Slashdot Mirror

← Back to Stories (view on slashdot.org)

Phishing Steals Spotlight at MIT Conference

Posted by ryuzaki0 on from the beware-of-pork dept.

Bob Brown writes "Companies are coping with spam, but phishing is another matter altogether, according to researchers at the annual MIT Spam Conference this week. From the article: "The response rate for phishing e-mails is much higher than for spam, says Paul Judge, CTO of messaging security maker CipherTrust. So while spammers have to send more and more unsolicited e-mail these days, as anti-spam filters get better at identifying and blocking spam, phishing attacks are well enough disguised that a higher percentage get through such filters, and more recipients click on them, he says."

9 of 74 comments (clear)

  1. Phishing emails look legit by Nightspirit · · Score: 2, Interesting

    I keep getting chase banking emails, even though I don't have an account with chase.

    The emails say something to the effect of "bla bla, because of recent security issues, you have to reset your password or your account will be closed within 24 hours."

    The thing is, these emails I've been getting lately look professional and legit. If I was a grandma or ininformed parent I would have clicked on them and likely have my credit account wiped. The email address states "blabla@chase.com" and even the spoofing address looks legit.

    Don't know what we can do about it other than educate people to call their banks and confirm, log onto the banks real address, and not click on any address in an email.

  2. Re:Help stop them, by reporting them by The+Outbreak+Monkey · · Score: 4, Interesting

    Alternatively you can help stop them by flooding them with usless information by using this site: http://www.phishfighting.com/. Check it out. It is bad ass.

  3. Re:Uh, duh? by RajivSLK · · Score: 2, Interesting

    The purpose of a well crafted spam email is to market something or convey a message. Our filters are getting pretty good at indentifying this kind of thing. But the whole point of a phising email is to look as much as possible like a legitimate peice of mail. That's the scam and it's fooling the filters too.

  4. Fear is more effective the greed by imkonen · · Score: 3, Interesting

    I've gotten a few phishing emails, and man...when they guess a bank/credit card I actually use, my heart just jumps. I mean...I'm aware of phishing, and I know how to safely confirm whether the email is legit or not if I can't tell by looking at it, but there's always that second or two of real panic when I read the part about "problem with my account" and worry that it could be real. Spam I can safely ignore: even if some spam offers are legitamately good deals, they're still mostly just trying to sell me things I don't need to buy. I can safely ignore a regular spam and not worry I'm going to regret it later. But I can't do that if the message says my bank account has a problem. I have to deal with it right then and there...even if dealing with it just means proving to myself the email is bogus. So putting myself in the shoes of a less internet savy type who may not have heard of "phishing", I'm not the least bit surprised phishing emails get more hits.

  5. Re:Why not cryptographically authenticate e-mail? by jonniesmokes · · Score: 2, Interesting

    Obviously, this is where email as a whole is headed. In fact all IP services should eventually be encrypted. The government won't like it because it'll be harder to eavesdrop, but its the only solution to the problem.

    I'm surprised that Microsoft didn't lead the pack with a feature in MS Outlook, and work directly with all the certificate issuers or even directly with the financial companies. But maybe they were under pressure from Washington, DC not to implement encrypted email. If they had done it, it'd be a pretty compelling feature. Redmond, are you listening? Google, are you working on this? Yahoo, want to steal my heart?

    The weak point is the mail client. Hotmail, gmail, and yahoo could be changed fairly simply, but getting everyone to configure their Thunderbird, Outlook and others would be a bit of work. In order to avoid spoofed financial identities, the best would be for all clients of financial institutions to have a financial public key they only give out to banks and such. That way even if you get an email from Ch4s3 B4nK, with a valid looking certificate, you aren't fooled into thinking you have done business with them. Because only the real Chase Bank would have your financial public key. There are still exploits and there will always be, but what we have right now is completely unprotected.

    Having a high fidelity database of public keys from your financial institutions would also accomplish the above, but its hard not to be fooled from a look-alike bank. I want to avoid relying too much on any certificate company's honesty. A semi-private financial public key would accomplish a lot - sort of like giving out a unique email to your bank so that they know to send you email only at that address - but its better when you can keep it secret.

  6. Newsflash: people are stupid by mabu · · Score: 2, Interesting

    The phishing scam works because people are stupid. There is no amount of technology you can employ to save an idiot from himself. This is the sad reality.

    The best way to deal with this is to promote a healthy dose of cynacism amongst the populace.

    Well, another way is to force ISPs to filter port 25 traffic on broadband and eliminate the value of zombie PCs being part of the scam network.

  7. My first phishing experience... by antdude · · Score: 2, Interesting

    It was related to my Yahoo! account. It was like 3:30 AM in the morning and I was half asleep. A friend of mine IM'ed me to check out his Web site. It took me to some Yahoo! looking site. Stupid me wasn't paying attention to the URL and stuff. It required me to log in like Yahoo! always does. So I did and it didn't work. I tried again. Then, I got disconnected from Yahoo! Messenger. I couldn't log back in. At first, I thought it was just a mainteance time.

    In the day time, I tried to connect, but failed. Then, it hit me. I got TRICKED! Damn social engineering. I also found out my other friends got the same IMs from my friend and me. Damn phishers.

    So pay attention even if you're super tired. They're getting you at your weakness! Good thing this account was only for IM and Launch.com.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  8. Re:Why not cryptographically authenticate e-mail? by Jim+Fenton · · Score: 2, Interesting

    The biggest problem with the classic signature systems (e.g., PGP, S/MIME) is that they don't have quite the right key management model. Anyone can create a PGP key with any mail address they want, and sign messages. Similarly, anyone can get a certificate for an email address they have (perhaps an employer), but when they leave the company, does the certificate get revoked? No; the employer may not even know of its existence.

    Signature schemes designed for this purpose, like DKIM, are actually a signature from the domain owner, not the author. While the domain owner may delegate a signing key to an individual in certain cases, they retain the ability to revoke the key at any time.

  9. Re:Why not cryptographically authenticate e-mail? by grahammm · · Score: 2, Interesting

    Yet the banks and other institutions could send their key signature/digest, by snail mail, as part of the account opening process. Or even have it either on display or available on CD from the branches. That way the user could be confident of the key used to sign the email.