Slashdot Mirror


Why Phishing Works

h0neyp0t writes "Harvard and Berkeley have released a study that shows why phishing attacks work (pdf). When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators. The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate. This study is brought to you by the people who developed the security skins Firefox extension."

2 of 293 comments

  1. While ISPs learn to block... by fak3r · Score: 5, Informative

    I always encourage others to 'go on the offensive' and help pollute phishers' databases with the awesome site: PhishFighting.com. Set a few tabs open to fill the phisher's database with useless data, check back later and see the site is offline (likely from the attention garnered from all the bandwidth usage!)

    As bosses would say "It's a win-win!"

  2. Re:It's Always Going to Work by Aspirator · Score: 4, Informative

    It isn't helped by some of the 'genuine' emails one receives from
    supposedly reputable financial institutions.

    For example, I received an email purporting to be from American Express;
    one of the links in it was of the form that showed
    https://www.americanexpress.com/messagecenter,
    however it actually pointed to
    http://www65.americanexpress.com/clicktrk/Tracking ?mid=AnIdentifyingNumber&msrc=ENG-YES&url=https:// www.americanexpress.com/messagecenter

    i.e. it purported to be a secure link, but actually was not.
    It piped the request through another (insecure) URL.

    I sent it on to American Express's phishing people, and got only an
    automatic reply.

    Finally I phoned American Express Customer service who assured me that it was real,
    on the basis that they did actually send out emails like that. (!!!!)

    It showed all the hallmarks of a phishing email, and yet ultimately was genuine.

    How I am ever going to explain to Aunt Mary what signs to look out for
    in phishing emails, while the real financial institutions send out
    stuff like this, I don't know.

    You're right, it is a Herculean task.
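The mismatch described in the comment above (visible link text that claims an https destination while the real href is a plain-http click-tracking redirector wrapping the https URL) is easy to detect mechanically, which is useful both for a mail gateway and for showing a non-technical user what "look at where the link actually goes" means. The following is an added example, not code from the thread or from any mail product; the sample email and the `example-bank.test` domain are constructed, and `audit_links` is a hypothetical helper name.

```python
"""Flag anchors in an HTML email whose visible text claims one destination
but whose href goes somewhere else, or whose href is a redirector that
carries another URL in its query string.

Added example: the sample email below is constructed for illustration and
the domains are placeholders, not any real institution's mailing."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # HTMLParser already unescapes &amp; in attribute values
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _looks_like_url(text):
    """True when the link's visible text is itself written as a URL."""
    return text.startswith(("http://", "https://", "www."))


def audit_links(html):
    """Return a list of (href, visible_text, finding) for suspicious anchors.

    Three checks, all derived from the pattern in the comment:
      1. the host shown in the text differs from the host in the href;
      2. the text claims https but the href is plain http;
      3. the href's query string carries another URL (a redirector)."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        real = urlparse(href)
        if _looks_like_url(text):
            shown = urlparse(text if "://" in text else "http://" + text)
            if shown.hostname != real.hostname:
                findings.append((href, text, "display text host differs from href host"))
            if shown.scheme == "https" and real.scheme == "http":
                findings.append((href, text, "text claims https but href is plain http"))
        # Redirector check: any query parameter whose value is itself a URL.
        for values in parse_qs(real.query).values():
            for value in values:
                if value.startswith(("http://", "https://")):
                    findings.append((href, text, "href is a redirector wrapping " + value))
    return findings


# Constructed sample: one tracking-redirector link of the kind the comment
# describes, plus one ordinary link that should pass cleanly.
SAMPLE_EMAIL = """<html><body>
<p>View your statement:
<a href="http://www65.example-bank.test/clicktrk/Tracking?mid=1234&amp;url=https://www.example-bank.test/messagecenter">https://www.example-bank.test/messagecenter</a></p>
<p>Questions? <a href="https://www.example-bank.test/help">Contact us</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, text, finding in audit_links(SAMPLE_EMAIL):
        print(f"{finding}\n  text: {text}\n  href: {href}")
```

Run against the sample, all three findings fire on the first anchor and none on the second. The caveat is the one the comment makes: a genuine mailing that routes through a tracking host trips exactly the same checks as a phishing mail, so this is a triage signal for a gateway or a teaching aid, not a verdict on its own.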