Slashdot Mirror

← Back to Stories (view on slashdot.org)

Phishing Steals Spotlight at MIT Conference

Posted by ryuzaki0 on from the beware-of-pork dept.

Bob Brown writes "Companies are coping with spam, but phishing is another matter altogether, according to researchers at the annual MIT Spam Conference this week. From the article: "The response rate for phishing e-mails is much higher than for spam, says Paul Judge, CTO of messaging security maker CipherTrust. So while spammers have to send more and more unsolicited e-mail these days, as anti-spam filters get better at identifying and blocking spam, phishing attacks are well enough disguised that a higher percentage get through such filters, and more recipients click on them, he says."

5 of 74 comments (clear)

  1. Uh, duh? by Siberwulf · · Score: 4, Insightful

    The response rate for phishing e-mails is much higher than for spam, says Paul Judge, CTO of messaging security maker CipherTrust.

    Gee, I wonder why...

    Which would you click on? (Under the assumption you're a BoA customer)

    Cl1ck H33RE F0R S|0ft V1A_GR_A!!!!!

    or

    Click here to update your account information.

    Its a matter of logic. You can expect people to fall for things that look legitimate, not the things that just look utterly retarded, like most spam these days.

    1. Re:Uh, duh? by BACPro · · Score: 3, Insightful

      Other than the obvious differences pointed out by the PP, I always click the phishing emails and seed them with false data.

      The value of the database must go down where there is invalid info in it...

  2. Phishing is no joke... by random_amber · · Score: 3, Insightful

    Especially if they catch you off guard. I consider myself as savvy as most on /. but even I've done double-takes on some of the better phishing schemes...esp when they catch me at a particularly hectic moment AND the email comes from some place I had been dealing with that very day.

    I've never fallen for one obviously, but just the fact I have to stop and check things out for Kosherability shows how insidious phishing has become. There is just no way someone like my wife who is just savvy enough to browse the web and read email could spot the difference (which is why i severely restrict her browsing/email habits, but not every newbie is so lucky to have the surf-nazi on their back!)

    There is a LOT of potential here for the unscrupulous. I don't even think phishing has even remotely reached its peak yet.

    Random_Amber

  3. We simply aren't doing enough to stop phishing by StevenMaurer · · Score: 4, Insightful
    Sure, phishers are more clever than spammers. There's more money involved, so it attracts organized crime. Still, there are some pretty basic things both Mozilla Thunderbird and MS could do to combat the problem:
    1. Bring up a warning dialog whenever you click on an email link whose body goes to a different domain than the text.
    2. Make that warning dialog in large RED LETTERS talking about the likelihood that it is a SCAM - if the referenced text is formatted like a hyperlink and points to a different address
    3. Hardcode in the top 100 sites subject to phishing, with a comparative of the hypertext links to known addresses. References to the site name in the text will cause the email client to check all embedded hyperlinks against their official published versions
    4. Set up a cooperative site for email clients that have direct internet access to automatically check against w/o hardcoding.

    Phishing is easier than spam to combat because it is constrained by the requirement to look authentic. And that can be used to virtually eliminate it.
  4. Companies could do more to prevent phishing by lorcha · · Score: 5, Insightful
    You have to admit that the companies themselves are making it as difficult as possible to spot phishing. For instance, look at the Citibank valid list of URLs:

    1. web.da-us.citibank.com
    2. www.citi.com
    3. www.citibank.com
    4. www.myciti.com
    5. www.citibankonline.com
    6. www.citibank.com/us/cards
    7. www.accountonline.com
    8. www.citicards.com
    9. www.thankyouredemptions.com
    10. www.studentloan.com
    11. studentloan.citibank.com
    12. citibusinessonline.di-us.citibank.com
    13. citibusinessonline.com
    14. citibusiness.com
    15. www.citimortgage.com
    16. www2.citimortgage.com
    17. www.smithbarney.com
    18. www.benefitaccess.com

    Well, excuse me if I can't keep all your fscking domains straight, Citibank! How am I supposed to spot a phishing attack when you have 18 URLs on your list of valid ones? I think you could do a lot to help folks spot phishing emails if you would restrict yourself to your citibank.com domain. Then folks could remember, "You want citibank? Go to citibank.com."

    --
    "Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent