LOTS of bait emails.
If the number of suckers really is a percentage, then that makes the situation worse, but getting rid of most of them doesn't fix the problem. It helps, but it might help more to focus on stopping the fact that this is "easy money" for someone with the right resources than complaining about how not everyone has the same level of skill with a computer as you do.
m0nstr42.blogspot.com
That all being said... For this particular problem I don't see why we couldn't authenticate a site using something analogous to PGP security in e-mail.
Ask me about my sig!
Well, excuse me if I can't keep all your fscking domains straight, Citibank! How am I supposed to spot a phishing attack when you have 18 URLs on your list of valid ones? I think you could do a lot to help folks spot phishing emails if you would restrict yourself to your citibank.com domain. Then folks could remember, "You want citibank? Go to citibank.com."
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
Phishing works because of the large number of computer experts in places like Tuttle, Oklahoma. (BTW the verbiage in the subject was intentional.)
http://www.theregister.co.uk/2006/03/27/tuttle_email/
For the follow up.
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
If all email was plain text, phishing would decrease significantly. Unfortunately, we have "helpful" things like hyperlinks in email (a well-intentioned but bad idea) that help perpetuate this type of problem. I can't recall the last time I clicked a link in an email, but I can tell you it was a long time ago.
Chances are, if the user had to copy and paste the bank's URL out of the email, it would be a lot harder to hide the fact that the URL directs to some non-official site (bankofthevvest is a counter-example, but it would still help). Most likely, people would type in the bank's URL and create a bookmark. Then when they got the email they would open their browser and click the bookmark and log in. Problem eliminated.
This isn't an IE/Outlook problem only, I admit. There are a lot of mail clients that provide this same "helpful" behavior. But as with auto-executing scripts in the Outlook preview pane, it would be better (IMO) if they didn't.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
I have a U.S. bank account, and I do my banking online.
The other day, my username and password were rejected. Since I had just been changing passwords on other sites, and assumed that I simply forgot what I set the new password to, I hit "Recover ID/Password".
Do you know what U.S. Online Banking wants to confirm you are who you say you are? Why, nothing more than your debit card number or account number, your PIN number, and your Social Security number. I shit you not.
Needless to say, I freaked. I checked it from another browser, viewed the certificate info, and even had my wife try to recover the password from our computer at home (I was at work) and it gave the same error messages and recovery options. Accessing my account info from phone wasn't working (it was after hours), and I needed to see if a check was deposited, so I bit the bullet and created a new password. That didn't work, either. Ultimately, I hit an ATM after work to check my balance.
The next day, I called U.S. Bank and talked to a human being. As it turned out, the reason I couldn't log in was because I had apparently used up my three failed login attempts, and it locked me out. (This was not stated in any error message; if it had, then I wouldn't have messed with the recovery feature.) I was also told that any further failed login attempts will automatically lock my account access, and I will have to call to have my access re-enabled.
Oh, and when I asked the nice human why they asked for such personal info, they said "that's how we can confirm that it's your account". When I pointed out that many other online banks use custom question/answer challenges and that this conditions users to enter sensitive information without questioning, she gave the same response.
Needless to say, I plan on closing the accounts that I've had at U.S. Bank for over 16 years as soon as possible, and letting them know that their customer-hostile online banking solution is the reason why.
look at http://211.41.28.11/CHASE/index.htm
they use the exact same CSS and headers.. sometimes it's impossible even for me (after a BS, MS in CS) to figure out which emails are legitimate and which ones are not.. and given that all banks nowadays FORCE you to go for 'electronic statements' instead of paper statements, it's even worse
-----
From: Chase Manhattan Bank
Date: Mar 30, 2006 8:26 AM
Subject: $20 Reward Survey
Dear Chase Bank Customer,
CONGRATULATIONS!
You have been chosen by the Chase Manhattan Bank online department
to take part in our quick and easy 5 question survey.
In return we will credit $20 to your account - Just for your time!
Helping us better understand how our customers feel benefits everyone.
With the information collected we can decide to direct a number of changes to improve and expand
our online service.
We kindly ask you to spare two minutes of your time
in taking part with this unique offer!
SERVICE: Chase Online® $20 Reward Survey
EXPIRATION: March - 31 - 2006
Confirm Now your $20 Reward Survey with Chase Online® Reward services.
The information you provide us is all non-sensitive and anonymous
No part of it is handed down to any third party groups.
It will be stored in our secure database for maximum of 3 days while we process the results
of this nationwide survey.
Please do not reply to this message. For any inquiries, contact Customer Service.
Document Reference: (87051203).
Copyright 1996 - 2006 Chase Bank, N.A. Member FDIC Copyright © 2006
Why not just highlight the domain in the address bar? That's the important part, is it not?
...look at your address bar right now: the browser is practically trying to HIDE the domain and rest of the URL. It's trying NOT to compete with the page contents... but it NEEDS to!
The domain could be shown in RED lettering (or blink 5 times, etc.) if the user has never visited that site before.
There are lots of non-obnoxious visual cues you can add to maximize the number of people paying attention to the URL they are at.
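As an added example (not code from the thread or from any browser), here is what such highlighting needs under the hood in JavaScript: splitting a URL so only the registrable domain is prominent, plus a glance-alike check for tricks like the "vv" for "w" swap (bankofthevvest) mentioned elsewhere in the thread. The public-suffix subset, the confusable table and the bank list are constructed assumptions.

```javascript
// Added example, not code from the thread or from any browser: split a URL
// into the pieces an address bar could style, with the registrable domain as
// the only prominent part, and flag hostnames that merely look like a bank.
// Constructed subset of public suffixes; a real browser would consult the
// full Public Suffix List (https://publicsuffix.org/).
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "com.au"]);

// Registrable domain (eTLD+1) of a hostname; the hostname itself when no
// known suffix matches, so an IP literal comes back unchanged.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let n = Math.min(2, labels.length - 1); n >= 1; n--) {
    const suffix = labels.slice(-n).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(-(n + 1)).join(".");
  }
  return host.toLowerCase();
}

// Parts of a URL in display order: scheme, de-emphasised subdomain prefix,
// the domain to highlight, and the de-emphasised path and query.
function addressBarParts(url) {
  const u = new URL(url);
  const domain = registrableDomain(u.hostname);
  const prefix = u.hostname.slice(0, u.hostname.length - domain.length);
  return {
    scheme: u.protocol + "//",
    prefix, // "www." or a long decoy such as "citibank.com.login." in front
    domain,
    rest: u.pathname + u.search,
    ipLiteral: /^\d{1,3}(\.\d{1,3}){3}$/.test(u.hostname), // no name to judge
  };
}

// Letter sequences that read as one letter at a glance ("vv" for "w").
const CONFUSABLES = [["vv", "w"], ["rn", "m"], ["0", "o"], ["1", "l"]];

function skeleton(name) {
  let s = name.toLowerCase();
  for (const [from, to] of CONFUSABLES) s = s.split(from).join(to);
  return s;
}

// Known domain that `host` imitates, or null when host is exactly one of the
// known domains or unrelated. Catches a confusable spelling of the domain
// and a real bank name buried as a subdomain of an unrelated domain.
function lookalikeOf(host, knownDomains) {
  const lower = host.toLowerCase();
  const domain = registrableDomain(lower);
  if (knownDomains.includes(domain)) return null;
  const sk = skeleton(domain);
  const confusable = knownDomains.find((d) => skeleton(d) === sk);
  if (confusable) return confusable;
  return knownDomains.find((d) => lower.includes(d)) || null;
}

// Constructed bank list for a quick run.
const BANKS = ["bankofthewest.com", "citibank.com"];
console.log(addressBarParts("https://www.citibank.com/us/accounts"));
console.log(lookalikeOf("www.bankofthevvest.com", BANKS)); // bankofthewest.com
```

An address bar would render `prefix` and `rest` in grey and `domain` in bold, and treat `ipLiteral` or a non-null `lookalikeOf` result as a reason to warn rather than a verdict.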
A legitimate email from Citibank contains something like 6 distinct domain names and a dozen or more hostnames for all the bits of image, URL, hosts the email traversed, etc. You cannot verify the legitimacy by "understanding DNS".
Here's what I see in my most recent "bank alert" from Citibank (legitimate message telling me of a recent paycheck deposit):
alerts@citibank.com
mail.citigroup.com
imbomr-nj02.nj.ssmb.com
imbaspam-ss02.namdmz.dmzroot.net
altgrn04.citialertgrn.da-us-grn.citicorp.com
http://www.citi.com/domain/images/36wav.gif
http://www.citibank.com/domain/images/citi36.gif
It used to be a lot worse. This has fewer domains than I remember. I recall there was also a citibank.net (I think) scam when someone registered it in Italy several years ago.
...for those of you who live in English-speaking countries. During my ten years online, I have got the impression that 95 percent of the phishing targets the Anglosphere, especially the US. Till now, we Swedes have been safe from hazardous domestic phishing attempts. The only one that I know about is a totally unbelievable upgrade offer from the bank Nordea, spammed out last fall. Bad machine translations (à la Systran) from English seem JUST like what a Swedish bank would use, right? Imagine an American bank using not-so-American English.
BTW, I wonder what the other 12 scam sites in Dhamija's experiment looked like. vv and w *are* *so* *similar* (glance-safe URL)! And login information is *often* being asked for in non-encrypted pages (no padlock/yellow URL).
Phishers know automation as well, and they do verify the data automatically. They don't care if it's just 10000 or 10 million entries; heck, they don't even care if a valid entry is incorrectly rejected by the check and therefore discarded.
Whatever you spill in, they'll filter it out and all valid entries are left.
However, when the phishers use a hijacked server, you'll create additional traffic, increasing the damage to the hijacked company. Wonderful idea!
creates a legit-looking website or email that is in fact illegit to steal info from you, what's the term for when a major financial company creates an illegit-looking website that is legit?
And what is it called when a bank like Washington Mutual informs an 80 year-old woman that she compromised her account information by simply answering "yes" over the phone when asked if her bank is located in a certain city?
http://wamublamesgrandma.blogspot.com/2006/03/wamus-response-to-my-letter.html
More often than stupidity (which seems to be the most popular explanation around here), it's just simple inexperience. Common sense is what phishers rely on to phuck you.
A big part of the problem is that, for as much energy as these major financial institutions have put into trying to stop phishing, they've put in as much to displacing responsibility for the security of their system on to their customers who SHOULD know a lot less on such matters. In doing so, they help facilitate this crap.
I call this Microsoft's fault.
I finally understood that it wasn't just developers being lazy when I had to write a couple basic dialogs in a vbscript application for work. There are no other options. You can say whether you want ok, yes/no/cancel, and a few other possible variations, but that's it. You can't actually change the wording.
I'm not sure to what degree this occurs in their other APIs and languages, but I wouldn't be surprised if in order to change the name of the icons you had to create your own custom form instead of just passing the new names as arguments, like every sane system I've used does.
This is what I did when opening a new savings account:
Clerk: "What is your email address?"
Me: "Uh, I don't use email."
Clerk: "You know, hotmail, or maybe a Yahoo account?"
Me: "Nope, don't use computers that much."
Clerk: "Ok, Do you use a cellphone?"
Me: "Nope, I like my privacy."
Ok, so I mildly (HAH!) prevaricated, but at least I ensured that I can safely disregard any email that claims to be from them.
The U.S. really needs an English to Wisdom dictionary.
Why does phishing work ? Because people are f'ing ignorant, that's why. If I showed up at your door claiming to be from Shitibank or that I'm the long lost prince of southern Iowa with 15 million euros "trapped" in a swiss bank account.. are you going to believe me and fork over your banking info ? No. Hell, even the real company reps take tons of flak doing door-to-door operations. So then why is it that entering someone's home by email is suddenly "okay" and they'll immediately fork over their vitals ? I could be canvassing the neighborhood promising free money to people and still they will slam the door in my face.
Man, people are too dumb to be true nowadays.
-Billco, Fnarg.com
I'm surprised but I'm guessing this paper used students at MIT to do the research. I would think that 90% of all users didn't look at the URL bar, and if they did use it they only did a fast check to see if it was SSL and almost the same name as usual. This is important because you can still register a fake domain that looks like bank.example.com and get SSL certificates for it.
I've actually tried this on my mother-in-law, where I took a dump of the front page of her bank and placed it at bank.example.com/; she didn't notice. I believe MITM attacks will be on the rise, and they can probably be very sophisticated if you have access to the local machine.
I don't care if the site is fake or not. I didn't type in the URL = I don't trust it. It's that simple.
E-mail pretending to come from a bank? If I didn't ask them something by e-mail, they shouldn't be sending e-mail in the first place. Put it in a mail box on the online bank page. Don't have online banking? Put it on the dead tree, and send it by snail. E-mails pretending to be from a bank will be deleted without being read.
My bank (BoA) sends me emails that sound like this: "You have a new balance statement! Remember, increasing reports of identity theft mean that it's more important than ever that you be on top of this! Click here to sign into our secure server and validate your statement!" That mail got flagged by SpamAssassin 4 times out of 5 as a phishing scam and it's no wonder why. I eventually called the bank up and asked them "Pardon me, under what circumstances would you guys send me an email?" and they told me "Either you've got mail in your bank mailbox, and we send you an email to tell you to check it, or you have a new statement scheduled". So, blimey, it's actually legit! How about educating the customer to never, ever, ever click on a link and then sending out mails saying "Hiya, your bank has a statement ready. You know the web address, go there now and read it." Hurts usability, I know, but depending on how much phishing actually accomplishes it might be worth it.
Help poke pirates in the eyepatch, arr.
I mean, honestly, isn't "Harvard" supposed to mean, like, "smart" or something? The kind of people who could manage an actual decent study? (and don't any of you stat geeks start talking about mean e data thoumond a bloo a bloo bloo, because with enough in-depth thought it's quite possible to completely ignore a raging forest fire in favor of DECREASING TRENDS OF TREES or whatever)
Oh, wait, it's a university, and since sometime around the second Clinton term, universities have sacrificed whatever ethics, attention to detail, and the delicate je ne sais quoi loosely defined as "giving a shit about what they're supposed to be doing" that they ever had, in favor of teaching how to be as disreputable and sleazy as possible.
Simply outrageous.
There's a lot of comments about how stupid people ("the masses" in leftyspeak) are. Scams prey on the most vulnerable people in society, and the losers posting these messages seem to extract pleasure from being smarter than these people. Question for the "stupid masses" posters: when a retarded kid gets his lunch money stolen from him, do you a) laugh at him and mock him, b) steal his lunch money the next day, c) walk away indifferent or d) buy him lunch? Well, your schadenfreude would indicate that you would choose a) or b). Maybe you geeks should take your hands off your cocks for a change and do something to help the less fortunate, rather than just mock them. I seriously doubt anyone who posted one of these "stupid masses" comments ranks among the brightest in society. Geeks. Sheesh.
You can't create your own?
I'm not familiar with VBScript, but in any Windows API or .NET app you can. It's much *much* easier to use one of the standard ones, of course... which is why people do it...
Why go to the effort of creating a new window when you could just call messageBox().
(Because it yields a vastly superior app, that's why)