Slashdot Mirror


People Suck at Spotting Phishing

JohnGrahamCumming writes "Initial results at SpamOrHam.org show that people don't fare well when trying to spot spams and phishes. This blog entry shows some actual spams and phishes that people fell for, as well as genuine messages that they think are spam." The thing about these s[cp]ams is that they must work sometimes. When I see the messages, I can't fathom 'how'.

7 of 317 comments

  1. Re:if it's done well, and some are by aussersterne · · Score: 4, Informative
    I used to work inside eBay and saw some of the best-crafted phishes around. The phishers used to use our system to get as many official eBay messages as they could, just to be able to clone each of them and have a phish that was "real" in origin so that they could catch people. We gradually had to eliminate email that led back to the site. Some still presents a problem and is being exploited (i.e. the mail forwarding system that buyers/sellers use to communicate is currently being exploited by phishers).

    One thing you didn't mention that might even get some slashdotters is that the "@" symbol in a URL is used by most browsers in a way (for authentication) that makes it possible to also spoof domains in a phish link. Try typing this address into your URL bar and you'll see what I mean:

    http://www.ebay.com@64.236.24.12

    Firefox presents a warning in this case because you're being redirected to a site that doesn't require authentication (CNN.com) yet you've provided authentication information. If the destination site (i.e. phish destination) had been crafted to require authentication and accept "www.ebay.com" as valid data, you'd get no warning.

    Some of these URLs+site combinations had *very* well-crafted URLs using tricks like this that would almost certainly fool most users who had been told "don't click on a link unless it says it's going to 'ebay.com' in the status bar."

    --
    STOP . AMERICA . NOW
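The "@" trick in the comment above, worked through as an added example (not code from the post or from eBay): under RFC 3986 everything between `//` and the last `@` of the authority is userinfo, so `http://www.ebay.com@64.236.24.12` connects to `64.236.24.12` and sends `www.ebay.com` as a username. The script contrasts the naive "does the link say ebay.com?" check a user is told to apply with what the browser actually resolves, using only `urllib.parse`. The IP address is the one from the post; the `/signin` path and `ebay.com` as the expected host are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Link taken from the comment above: the part before "@" is userinfo,
# not the host.  The browser contacts 64.236.24.12.
PHISH_URL = "http://www.ebay.com@64.236.24.12"


def naive_domain(url: str) -> str:
    """The check a casual reader (or a sloppy filter) applies: whatever
    follows 'http://' up to the next '/', '?' or '#'.  It never looks for
    '@', so 'www.ebay.com@64.236.24.12' sails through as 'ebay.com'."""
    m = re.match(r"https?://([^/?#]+)", url)
    return m.group(1) if m else ""


def looks_like_ebay_naively(url: str) -> bool:
    """The literal advice: 'only click if it says ebay.com'."""
    return "ebay.com" in naive_domain(url).lower()


def real_host(url: str) -> str:
    """What the browser actually resolves: the host part of the authority
    after userinfo and port are stripped (RFC 3986 section 3.2)."""
    return (urlsplit(url).hostname or "").lower()


def has_userinfo(url: str) -> bool:
    """True when the authority carries credentials.  Consumer sites do not
    embed them in links, so their presence alone is a strong phish signal."""
    return urlsplit(url).username is not None


def classify(url: str, expected_host: str) -> str:
    """'ok', 'spoofed-userinfo' or 'wrong-host' for a link that claims to
    lead to expected_host (a subdomain of it counts as ok)."""
    if has_userinfo(url):
        return "spoofed-userinfo"
    host = real_host(url)
    if host != expected_host and not host.endswith("." + expected_host):
        return "wrong-host"
    return "ok"


if __name__ == "__main__":
    for u in (PHISH_URL, "http://www.ebay.com:80@64.236.24.12/signin",
              "http://64.236.24.12/signin", "http://www.ebay.com/signin"):
        print(f"{u:45} naive={naive_domain(u):30} real={real_host(u):15} "
              f"ebay?={looks_like_ebay_naively(u)} -> {classify(u, 'ebay.com')}")
```

Note the second variant: `www.ebay.com:80@64.236.24.12` makes the fake port look like the real port, and `urlsplit` files `80` under `password`, not `port`. The robust rule is the one `classify` applies: reject any link with userinfo outright, then compare the parsed host, never the raw string.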
  2. Re:if it's done well, and some are by FireFury03 · · Score: 5, Informative

    How do these people avoid getting busted? They have IP addresses that point directly to the fake server. Finding out who owns the servers and where it is should be fairly elementary.

    Because the person who owns the server is almost always some home user who plugged their Windows box directly into the internet. In the same way as compromised boxes are used to send spam, perform DDoS attacks, etc they are also used to run web servers for phishers.

    How do these people NOT get busted, and busted hard?

    As much as I like the idea of throwing people in jail who have too little clue to secure their machines, I'm afraid I don't think it'll do a lot to stop the phishers.

  3. Re:So... idiots get taken for their money? by KIFulgore · · Score: 3, Informative

    That is true, I get more "unwanted" emails than "unsolicited" (though I always look forward to daily /. updates). I do feel bad for people that think they can just take their PC home, plug it in, and start using it like a toaster or washing machine. My parents repeatedly ask me if there's a program I can install, or a filter I can set up, to "get rid of all the spam." First off, I'm sure I'd be a billionaire if I could do that. Secondly, it's tough to make people (especially parents) understand there's nothing "magic" about a spam message that marks it as such. It's just another dishonest and/or annoying scam artist, the likes of which you run into every day. Hard for people to keep in mind there's other people at the end of that inter-web wire... not all of them friendly.

    --
    - For every action, there is an equal and opposite criticism.
  4. Re:if it's done well, and some are by fishbot · · Score: 4, Informative

    Some of these URLs+site combinations had *very* well-crafted URLs using tricks like this that would almost certainly fool most users who had been told "don't click on a link unless it says it's going to 'ebay.com' in the status bar."

    That's why this is flawed advice, and it's why I don't give it. Instead, I tell people that they should NEVER click the link, even if it looks genuine. Instead, they should open their browser, type in the address or click their bookmark, and log in to their account.

    This will prove most scams immediately (e.g. if you can log in, then your account has obviously NOT been suspended ...), and the ones it doesn't will be easy to verify. If there is no warning that matches the email and you are still not convinced, phone them up or use the online support tools directly.

    Basically, the rule is the same as for unsolicited phone calls: always be the one to initiate the communication. If you phone your bank using the number on your statement, then you've got through to the right place. If you type the URL on your statement into the address bar, you've got to the right place. If you let somebody else initiate the communication, either by phoning you, sending email, fax, or whatever, and you trust them not to lie, then you're as good as caught already.

  5. Re:if it's done well, and some are by tlhIngan · · Score: 4, Informative

    I've seen about two or three that were good.

    The best one yet is where the target link went to a website, and through some javascript, put an image over the URL bar! The image had the right URL in it, and if you moved the window around, the image moved too (though, because it was javascript, the image movement lagged a bit, so depending on how fast you moved the window, you could see the real URL, then the image jumped over it). The reason I spotted it? The image was off by several pixels either way - I thought the text was a few pixels too low in the addressbar (and it was too far left - it went over the icon left of the URL bar). (This was in IE. In Mozilla/Firefox, when I could get it to work, the image was in the completely wrong place). That was probably 1 in 1000, though.

    The other smart ones actually do verify the information you give them, too. I suppose for those, signing up with false eBay accounts and using that is good. (Good way to get rid of negative feedback accounts).

    The less-good ones had an image that was clickable. Discovered only because text that isn't normally clickable is.

    The vast majority are very poorly crafted emails, though. Spelling errors, sending more than one to the same email address (If you receive 3 or 4 Paypal or eBay phishes, it kinda gives the whole game away). And they don't hide the URL at all - just plain old non-redirector links. Phishing has reached the realm of the idiots.

    Luckily, eBay and Paypal have several characteristics I've noticed in their legit emails:

    1) If you use a separate email account for eBay and Paypal from your regular email, well, that is clue #1 if you receive an eBay or Paypal email in an account that isn't what you use for eBay and Paypal.
    2) eBay emails will *always* include your eBay username in the email, not the email address. Paypal emails will include your real name as registered. This detail is almost always impossible to get directly unless you've conducted business with the target through eBay or Paypal.
    3) eBay and Paypal use specific From addresses - all eBay item questions do *not* come from aw-confirm (that's only used by the bid confirmation system).
    4) For eBay specifically, if you get a phish for an item, the item description is always included, while phishes just give you the item number (because the item description will tell you "fake" immediately). In addition, all eBay messages appear in the "My eBay" message section. If unsure, log in to eBay and check there.
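The checklist in the comment above (dedicated mailbox, username present, sender address, honest links) turned into a small triage script, as an added example that is not the commenter's code and not anything eBay or PayPal publish. The profile values, sender addresses and the three messages are constructed for the example; the only page-sourced detail is the `64.236.24.12` address from the "@" trick discussed earlier in the thread. The sender check is reduced to "is the From: domain under ebay.com", which is deliberately weak because From: is forged at will, and the second sample shows that a perfect-looking sender still gets caught by the other checks.

```python
import re
from urllib.parse import urlsplit

# Constructed account profile; every value is hypothetical.
PROFILE = {
    "ebay_mailbox": "auctions@example.org",   # mailbox used only for eBay mail
    "ebay_username": "tlhingan42",
    "trusted_domain": "ebay.com",
}

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r'https?://([^/\s"<>]+)', re.I)

# Constructed sample messages (headers trimmed to the fields the checks use).
MESSAGES = {
    "legit": {
        "from": "noreply@ebay.com",
        "to": "auctions@example.org",
        "body": ('Hello tlhingan42,\n'
                 'A buyer asked a question about item 1234567890 "Vintage rangefinder lens".\n'
                 '<a href="http://www.ebay.com/ws/eBayISAPI.dll?ViewItem&item=1234567890">View item</a>'),
    },
    "phish_userinfo": {
        "from": "aw-confirm@ebay.com",   # forged: From: proves nothing
        "to": "personal@example.net",    # not the eBay-only mailbox
        "body": ('Dear eBay member, your account has been suspended.\n'
                 '<a href="http://www.ebay.com@64.236.24.12/signin">http://www.ebay.com/signin</a>'),
    },
    "phish_harvested_name": {
        "from": "security@example.com",
        "to": "auctions@example.org",
        "body": ('Hello tlhingan42, verify item 2345678901 now:\n'
                 '<a href="http://64.236.24.12/verify">Verify</a>'),
    },
}


def host_of(url):
    """Host the browser would contact, with userinfo and port stripped."""
    return (urlsplit(url).hostname or "").lower()


def under_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def link_findings(body, trusted_domain):
    """Report every <a href> whose target is not what it appears to be."""
    findings = []
    for href, text in HREF_RE.findall(body):
        if urlsplit(href).username is not None:
            findings.append(f"userinfo-in-url:{href}")
        elif not under_domain(host_of(href), trusted_domain):
            findings.append(f"link-host-not-trusted:{host_of(href)}")
        # visible text names one host while the href goes to another
        m = HOST_IN_TEXT_RE.search(text)
        if m and m.group(1).lower() != host_of(href):
            findings.append(f"text-href-mismatch:{m.group(1).lower()}->{host_of(href)}")
    return findings


def check_message(msg, profile=PROFILE):
    """Return the reasons a message looks like a phish; empty means no red flag."""
    reasons = []
    if msg["to"].lower() != profile["ebay_mailbox"]:
        reasons.append("delivered-to-wrong-mailbox")
    if profile["ebay_username"] not in msg["body"]:
        reasons.append("username-missing")
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if not under_domain(sender_domain, profile["trusted_domain"]):
        reasons.append(f"untrusted-sender:{sender_domain}")
    reasons.extend(link_findings(msg["body"], profile["trusted_domain"]))
    return reasons


if __name__ == "__main__":
    for name, msg in MESSAGES.items():
        print(name, "->", check_message(msg) or "no red flags")
```

The third sample is the case the comment warns about: a phisher who already has the username (from a completed transaction) passes the "is my name in it" test, so the mailbox and link checks have to carry the decision. None of this replaces the advice further up the thread to ignore the link and log in by typing the address yourself; it only decides which messages deserve that trip.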

  6. Funny feeling by shumacher · · Score: 4, Informative

    I completed about four tests before I started to get the feeling that I was actually working on training their filter. I felt like I should be charging a fee. Most of the tests are bogus. One email asked me to add some addresses to the "TW mailing list". I don't have context - in this scenario, do I work for an employer who has a "TW mailing list"? Do I manage it? The answer has everything to do with the way I'd rank it. In fact, most of the emails referred to specific people, and knowing or not knowing them would control the rating on the email.

  7. Re:if it's done well, and some are by pNutz · · Score: 3, Informative

    Be sure NOT to do this with IE. All phishing sites I have visited were chock full of browser exploits. You will almost always be prompted to install an ActiveX control or just have one pushed through an IE vulnerability for you (many fools are unpatched). McAfee was nice enough to tell me that it stopped IE from running a trojan from the temp folder without even asking me.

    I'd imagine they are doing this with Firefox vulnerabilities as well.

    --
    Death and danger are my various breads and various butters.