Why Phishing Works
h0neyp0t writes "Harvard and Berkeley have released a study that shows why phishing attacks work (pdf). When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators. The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate. This study is brought to you by the people who developed the security skins Firefox extension."
Phishing works because people don't understand (nor do they want to) the basics of the technology they use (example: Jerry Taylor).
This guy's the limit!
It works because it plays on the concept that seeing is believing; and most people will trust their eyes over their minds any day of the week.
The world according to SComps
Humanity is doomed.
John
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
People are stupid. Total knuckle biters. Every one of them.
...
That is all
Think of the average internet user. I'm surprised that 77% are actually looking at more than just the content. It's probably because the media has made a big thing about it (as they should).
"There's a sucker born every minute." Listen, we can put an evil Devil's face on the browser, along with flashing neon lights and big signs that say "WARNING: This site is suspicious", and a gloved hand that comes out of the monitor and slaps the user silly, and you know what? People will still fall for these scams! It's not people like you and me that are the targets of phishing. Ask your grandmother what a URL is, and (with some exceptions, of course) you'll get a blank stare. Heck, ask the cute cocktail waitress at your local bar, and you'll get the same response (and I wonder why I can't get a date...). That's what we're up against.
Don't get me wrong, I applaud these researchers and all other approaches to making the web a safer place, but in the end, at some point you have to trust that the user is going to take responsibility for their actions. The best we can do is bring the percentages down. The problem is that it is so cheap to set up a phishing web site that even if only one in several thousand potential targets falls for it, that's usually enough to ensure a profit.
My guitar chord generator.
To disrupt or completely stop this from happening is currently an impossible Herculean task.
Even netting one person can result in thousands of dollars worth of damages. If one in every one million phishing attempts works, of course they'll keep doing it.
My work here is dung.
I've been proposing for a long time that the "Yes/No/Cancel" type dialog boxes should simply be replaced with a single "Whatever" button, as users NEVER read what the dialog box says.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
People fall for phishing because:
- Most are not tech savvy, and have no idea the difference between http and https, don't look at the links they click on, and can't tell a spoofed URL from a real one on sight.
- Most people are pretty gullible. They believe what they're told, whether by a newscaster, the President, scientists, or the glowing pixels of a web page. Critical reasoning skills are lacking.
- Most people are pretty stupid. They get an email purportedly from their bank telling them they need to update their information for security purposes or have lost their bank account number, or something equally unlikely, and don't question it. They don't call their local bank branch to verify it, they simply click.
- Most people believe the Internet is infallible. They think every person who has a blog or web page knows what they are talking about. They think if a page looks a little like what they normally see when they bank online, that it's the same thing, even though the URLs to the links are all wrong.
You can't protect people from themselves, although our Congress tries to do this every day by passing inane laws that protect no one but the large corporations and billionaires. People who go online will continue to be duped as long as no concerted effort is made to educate them. Cue the PSAs.
GetOuttaMySpace - The Anti-Social Network
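The first bullet above says most people "can't tell a spoofed URL from a real one on sight", and the summary notes that users judge by page content rather than the address bar. The check a browser (or a mail filter) can do mechanically is simple: look at the host the link actually resolves to, not at the text it displays. The following is an added example, not code from the thread or from the cited study; `bank.example`, `login-verify.test` and the sample email are constructed placeholders, and `classify_link` / `audit_email_links` are names chosen here. It goes slightly beyond the comment by also catching links whose visible text is a URL that disagrees with the real `href`.

```python
"""Added example: decide where a link really leads, independent of how it looks.

Not part of the original discussion. Domains and the sample email below are
constructed for illustration only.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def effective_host(url: str) -> str:
    """Host the browser would actually connect to.

    urlsplit().hostname drops any user@ prefix and :port, and lowercases,
    so "https://www.bank.example@attacker.test/" yields "attacker.test".
    """
    return urlsplit(url).hostname or ""


def host_belongs_to(host: str, expected_domain: str) -> bool:
    """True if host is expected_domain or a subdomain of it.

    The comparison is on whole DNS labels, so "bank-example.test" and
    "www.bank.example.login-verify.test" do not match "bank.example".
    """
    host = host.lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def classify_link(url: str, expected_domain: str) -> str:
    """Return one of: "no-host", "foreign-host", "right-host-no-tls", "ok"."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return "no-host"
    if not host_belongs_to(host, expected_domain):
        return "foreign-host"
    if parts.scheme.lower() != "https":
        return "right-host-no-tls"
    return "ok"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[list[str]] = []  # each entry is [href, text]
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_anchor = True
            self.links.append([dict(attrs).get("href") or "", ""])

    def handle_data(self, data):
        if self._in_anchor and self.links:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False


def audit_email_links(html: str, expected_domain: str):
    """For each link: (href, visible text, verdict, text/href host mismatch).

    The mismatch flag is the classic phishing tell: the link *reads* as the
    bank's URL but its href points somewhere else entirely.
    """
    parser = _LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        text = text.strip()
        verdict = classify_link(href, expected_domain)
        shown_host = effective_host(text) if "://" in text else ""
        mismatch = bool(shown_host) and shown_host != effective_host(href)
        report.append((href, text, verdict, mismatch))
    return report


# Constructed sample: one deceptive link, one genuine link.
SAMPLE_EMAIL = """
<p>Please <a href="https://www.bank.example@login-verify.test/">https://www.bank.example/</a>
to update your information, or visit <a href="https://www.bank.example/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    for href, text, verdict, mismatch in audit_email_links(SAMPLE_EMAIL, "bank.example"):
        flag = " (visible text disagrees with href)" if mismatch else ""
        print(f"{verdict:18} {href}{flag}")
```

The check is deliberately against a known expected domain rather than a reputation list: it answers "is this really my bank?", which is the question the comment says users cannot answer by eye. Note that `effective_host` is what defeats the `user@host` trick and the long lookalike subdomain; a visual comparison of the string would pass both.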
I remember the one time I almost thought that I fell for a phishing scam.
I got an email saying that my student loan company needed some more information to give me the loan. I had to log into their website to check out what exactly it was and what I needed to send in.
I just clicked the link in the email and typed my login information (of which the username is my SSN) and got a message to the effect of 'password incorrect, please try again.'
I did this two or three times with some of the different passwords that I usually use...and then I thought about it.
Oh fuck! The address bar said 'www.terri.org' and my bank was Chase. I freaked out, thinking that I'd fallen for it...
Turns out terri is the company that processes the loan or whatever and I had just mistyped the password. But I reminded myself to not be so trusting on the internet, and always re-type the site in for things like that...
If you want to see how gullible or just plain stupid people are, check out the story in my Journal titled 'Renowned psychiatrist bilked by Nigerian scam'. It was rejected by the editors so I plunked it in my Journal.
Even after the guy knew it was a scam and promised his son he wouldn't send any more money, he still did it anyway!
Maybe a bit different than a phishing scam but along the same lines.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
For Anti-Phishing to work it needs a UI with support right down into the SSL layer.
Currently it's next to impossible to differentiate things on the web. It's the great equalizer, and as we are finding, it makes things *too* equal. You are on equal footing with a bank when trying to convince people to enter financial information. We need a bit more structure, a few more checks and balances.
set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
I always encourage others to 'go on the offensive' and help pollute phishers' databases with the awesome site: PhishFighting.com. Set a few tabs open to fill the phisher's database with useless data, check back later and see the site is offline (likely from the attention garnered from all the bandwidth usage!)
As bosses would say "It's a win-win!"
fak3r.com
I think this is the funniest thing I have read in a long time. As a software developer for a largely computer illiterate user base, I have found that users try to get rid of dialog boxes as fast as possible, without ever reading the text. The longer the text (say over 8 words), the less likely they are to read it. Often they will always press 'yes' or always press 'no' until after a few tries they don't get the response they thought and try a different button.
I try to ask as few questions as possible. Users often don't want options, just action, and the ability to undo the action after it has happened.
It is dangerous to be right on a subject on which the established authorities are wrong. - Voltaire
In my experience, people will spend hours agonizing over little message boxes that have only an "OK" button. Seriously. People that won't read a Yes/No/Cancel will spend 15 minutes reading and re-reading the 7 words in the box that has only one option...
When I ask why, they always respond that they're not sure what to do.
When presented with a Yes/No/Cancel with 3 sentences in it, they just press enter without reading, because it's either too complicated or because it doesn't seem important. (It's just a popup box that asks a question I don't understand... but if I hit enter it goes away and I don't have to decide).
Incidentally, I partially blame all those InstallShield things that have the front screen with 3 paragraphs of text and a next button when there's really no meaningful information on the page, and nothing to do except click next to start installing the program (or cancel if you ran the installer by mistake).
From the UI side, however, I think that while OK boxes and Yes/No boxes are great, I think that OK/Cancel and Yes/No/Cancel boxes are heavily overused... If you want to ask a question where Yes/No isn't the answer, you should probably roll your own so that the buttons can be *descriptive*
Users HATE dialog boxes. I don't know who thought modal dialog boxes for everything were a bright idea.
The solution for that is to always make a "safe" choice by default, and then allow the user to change the choice with a nonmodal, nonblocking dialog.
If the user does not want to change anything, no action is required.
Like in Firefox: "this site requires additional addons, click here to install them" displayed on top of the page (and not in a dialog box).