People Suck at Spotting Phishing
JohnGrahamCumming writes "Initial results at SpamOrHam.org show that people don't fare well when trying to spot spams and phishes. This blog entry shows some actual spams and phishes that people fell for, as well as genuine messages that they think are spam." The thing about these s[cp]ams is that they must work sometimes. When I see the messages, I can't fathom 'how'.
That might be a little harsh. We're seeing increasingly sophisticated phishing stuff -- right down to building a look-alike site of the bank which they are pretending to be.
I think it's getting increasingly difficult for even people who know what they're looking for to spot.
Yes, people need to learn the basics of how to spot and avoid spam and phishing. But the increasing sophistication of the bad guys makes it a difficult thing to always identify.
Cheers
Lost at C:>. Found at C.
Email clients and servers need to start automatically looking at the chain of IP addresses or domains in the headers, and rating them accordingly.
If any header lies, e.g. IP address mismatches with domain name, or two successive Received-by headers don't have consistent information, then RED ALERT.
If the From domain doesn't appear in top-most received line, YELLOW ALERT. If it doesn't appear in any line, RED ALERT.
If the top-most received line's address is from a known spamming domain or open relay, RED ALERT.
If any previous mail-server, such as your ISP's, tagged the message with YELLOW or RED alerts, your alert should be at least this high.
Note that red and yellow alerts don't necessarily indicate spam. They are simply one of many indicators of spam, and should be used as input to the spam/ham decision-making process.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
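As an added example (not from the comment above or any real mail filter), here is the header-chain rating scheme it sketches, in Python. The Received lines and the "known bad source" list are constructed for the example; the "IP address mismatches with domain name" check is approximated offline by comparing the HELO name with the reverse-DNS name the receiving server recorded, and an assumed X-Upstream-Alert header stands in for a tag added by an earlier server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LEVELS = {"GREEN": 0, "YELLOW": 1, "RED": 2}
KNOWN_BAD = {"198.51.100.7"}  # constructed stand-in for an open-relay / spam-source list

# Constructed sample headers (not real mail). The top-most Received line is the newest hop.
PHISH_SAMPLE = """\
Received: from mail.example-bank.test (relay7.bulk-sender.test [198.51.100.7]) by mx.my-isp.test
Received: from client.bulk-sender.test by relay7.bulk-sender.test
From: "Example Bank" <alerts@example-bank.test>

Please verify your account."""
LEGIT_SAMPLE = """\
Received: from mail.example-bank.test (mail.example-bank.test [203.0.113.10]) by mx.my-isp.test
Received: from app1.example-bank.test by mail.example-bank.test
From: "Example Bank" <alerts@example-bank.test>

Your statement is ready."""

# from <HELO name> (<reverse DNS> [<ip>]) ... by <receiving host>
HOP = re.compile(r"from\s+(\S+)(?:\s+\(([^\s\[\]]+)?\s*\[([\d.]+)\]\))?.*?\bby\s+(\S+)", re.S)

def rate(raw):
    """Return (alert level, reasons) following the header-chain rules from the comment."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])
    hops = [m.groups() for m in map(HOP.search, received) if m]
    level, reasons = "GREEN", []

    def alert(new, why):
        nonlocal level
        if LEVELS[new] > LEVELS[level]:
            level = new
        reasons.append(f"{new}: {why}")

    for i, (helo, rdns, ip, by) in enumerate(hops):
        if rdns and rdns.lower() != helo.lower():          # the header lies about who it is
            alert("RED", f"hop {i}: HELO {helo} != reverse DNS {rdns}")
        if i + 1 < len(hops) and hops[i + 1][3].lower() != helo.lower():
            alert("RED", f"hop {i}: sender {helo} is not the receiver of hop {i + 1}")
        if i == 0 and ip in KNOWN_BAD:
            alert("RED", f"top-most hop came from known bad source {ip}")
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not any(from_dom in r.lower() for r in received):
        alert("RED", f"From domain {from_dom} appears in no Received line")
    elif from_dom not in received[0].lower():
        alert("YELLOW", f"From domain {from_dom} not in top-most Received line")
    upstream = msg.get("X-Upstream-Alert")  # assumed tag from an earlier server, e.g. your ISP
    if upstream and upstream.upper() in LEVELS:
        alert(upstream.upper(), "inherited from upstream mail server tag")
    return level, reasons
```

As the comment notes, the result is one input to the spam/ham decision, not the decision itself.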
I have clicked on several obvious phish emails, specifically to see what happened.
I would usually enter completely bogus information into it like:
Username: Bunghole
Password: eatmenowyoubuttmuch
It would take me to a plain page that simply said "Thank you for verifying your information!" or something similar and generic.
Every now and then it would redirect me to the real site.
I've never actually gotten into anything that looked like an account site. Once you provide the username/password, they are done with you and the phish ends there.
Sometimes it is fun to play around with the phishing scams. If everyone who knew what they were clicked on them and provided useless and inaccurate info, phishing scams would become so overwhelmed with useless information that they just might have to come up with another idea.
Do your part! Screw with a scammer.
It's pretty easy to tell the phish from the non-phish, as I don't bank or shop at most of the places the phishers send my way. Also, should I receive an e-mail from my bank (which they already said they wouldn't send me--believing that snail mail is more secure and less likely to be abused), and I feel the need to get there to deal with whatever the message may be saying, I'm surely not going to click a link. Heck, I probably wouldn't even visit the bank during the same session for fear of some kind of redirect spyware that they tried to sneak into the session.
Looking at the URL and seeing "ebay.somewhere.ch" instead of "ebay.com" isn't secure enough anyway, as it's trivial to spoof the status bar with the hover-over text.
The only way to avoid being phished is to not trust any e-mail that has anything to do with anything related to money, savings, charge cards, or deals that are too good to be true--they are too good to be true. A good runner-up is to find a black-hole mail service (i.e., get your own domain name) and set up an account for each vendor you deal with, with a less-than-likely phishable address (e.g. nvrSp4mMy-ebay@mydomain.us). Then, never give your "real" e-mail address to any site you don't explicitly trust. Or even use the same black-hole method for sites you do trust (like slashdot@mydomain.us), instead opting for a black-hole e-mail address; this also helps identify who compromised your identity.
While some software is sometimes better at recognizing these things than others (I seldom get phish-mail at my GMail account, as they're recognized and flagged by the other users first), we still can't rely on an automated method to stop these things. It is on the individual to be responsible with their own information.
"I am not who I seem to be," is the safest way to present yourself to the generally anonymous Internet. That's the way they're presenting themselves.
End the FUD
For most web users (read: Mom and Pop) understanding the structure of a web address is completely mad. The first step is to explain why
h ecklogin?user=testuser
...
www.ebay.com is not the same company as www.ebay.com.checkyouraccount.ru, because they have to read the address backwards, and seriously
www.ebay.com.checkyouraccount.ru/~level1/level2/c
becomes really insane!
The problem is that after you (painfully) trained them, you notice that a lot of websites use insane URLs like that, and yet perfectly valid ones!
Example: Hotmail login
http://login.live.com/login.srf?...
after several loops through passport.com,
and I also have to train my parents to use whois???
And don't forget that I first had to explain what an 'OS' and a 'program' are, and finally what a 'browser' is.
The result of all the lessons is that my father turned into an Internet paranoid. He is convinced his machine is crawling with spyware and that every single website is a phishing attempt.
And now, when he needs to access his bank account, I need to connect from my machine and tell him the result over the phone. The same when he needs to buy something. He never uses his machine for anything remotely personal.
That's real sad.
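The "read the address backwards" lesson from this comment, as an added Python example (not from the commenter): it pulls the registered name out of a link's host so that www.ebay.com.checkyouraccount.ru resolves to checkyouraccount.ru, and it also handles the login.live.com case from the Hotmail example and the user@host trick. The small suffix table is a constructed stand-in for the Public Suffix List.

```python
from urllib.parse import urlsplit

# Labels in the public suffix for a few multi-label TLDs; a real implementation would load the
# Public Suffix List (publicsuffix.org). Constructed table for this example only.
SUFFIX_LABELS = {"co.uk": 2, "com.au": 2}

def registrable_domain(host):
    """Read the host name backwards: the last label(s) are the suffix and the one before them is
    the registered name, e.g. 'www.ebay.com.checkyouraccount.ru' -> 'checkyouraccount.ru'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) == 4 and all(part.isdigit() for part in labels):
        return host  # bare IPv4 address: no brand registered it
    n = SUFFIX_LABELS.get(".".join(labels[-2:]), 1)
    return ".".join(labels[-(n + 1):])

def check_link(url, expected_domain):
    """Return (ok, owner, note): is the link really under expected_domain, who owns it, and why not."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    owner = registrable_domain(host)
    ok = owner == registrable_domain(expected_domain)
    brand = expected_domain.split(".")[0]
    note = ""
    if parts.username is not None:   # 'http://www.ebay.com@203.0.113.5/' style link
        note = f"text before '@' ({parts.username}) is a login name, not the site"
    elif not ok and brand in host.split("."):
        note = f"'{brand}' appears only as a sub-label of {owner}"
    return ok, owner, note
```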
In the general, low-tech phishing scheme, though, you've just received an e-mail that looks like it's legitimately from an organization with whom you do business, and they hope to steal your login and password, or name and SSN, by directing you to a look-alike web site, which will give you a "password failed" message. Too late for you now.
I was outlining the not-gonna-happen scenario where one might believe an unwanted/unsolicited e-mail from what looks like an actual bank/other vendor and try to act on that information.
I personally feel a little safer not using Windows, which is the general target of most phishing, or IE when I do have to use Windows. I also have 4 PCs on my KVM, and would most likely follow up on a separate system entirely...
End the FUD