Why Phishing Works

h0neyp0t writes "Harvard and Berkeley have released a study that shows why phishing attacks work (pdf). When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators. The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate. This study is brought to you by the people who developed the security skins Firefox extension."

Short answer

[gEvil+(beta)]

Phishing works because people don't understand (nor do they want to) the basics of the technology they use (example: Jerry Taylor).

Re:Short answer

[plover]

In the paper, one guy was very paranoid. He opened a second browser window, and typed the site name by hand, and did comparisons. Even he got one wrong. Phishing is a very, very hard problem to solve.

In the end, people may end up needing strong authentication tokens. When you go to the bank, you'll present your token so they know it's you. When you sign up for a new account, you'll get that account added to your token. And, when you hit a phishing web site, your token will light up and say "UNKNOWN WEB SITE".

And it could work both ways. If you use an ATM in a seedy bar, you could even ask your token to identify the legitimacy of the ATM.

The disadvantage, of course, is either a plethora of tokens (one per account) or every Tom, Dick and Harry shop wanting to use your token for marketing and tracking purposes.

Re:Short answer

[Sigma+7]

Phishing works because people don't understand (nor do they want to) the basics of the technology they use (example: Jerry Taylor).

I'd agree on the concept, but the actual cause is different. The actual reason is because people believe that the word gullible is not in the dictionary.

Recently, there was an "employment agency" that sent out paper forms to applicants which were to be filled out and mailed in with a $20 cheque for a processing fee. The forms included sections for the Social Insurance Number, Driver's License number, DOB, mother's Maiden name, and other information not normally used by employers.

Their intent was to obtain credit cards from banks with the applicant's personal information - hence, they used four different company names. The good news was that they were raided.

Re:Short answer

[daveewart]

In the paper, one guy was very paranoid. He opened a second browser window, and typed the site name by hand, and did comparisons. Even he got one wrong. Phishing is a very, very hard problem to solve.

I think the point is that, since you can copy verbatim the HTML of a web site, it is trivial to create an identical copy of any site. So, trying to look for similarities and differences between the sites is a pointless exercise.

The real way to avoid being stung by phishing scams is to know that emails from anyone asking for personal or private information, passwords, credit card numbers etc. are almost certainly fake.

Re:Short answer

[rainman_bc]

What else did you expect? She'd been told that she had to do all her homework, and believed it.

Way OT now, but when I was in high school, an A was 86%, and in math and most sciences, homework counted for 10% of my grade. I was so cocky I was able to still get an A without doing any homework.

Fucked me up in University though haha...

Re:Short answer

One of the major problems with these things is there is a lot of assumption from the "computer expert" community that the people around them are savvy enough not to fall for these tricks.

Back in 1993, when my parents first got us an AOL account, I encountered IM phishers rather quickly. I didn't know what to do - they were saying there was a problem with the account, and they needed the password. I didn't know my password - my parents typed it in for me to regulate my time on the Internet. I semi-freaked out and called my mom in. And she of course didn't know any better, either, and she gave out my account's password.

We had been hooked.

Luckily, my account was not the primary account (or even a master account), and they couldn't get any billing information over the phone or anything else.

Of course, all of this was 13 years ago, before phishing was a major issue, and certainly before the sophistication of today had arisen. But the point is that there is a certain assumption that everyone who gains access to the Internet is instantly tech-savvy when that's not the case.

Slashdot people need to educate other people about being safe on the Internet, and not just on Slashdot or on forums. You need to explain to your parents, to your siblings, your friends, your co-workers - you can not assume they know anything about password security, file permissions, or any of the other "web basics." You must drill them on it constantly, ask them if they've received anything suspicious lately, send them as many (valid) warnings about viruses and phishing attempts as you can.

You have to tell the people who trust you to trust what you say, and make no exceptions. That's the only way to prevent this sort of security: stop it among the people you can get to listen to you. Educate them, and tell them to educate other people. Security needs to be passed around like a meme.

Re:Short answer

[rmstar]

My favorite passage was the one describing how users can be fooled because they do not understand the domain name system, and thus think that, for instance www.ebay-security-users.com and www.ebay.com belong to the same hierarchy. Another similar one is the one where users fail to realize that a lock icon in the "chrome part" of the browser is somehow different from the same lock icon inside of the web page.

Phishers encounter an incredibly favorable ecosystem out there, with a high density of ignorant fools with credit cards, many of them quite ready to shell out money for herbal viagra, or to help the niece of Charles Taylor get her fortune out of Nepal. No wonder phishers strive like this.

(Yeah, I know it's not Nepal)

Social engineering anyone?

[SComps]

It works because it plays on the concept that seeing is believing; and most people will trust their eyes over their minds any day of the week.

And this might be optimistic

[plover]

The paper hints that the people selected for the study may not adequately represent the web-surfing public -- they may be "above average".

Humanity is doomed.

Not surprising

[op12]

Think of the average internet user. I'm surprised that 77% are actually looking at more than just the content. It's probably because the media has made a big thing about it (as they should).

It's like P.T. Barnum said,

[TheCoders]

"There's a sucker born every minute." Listen, we can put an evil Devil's face on the browser, along with flashing neon lights and big signs that say "WARNING: This site is suspicious", and a gloved hand that comes out of the monitor and slaps the user silly, and you know what? People will still fall for these scams! It's not people like you and me that are the targets of phishing. Ask your grandmother what a URL is, and (with some exceptions, of course) you'll get a blank stare. Heck, ask the cute cocktail waitress at your local bar, and you'll get the same response (and I wonder why I can't get a date...). That's what we're up against.

Don't get me wrong, I applaud these researchers and all other approaches to making the web a safer place, but in the end, at some point you have to trust that the user is going to take resposibility for their actions. The best we can do is bring the percentages down. The problem is it is so cheap to set up a phishing web site, that even if only one in several thousand potential targets fall for it, that's usually enough to ensure a profit.

I don't know which upsets me more...

[Spy+der+Mann]

the phishers or the idiots who follow them.

common sense, people!

[Geek_3.3]

When the suspect site, for arguement's sake let us say it was a credit card scam (since i had one of those a couple of days ago) asks for EVERYTHING--card #, PIN, security code, mother's maiden name, login name, and LOGIN PASSWORD, alarm bells should go off in your head. Also, it is highly unlikely that someone is going to give you a carrot on the end of a stick(in this case, $20 for a simple 3 question blurb about how the site was running or some bs like that) without a big catch involved. The obvious catch being that IT'S A SCAM.

Geez, i would feel sorry for these duped people, but it's getting harder and harder to.

It's Always Going to Work

[eldavojohn]

Why Phishing Works

Phishing will always work. The intelligence and cautiousness of the population who use the internet is represented by some form of a normal curve. On the far left, a line falls for those users who will (out of innocence or ignorance) 'bite' on a phishing site. Thanks to e-mail, it is increasingly easier for phishermen (and phisherwomen) to select a random sample from this normal curve and those that fall to the left of the threshold will invariably become victims.

To disrupt or completely stop this from happening is currently an impossible Herculean task.

Even netting one person can result in thousands of dollars worth of damages. If one in every one million phishing works, of course they'll keep doing it.

Why phishing works

[taustin]

It works because a lot of people are idiots.

Including the ones who needed to do a study to figure that out.

Re:Why phishing works

[Tux2000]

It works because a lot of people are idiots.

Not idiots, but ignorant people who don't care and don't want to know how the technology works that they use.

Tux2000

Re:Why phishing works

[deadlinegrunt]

Otherwise known as "idiots."

I mean, really. If you fall into that category, what distinguishes you from a monkey pressing a lever?


On a long enough timeline of exposure to different situations in life we are all idiots by your criteria, instead of just being ignorant of a particular situation. Idiot has a connotation of being mentally retarded and unable to improve where being ignorant is a lack of education or knowledge.

I would not call you an idiot for being unable to descern the two terms; just ignorant - if you can't grasp this after the knowledge parted with you then you may well be an idiot. Hope this helps!

The problem goes right down to the SSL layer

[egarland]

This is a post I wrote in response to the phishing site with a valid SSL cert. I'll highlight the appropriate portion for this discussion.

SSL Certificates don't have to be signed. You can create X509 self signed certs no problem. Web browsers just don't like them and pop up all kinds of warnings.

They should tier SSL certs and make the higher level ones more difficult and time consuming to get:
0 None
1 Self Signed
2 Small business
3 Mid-sized business
4 Large business
5 Financial Institution

Browsers should display a lock with a number explaining what encryption a site used (even when none is used) and could explain the rank when the icon is moused over. Then people always would have a place to look to check the rank before deciding if they should punch information in.

The original SSL design was a good first step but it is definitely showing it's age today.

For Anti-Phishing to work it needs a UI with support right down into the SSL layer.

Currently it's next to impossible to diferentiate things on the web. It's the great equalizer, and as we are finding, it makes things *too* equal. You are on equal footing with a bank when trying to convince people to enter finantial information. We need a bit more structure, a few more checks and balances.

Nonsense

[rbowles]

Con-artists are older than recorded time. Snake-oil salesmen, crooked used-car lots, (snail) mail scams and their ilk are likely at least as prevalent even in our quasi-"Information Age".

How many educated people have bought a lemon? I've known otherwise educated, extremely intelligent college-educated (students and grads alike) who've done this. Perhaps everyone should be fully educated about the hazards of auto-buying, phishing web-sites and maybe get a medical degree for proper evaluation of physicians while they're at it.

The answer is not pamphlets and FAQs. If anything these "easy answers" only propogate the problem of people being too damn trusting. Seek your own understanding.

Re:Nonsense

[bckrispi]

The con artist is the same, but the scale is increased by an order of magnitude. If you wanted to find your mark through mail, you'd have the expense of postage and print materials. Plus the problem that once the scam is noticed, it's usually easy to trace. If you are a shady car salesman, you only have so many hours in the day to give your spiel. That, and you can usually only scam one person at a time.

Phishing is a whole new level. Crooks have instant access to *millions* of targets. Email is free. Bandwidth is cheap (or free, if you have a zombie mailing for you. And it's easy to register at offshore hosting providers, making the odds of ever being prosecuted minimal.

Take this with the knowledge that most people believe *everything* they hear on the internet if the source sounds authentic enough. I can't count the number 'urban legend' emails I get every week from friends that have been forwarded dozens of times to hundreds of people.

I fear that we have entered an "International Golden age of Fraud". It isn't going to go away.

Re:DRTFA

..and because most banks and such organizations still don't make any effort to authenticate their emails. That would go a long way towards making people more suspicious towards emails without a little key icon in the mailreader, asking them for their firstborn in exchange for continued onlinebanking availablity or such..

I don't get it, it's well inside major organization's capabilities to push for easily usable GPG or S/MIME support in email clients and webmail interfaces, yet they don't seem to be interested. Are they actually interested in having their customers spammed?

Re:I thought I did once...

[jafiwam]

Your experience is not just a failure of attention to detail of the user.

It's a complete failure of the financial institution to realize they are creating situations where it is incredibly easy to teach bad habits.

They should not be sending emails with links in them at all. (Better yet, no emails not already contained in the online banking web site where the user is already logged in.)

So a HUGE portion of this problem is there _are_ legit emails that go out where there should be NONE.

It's a little like teaching your cute little 14 year old girl with the budding boobies that all guys really do love and respect them and are all christians and tell the truth especially if they are 40 or older and have their own van. Yeah it may be true most of the time but the concequences sure are high.

A little paranoia is a GOOD THING.

A bank expecting the average user to differentiate between good emails and bad emails is just stupid, stupid, stupid. They should KNOW better. There should be flat laws against it and the problem would go away overnight.

Re:The Blind Squirrel

[SdnSeraphim]

I think this is the funniest thing I have read in a long time. As a software developer for a largely computer illiterate user base, I have found that users try to get rid of dialog boxes as fast as possible, without ever reading the text. The longer the text (say over 8 words), the less likely they are to read it. Often they will always press 'yes' or always press 'no' until after a few tries they don't get the response they thought and try a different button.

I try to ask as few questions as possible. Users often don't want options, just action, and the ability to undo the action after it has happened.

Re:The Blind Squirrel

[Fareq]

In my experience, people will spend hours agonizing over little message boxes that have only an "OK" button. Seriously. People that won't read a Yes/No/Cancel will spend 15 minutes reading and re-reading the 7 words in the box that has only one option...

When I ask why, they always respond that they're not sure what to do.

When presented with a Yes/No/Cancel with 3 sentences in it, they just press enter without reading, because it's either too complicated or because it doesn't seem important. (It's just a popup box that asks a question I don't understand... but if I hit enter it goes away and I don't have to decide).

Incidentally, I partially blame all those InstallShield things that have the front screen with 3 paragraphs of text and a next button when there's really no meaningful information on the page, and nothing to do except click next to start installing the program (or cancel if you ran the installer by mistake)

From the UI side, however, I think that while OK boxes and Yes/No boxes are great, I think that OK/Cancel and Yes/No/Cancel boxes are heavily overused... If you want to ask a question where Yes/No isn't the answer, you should probably roll your own so that the buttons can be *descriptive*

Re:In defense of the clueless

What if people bought cars like they do computers?

General Motors doesn't have a "help line" for people who don't know how to drive, because people don't buy cars like they buy computers -- but imagine if they did . . .

HELPLINE: "General Motors Helpline, how can I help you?"
CUSTOMER: "I got in my car and closed the door, and nothing happened!"
HELPLINE: "Did you put the key in the ignition slot and turn it?"
CUSTOMER: "What's an ignition?"
HELPLINE: "It's a starter motor that draws current from your battery and turns over the engine."
CUSTOMER: "Ignition? Motor? Battery? Engine? How come I have to know all of these technical terms just to use my car?"

HELPLINE: "General Motors Helpline, how can I help you?"
CUSTOMER: "My car ran fine for a week, and now it won't go anywhere!"
HELPLINE: "Is the gas tank empty?"
CUSTOMER: "Huh? How do I know?"
HELPLINE: "There's a little guage on the front panel, with a needle, and markings from 'E' to 'F.' Where is the needle pointing?"
CUSTOMER: "It's pointing to 'E.' What does that mean?"
HELPLINE: "It means that you have to visit a gasoline vendor, and purchase some more gasoline. You can install it yourself, or pay the vendor to install it for you."
CUSTOMER: "What!? I paid $12,000 for this car! Now you tell me that I have to keep buying more components? I want a car that comes with everything built in!"

HELPLINE: "General Motors Helpline, how can I help you?"
CUSTOMER: "Your car sucks!"
HELPLINE: "What's wrong?"
CUSTOMER: "It crashed, that's what went wrong!"
HELPLINE: "What were you doing?"
CUSTOMER: "I wanted to run faster, so I pushed the accelerator pedal all the way to the floor. It worked for a while, and then it crashed -- and now it won't start!"
HELPLINE: "It's your responsibility if you misuse the product. What do you expect us to do about it?"
CUSTOMER: "I want you to send me one of the latest versions that doesn't crash anymore!"

HELPLINE: "General Motors Helpline, how can I help you?"
CUSTOMER: "Hi! I just bought my first car, and I chose your car because it has automatic transmission, cruise control, power steering, power brakes, and power door locks."
HELPLINE: "Thanks for buying our car. How can I help you?"
CUSTOMER: "How do I work it?"
HELPLINE: "Do you know how to drive?"
CUSTOMER: "Do I know how to what?"
HELPLINE: "Do you know how to drive?"
CUSTOMER: "I'm not a technical person! I just want to go places in my car!"

Re:The Blind Squirrel

[F�an�ro]

users HATE dialog boxes. I don't know whoever thought modal dialog boxes for everything where a bright idea.

The solution for that is to always make a "save" choice per default, and then allow the user to change the choice with a nonmodal, nonblocking dialog.
If the user does not want to change anything, no action is required.

Like in firefox
"this site requires additional addons, click here to install them" displayed on top of the page (and not in a dialog box).