Slashdot Mirror


Phishing Steals Spotlight at MIT Conference

Bob Brown writes "Companies are coping with spam, but phishing is another matter altogether, according to researchers at the annual MIT Spam Conference this week. From the article: "The response rate for phishing e-mails is much higher than for spam, says Paul Judge, CTO of messaging security maker CipherTrust. So while spammers have to send more and more unsolicited e-mail these days, as anti-spam filters get better at identifying and blocking spam, phishing attacks are well enough disguised that a higher percentage get through such filters, and more recipients click on them, he says."

8 of 74 comments

  1. Uh, duh? by Siberwulf · · Score: 4, Insightful

    The response rate for phishing e-mails is much higher than for spam, says Paul Judge, CTO of messaging security maker CipherTrust.

    Gee, I wonder why...

    Which would you click on? (Under the assumption you're a BoA customer)

    Cl1ck H33RE F0R S|0ft V1A_GR_A!!!!!

    or

    Click here to update your account information.

    It's a matter of logic. You can expect people to fall for things that look legitimate, not the things that just look utterly retarded, like most spam these days.

  2. Geez. Will it never end? by BigZaphod · · Score: 4, Funny

    First phishing steals identities and now it's stealing spotlights, too? And not just any spotlights, either - but MIT spotlights! This has got to stop...

  3. Help stop them, by reporting them by WyrdOne · · Score: 5, Informative

    http://reportphish.org/

    Also, those of you who use GMail, there is a "Report Phishing" option under "More Options"

    1. Re:Help stop them, by reporting them by The+Outbreak+Monkey · · Score: 4, Interesting

      Alternatively you can help stop them by flooding them with useless information by using this site: http://www.phishfighting.com/. Check it out. It is bad ass.

  4. Temporary e-mail by Dekortage · · Score: 4, Informative

    From the article: Among these were a proposal to improve Bayesian filter accuracy, a system for generating temporary e-mail addresses so that a person's preferred address doesn't have to be given out, spam filters based on adaptive neural networks, a new message-verification platform. (emphasis added)

    This is called "keyed e-mail". I have used a keyed email system from Zoemail in the past and it works very, very well for this purpose. There is some extra time required for managing the keys, but the idea works great for me. (and no I do not work for them... I just think the technology works.)

    --
    $nice = $webHosting + $domainNames + $sslCerts

  5. Why not cryptographically authenticate e-mail? by fortinbras47 · · Score: 4, Informative

    The technology is there (PGP etc., etc.) but as far as I can tell, hardly anyone besides comp security lists use it.

    If you visit a website and initiate an SSL session, the public-private key cryptography (along with the public root certificates embedded in your browser) will verify that the website you're visiting is really who they say they are. (Or at least that Verisign thinks they are legit.)

    I don't see why companies don't make a similar effort to cryptographically authenticate their e-mail. People use PGP for security advisories etc., but I don't understand why all e-mail coming from my bank, coming from Paypal etc. shouldn't be signed.

    If there was a portion of your e-mail window at the bottom right hand of your screen that said stuff like:
    "This is an authentic e-mail from BankOfBlanBlah signed on 3/31/06 at 3:52PM" or "This is an unsigned e-mail. It is possible that this e-mail is fraudulent." or "This e-mail has an incorrect signature. It is highly possible that its contents are fraudulent."

    My rough guess is that e-mail authentication isn't done because (1) programmers are lazy and sending plain text is easier to program and (2) the way you do e-mail auth in e-mail clients is all different and a huge mess from a usability standpoint.

    It might put at least a dent in some of this phishing stuff if people expected all e-mail from e-bay, paypal, their bank, amazon etc... to be signed.

  6. We simply aren't doing enough to stop phishing by StevenMaurer · · Score: 4, Insightful

    Sure, phishers are more clever than spammers. There's more money involved, so it attracts organized crime. Still, there are some pretty basic things both Mozilla Thunderbird and MS could do to combat the problem:
    1. Bring up a warning dialog whenever you click on an email link whose body goes to a different domain than the text.
    2. Make that warning dialog in large RED LETTERS talking about the likelihood that it is a SCAM - if the referenced text is formatted like a hyperlink and points to a different address.
    3. Hardcode in the top 100 sites subject to phishing, with a comparative of the hypertext links to known addresses. References to the site name in the text will cause the email client to check all embedded hyperlinks against their official published versions.
    4. Set up a cooperative site for email clients that have direct internet access to automatically check against w/o hardcoding.

    Phishing is easier than spam to combat because it is constrained by the requirement to look authentic. And that can be used to virtually eliminate it.
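
The link checks of steps 1 to 3 in the comment above, as an added example that is not part of the original post or of any mail client: it parses an HTML mail, flags anchors whose visible text names a different domain than the href, and, when a known brand is named in the body, flags links that leave that brand's published domains. The brand list (OFFICIAL_DOMAINS), the BankOfBlahBlah name and the sample mail are constructed assumptions, and comparing the last two labels is a crude stand-in for a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical published domain list per brand, constructed for this example.
OFFICIAL_DOMAINS = {"BankOfBlahBlah": {"bankofblahblah.example"}}
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

def _host(url):  # lower-case hostname of a URL or bare domain, None if it has none
    u = urlparse(url)
    h = (u if u.scheme else urlparse("http://" + url)).hostname
    return h.lower() if h else None

class _LinkCollector(HTMLParser):  # gathers (href, visible text) pairs and body text
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._anchor = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

def check_email(html):
    """Return ('mismatch', shown, target) and ('not-official', brand, target) warnings."""
    p = _LinkCollector(); p.feed(html)
    body = " ".join(p.text).lower()
    brands = [b for b in OFFICIAL_DOMAINS if b.lower() in body]  # step 3: brand named?
    warnings = []
    for href, text in p.links:
        target = _host(href)
        if not target: continue  # mailto:/javascript: links have no host to compare
        shown = _host(text) if URL_LIKE.match(text) else None  # text looks like a URL
        if shown and shown.split(".")[-2:] != target.split(".")[-2:]:  # steps 1/2
            warnings.append(("mismatch", shown, target))
        for b in brands:  # step 3: every link must stay inside the brand's domains
            if not any(target == d or target.endswith("." + d) for d in OFFICIAL_DOMAINS[b]):
                warnings.append(("not-official", b, target))
    return warnings

SAMPLE = (  # constructed: first link shows the bank's domain but goes elsewhere
    '<p>Dear BankOfBlahBlah customer, visit <a href="http://login.bankofblahblah'
    '.example.evil.test/">www.bankofblahblah.example</a> to update your account,'
    ' or read our <a href="https://www.bankofblahblah.example/help">help</a>.</p>')
```

Running `check_email(SAMPLE)` yields two warnings for the first link and none for the genuine help link.
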

  7. Companies could do more to prevent phishing by lorcha · · Score: 5, Insightful

    You have to admit that the companies themselves are making it as difficult as possible to spot phishing. For instance, look at the Citibank valid list of URLs:

    1. web.da-us.citibank.com
    2. www.citi.com
    3. www.citibank.com
    4. www.myciti.com
    5. www.citibankonline.com
    6. www.citibank.com/us/cards
    7. www.accountonline.com
    8. www.citicards.com
    9. www.thankyouredemptions.com
    10. www.studentloan.com
    11. studentloan.citibank.com
    12. citibusinessonline.di-us.citibank.com
    13. citibusinessonline.com
    14. citibusiness.com
    15. www.citimortgage.com
    16. www2.citimortgage.com
    17. www.smithbarney.com
    18. www.benefitaccess.com

    Well, excuse me if I can't keep all your fscking domains straight, Citibank! How am I supposed to spot a phishing attack when you have 18 URLs on your list of valid ones? I think you could do a lot to help folks spot phishing emails if you would restrict yourself to your citibank.com domain. Then folks could remember, "You want citibank? Go to citibank.com."

    --
    "Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent