People Suck at Spotting Phishing

JohnGrahamCumming writes "Initial results at SpamOrHam.org show that people don't fare well when trying to spot spams and phishes. This blog entry shows some actual spams and phishes that people fell for, as well as genuine messages that they think are spam." The thing about these s[cp]ams is that they must work sometimes. When I see the messages, I can't fathom 'how'.

if it's done well, and some are

[yagu]

I've seen more sophisticated phishing examples by far, and some are indistinguishable from what might be the real thing. The distinguishing factor from a genuine missive is the best phishes have links to bogus addresses (sometimes denoted with only an IP address), and the destination site asks for information company's won't ask for from an e-mail.

One of the best phishes I've seen was sent to me -- it was ostensibly from my phone company, and it described a problem with my on-line bill pay (I don't). The letter was nicely formatted with the colors and icons of my phone company. The link was a giveaway, when I rolled over it, I could see the IP address, not a phone company web-site.

I researched this a bit more, went to my phone company's web site, and downloaded their graphics. A bit-for-bit comparison of their icons, etc., and the phishers showed them to be identical. (Interestingly, this puts phishers also in the position of being guilty of more crime: copyright violations.)

Had my suspicions not been raised by the fact I wasn't participating in on-line bill pay and the phish indicated that problem, and had I not seen the IP address by rolling over the link (which I only did because of above suspicion), I easily could have been convinced I was dealing with a real e-mail (NOTE: this was two years ago, before phishing had become real big, and it was my first incident.)

I can easily believe many, if not most could fall for well crafted phishing expeditions. I would agree with the cited article, those are weak examples unlikely to catch savvy users (though they still could catch the naive, of which there are millions!). (And, I would claim some of the examples really are nothing more than SPAM.)

Re:if it's done well, and some are

[Asphalt]

I can easily believe many, if not most could fall for well crafted phishing expeditions. I would agree with the cited article, those are weak examples unlikely to catch savvy users (though they still could catch the naive, of which there are millions!). (And, I would claim some of the examples really are nothing more than SPAM.)

I agree with you. Some are sophisticated, but the link is ALWAYS a give away. It is either some kind of redirect, an IP address, or a Bogus URL altogether.

Then again, how many people that use AOL know what an IP address is? 10 ... 20%?

Fine, they obviously do work.

But, this is what I don't understand ...

How do these people avoid getting busted? They have IP addresses that point directly to the fake server. Finding out who owns the servers and where it is should be fairly elementary.

I mean, Sony/BMG can track down the exact studio apartment in Chicago of someone who downloaded "Ooops, I Did It Again", but we have people conducting massive financial and wire fraud with blatantly displayed IP addresses, and we can't just go an snatch them by the by the head and give them a solid flogging?

Okay, so many are in another countries. But how many countries DON'T have laws against this?

Post a threat against the President, and the Secret Service would be at your door with K-Y and rubber gloves in 3 minutes and 21 seconds. Attempt global financial fraud, broadcast your IP, and everything is cool?

How do these people NOT get busted, and busted hard?

I don't get it.

Re:if it's done well, and some are

[aussersterne]

I used to work inside eBay and saw some of the best-crafted phishes around. The phishers used to use our system to get as many official eBay messages as they could, just to be able to clone each of them and have a phish that was "real" in origin so that they could catch people. We gradually had to eliminate email that led back to the site. Some still presents a problem and is being exploited (i.e. the mail forwarding system that buyers/sellers use to communicate is currently being exploited by phishers).

One thing you didn't mention that might even get some slashdotters is that the "@" symbol in a URL is used by most browsers in a way (for authentication) that makes it possible to also spoof domains in a phish link. Try going typing this address (into your URL bar and you'll see what I mean:

http://www.ebay.com@64.236.24.12

Firefox presents a warning in this case because you're being redirected to a site that doesn't require authentication (CNN.com) yet you've provided authentication information. If the destination site (i.e. phish destination) had been crafted to require authentication and accept "www.ebay.com" as valid data, you'd get no warning.

Some of these URLs+site combinations had *very* well-crafted URLs using tricks like this that would almost certainly fool most users who had been told "don't click on a link unless it says it's going to 'ebay.com' in the status bar."

Re:if it's done well, and some are

[FireFury03]

How do these people avoid getting busted? They have IP addresses that point directly to the fake server. Finding out who owns the servers and where it is should be fairly elementary.

Because the person who owns the server is almost always some home user who plugged their Windows box directly into the internet. In the same way as compromised boxes are used to send spam, perform DDoS attacks, etc they are also used to run web servers for phishers.

How do these people NOT get busted, and busted hard?

As much as I like the idea of throwing people in jail who have too little clue to secure their machines, I'm afraid I don't think it'll do a lot to stop the phishers.

Re:if it's done well, and some are

[HunterZ]

[i]Windoz lusers most likely, that sh*t just promotes stupidity.

*BSD 4 lyfe![/i]

Sounds like BSD doesn't help much in that department either.

Re:if it's done well, and some are

[fishbot]

Some of these URLs+site combinations had *very* well-crafted URLs using tricks like this that would almost certainly fool most users who had been told "don't click on a link unless it says it's going to 'ebay.com' in the status bar."

That's why this is flawed advice, and it's why I don't give it. Instead, I tell people that they should NEVER click the link, even if it looks genuine. Instead, they should open their browser, type in the address or click their bookmark, and log in to their account.

This will prove most scams immediately (e.g. if you can log in, then your account has obviously NOT been suspended ...), and the ones it doesn't will be easy to verify. If there is no warning that matches the email and you are still not convinced, phone them up or use the online support tools directly.

Basically, the rule is the same as for unsolicited phone calls: always be the one to initiate the communication. If you phone your bank using the number on your statement, then you've got through to the right place. If you type the URL on your statement into the address bar, you've got to the right place. If you let somebody else initiate the communication, either by phoning you, sending email, fax, or whatever, and you trust them not to lie, then you're as good as caught already.

Re:if it's done well, and some are

[tlhIngan]

I've seen about two or three that were good.

The best one yet is where the target link went to a website, and through some javascript, put an image over the URL bar! The image had the right URL in it, and if you moved the window around, the image moved too (though, because it was javascript, the image movement lagged a bit, so depending on how fast you moved the window, you could see the real URL, then the image jumped over it). The reason I spotted it? the image was off by several pixels either way - I thought the text was a few pixels too low in the addressbar (and it was too far left - it went over the icon left of the URL bar). (This was in IE. In Mozilla/Firefox, when I could get it to work, the image was in the completely wrong place). That was probably 1 in 1000, though.

The other smart ones actually do verify the information you give them, too. I suppose for those, signing up with false eBay accounts and using that is good. (Good way to get rid of negative feedback accounts).

The less-good ones had an image that was clickable. Discovered only because text that isn't normally clickable is.

The vast majority are very poorly crafted emails, though. Spelling errors, sending more than one to the same email address (If you receive 3 or 4 Paypal or eBay phishes, it kinda gives the whole game away). And they don't hide the URL at all - just plain old non-redirector links. Phishing has reached the realm of the idiots.

Luckily, eBay and Paypal have several characteristics I've noticed in their legit emails:

1) If you use a separate email account for eBay and Paypal from your regular email, well, that is clue #1 if you receive an eBay or Paypal email in an account that isn't what you use for eBay and Paypal.
2) eBay emails will *always* include your eBay username in the email, not the email address. Paypal emails will include your real name as registered. This detail is almost always impossible to get directly unless you've conducted business with the target through eBay or Paypal.
3) eBay and Paypal use specific From addresses - all eBay item questions do *not* come from aw-confirm (that's only used by the bid confirmation system).
4) For eBay specifically, if you get a phish for an item, the item description is always included, while phishes just give you the item number (because the item description will tell you "fake" immediately). In addition, all eBay messages appear in the "My eBay" message section. If unsure, log in to eBay and check there.

Re:if it's done well, and some are

[Asphalt]

It seems that even if I got duped into believing that some email written in broken English was from my bank, and even if I went ahead and logged in to the phony site, once I got there I'd see that it wasn't really my bank's site. At that point I could change my account information or cancel my credit card or whatever, and the info the phishers had harvested from me wouldn't be of any use to them.

I have clicked on several obvious phish emailed specifically to see what happened.

I would usually enter completely bogus information into it like:

Usernname: Bunghole
Password: eatmenowyoubuttmuch

It would take me to a plain page that simply said "Thank you for verifying your information!" or somethign similar and generic.

Every now and then it would redirect me to the real site.

I've never actually gotten into anything that looked like an account site. Once you provide the username/password, they are done with you and the phish ends there.

Sometimes it is fun to play around with the phishing scams. If everone who knew what they were clicked on them, and provided useless and inaccurate info, Phishing scams would become so overhwhwlmed with usueless information that they just might have to come up with another idea.

Do your part! Screw with a scammer.

A little off

[Golias]

He finds it strange that people called that message from "Keith" to be spam... but the thing is, if you have no idea who "Keith" is, it probably IS spam... and if you do know him, you probably would not mark it as such.

The same goes for the US Airways thing. Yeah, it's an example of "not spam", but if you haven't recently bought a US Airways ticket, then the save bet would be that it is.

Oh... and the nun joke is fucking hilarious. That alone made TFA worth reading.

spam is not the same as phishing!

[seanadams.com]

TFA seems to be using a funny definition of spam.

Most would say it's unsolicited commercial junk mail, but he seems to think it means "phony" email. Apparently he doesn't mind receiving weekly airfare specials containing choice bits like "BID FOR TICKETS TO THE BIG GAME IN THE BIG EASY!"

Also re phishing: I'd say paypal is largely at fault for this. They do (did?) send an awful lot of useless mail full of clickable links - they were just begging to get phished because people were so used to receiving authentic but useless clickable mail from them. None of my other banks have done this (although one sends a fair amount of crap not specific to my account - rates and such).

What's wrong with false positives for phishing?

[qwijibo]

So what if someone thinks a legitimate email from a bank is a phishing scam? Banks shouldn't be using email for anything serious because it makes their customers more susceptible to fraud. If people expect to receive legitimate and sensitive communications from their bank via email, it's that much easier to fall for it.

For example, I got one this morning talking about my home loan account with a large bank I don't have an account with. I know it's a phishing scam just from the From and Subject lines. However, if my own bank sent an email talking about my actual mortgage, I'd treat it in exactly the same way. There's no benefit to giving an email the benefit of the doubt. If there is something my bank needs from me, they can send a letter and I'll go to my local branch to take care of it in person.

The Power Of Attrition

[American+AC+in+Paris]

Let's say I handed you an alternator. Could you tell me whether or not it was a genuine, durable, manufacturer-approved alternator or a cheap, flimsy, fly-by-night knock-off? To be fair, I'll give you a sheet of paper with some advice on how to differentiate between genuine and knockoff alternators.

Let's say I handed you an entire crate of auto parts, and told you that some of them may be genuine parts, while others might be knockoffs. I give you a whole binder, filled with instructions on how to differentiate between all the different "good" and "bad" parts. Some of these knockoffs are obvious fakes; others are quite cleverly done, requiring you to check for minute details such as whether or not inner surfaces are well-polished, or subtle discrepancies in serial number schemes and product logos.

At what point do you just start winging it? After one day of studious sifting? After a week? A month? When you see a part that you're pretty sure is genuine, but would need to haul out the manual for ten minutes' worth of cross-checking part and serial number ranges to confirm this--at what point do you simply go with your gut?

When somebody who knows what they're doing goes about trying to hoodwink your typical individual, it can be very hard for the individual to know when they're being hoodwinked, even if they know they might be being hoodwinked. It's part of human nature--there's a point at which you just throw your hands in the air and grant your trust to an unknown entity, because it's too tedious or time-consuming to check everything out. Given the average person--heck, even a person who knows a fair amount about the subject--there'll be a point where they just take the damn part and have it installed in their car, because they just want to be done with it and get on with their life. It's the same thing with phishing--unless you're one of those few individuals who has fairly advanced knowledge on the subject, you're eventually going to give up and make a gut-reaction decision to whether or not you "trust" the email you just got, simply because it's more trouble than it's worth to actually dig through it.

Re:This really shouldn't be a surprise

[maxwell+demon]

Ah, and by the way, there are many people falling for fraud on the front door. We really shouldn't allow people to open the front door if they have not passed a test or three. The fact that anyone is able to open his front door means that there are a lot of ... uninformed people out there.

Re:This really shouldn't be a surprise

[gstoddart]

While it would be nice if there was a test or three that a person was required to take in order to do anything online... the fact that anyone is able to buy a PC and plug it into the internet means that there are a lot of... uninformed people out there.

That might be a little harsh. We're seeing increasingly sophisticated phishing stuff -- right down to building a look-alike site of the bank which they are pretending to be.

I think it's getting increasingly difficult for even people who know what they're looking for to spot.

Yes, people need to learn the basics of how to spot and avoid spam and phishing. But, the increasing sophistication of the bad guys makes it a difficult thing to always identify.

Cheers

It's quite simple...

[brouski]

Evil will always triumph, because good is dumb.

Mail programs need better IP filters

[davidwr]

Email clients and servers need to start automatically looking at the chain of IP addresses or domains in the headers, and rating them accordingly.

If any header lies, e.g. IP address mismatches with domain name, or two successive Received-by headers don't have consistent information, then RED ALERT.

If the From domain doesn't appear in top-most received line, YELLOW ALERT. If it doesn't appear in any line, RED ALERT.

If the top-most received line's address is from a known spamming domain or open relay, RED ALERT.

If any previous mail-server, such as your ISP's, tagged the message with YELLOW or RED alerts, your alert should be at least this high.

Note that red and yellow alerts don't necessarily indicate spam. They are simply one of many indicators of spam, and should be used as input to the spam/ham decision-making process.

Re:So... idiots get taken for their money?

[SupremeTaco]

Problem is, people often mistake unwanted email for unsolicited email. I don't want to hear from Travelocity every week, with their weekly specials. It's unwanted, but I can cancel their letter if it gets irritating enough. The V14Gr4 ads, are not easily (or at all) cancellable. When you blend the two types of emails, people do tend to misclassify them.

Re:This really shouldn't be a surprise

[NoTheory]

I think a lot of people are being unfair. With instructions like this on SpamOrHam:

Please read the message below, enter the verification code in the box (if asked) and then click one of the three buttons. If you think the message is a spam click This is Spam, if you think it's a genuine message click This is Ham, and if you are not sure click I'm not sure. You are seeing the message as displayed in Microsoft Outlook and the raw message as it is seen by your email program. In the raw message, first the headers are shown (with From, To and Subject highlighted in bold) and then the body of the message follows colored blue.

I don't see how you could possibly think that the results of such a website could be meaningful. Spam filtering is a contextual process. This site cripples the critical component that allows humans to behave differently from naive filters, i.e. judgement based on memory. The claim being made here is that humans can't identify other people's spam (and this makes sense, how can you tell if you're shown a random email whether it's unsolicited or not? the only way you can is by knowing whether the recipient had been signed up for a mailing list or not!). You should NOT conclude, based on that fact, that humans are bad at identifying their own spam.

No HTML mail

[Neil+Watson]

Stop using HTML or convert it plain text and it's hard not to spot a phish.

Re:There's One rule I always Follow.

[Asphalt]

(a) Avoiding the use of email for business is surrending to the s[pc]ammers.

I conduct almost all of my business online and I don't think this is necessary.

I am never, ever asked for a password or identifying information via email. At least never by the legitimate company.

And I never click a link in an email. If my bank/company wants me to update my information, I type their website URL by hand into Firefox, log into my account section, and do what I need to do.

It basically comes down to this: Don't click links in email.

This one basic rule really does solve 99.999% of all scam problems, while allowing you to conduct business online safely.

Funny feeling

[shumacher]

I completed about four tests before I started to get the feeling that I was actually working on training their filter. I felt like I should be charging a fee. Most of the tests are bogus. One email asked me to add some addresses to the "TW mailing list". I don't have context - in this scenario, do I work for an employer who has a "TW mailing list"? Do I manage it? The answer has everything to do with the way I'd rank it. In fact, most of the emails referred to specific people, and knowing or not knowing them would control the rating on the email.

Re:Oh okay, I will bite.

[American+AC+in+Paris]

You got a proper alternator and a shoddy one. Right. Okay. How about this test. LOOK AT THE BOX! If one comes with the logo of your car brand and the other comes in a plastic bag with chinese instructions. Easy choice.

...yes, because a skilled counterfeiter wouldn't have the sense to duplicate a manufacturer's packaging, just as a skilled phisher doesn't have the sense to use anything other than "Gimm3 ur info ha ha lollerbate sux0r!" as bait.

EVERY serious site has a disclaimer stating they will NOT ask you for your details by email. EVERY scam involves them sending an email asking for your details.

In the early days, yes. Now, many phishers have wised up. They'll send you a phish that, save for one or two links, looks absolutely legitimate. You click the link, it sends you to a page at ebay.verification-department.com that mimics an actual eBay login page. You'll "log in", then they'll welcome you and very professionally gather your information--all, of course, after you've "logged in" to their system.

You can't cheat a honest man

Oh, you most certainly can. Just 'cause something rolls off the tongue nicely doesn't mean it's true.

and you can't phis a person who thinks.

Again, we're talking about attrition and trust. Unless you have a quite solid understanding of what phishing is, how to identify it, and how to go about avoiding it, you're going to eventually just trust something that looks legitimate enough. It's simply not feasible to expect that every single user of email will have enough technical know-how to identify and avoid getting phished.

You've got telephone slamming, you've got phishing, you've got insurance fraud, you've got pyramid schemes, you've got con artists--if we were all simply smart enough to know a rat when we saw one, none of these would be a problem. The problem is that many, many people have ductile minds and want to trust other people. If you're somebody who is willing to cheat another person out of their money, odds are that you'll eventually nail somebody. It's attrition, plain and simple--eventually, people simply let their guard down, even if only for a moment.

Re:Most Phishing Is Simple To Stop

[jekewa]

This method of phish detection has its flaws, too. It'd be pretty easy for said phisher to set up a self-certified SSL site, that the phish would accept even if it weren't trusted third-party verified.

It's pretty easy to tell the phish from the non-phish, as I don't bank or shop at most of the places the phishers send my way. Also, should I receive an e-mail from my bank (which they already said they wouldn't send me--believing that snail mail is more secure and less likely to be abused), and I feel the need to get there to deal with whatever the message may be saying, I'm surely not going to click a link. Heck, I probably wouldn't even visit the bank during the same session for fear of some kind of redirect spyware that they tried to sneak into the session.

Looking at the URL and seeing "ebay.somewhere.ch" instead of "ebay.com" isn't secure enough anyway, as it's trivial to spoof the status bar with the hover-over text.

The only way to avoid being phished is to not trust any e-mail that has anything to do with anything related to money, savings, charge cards, or deals that are too good to be true--they are too good to be true. A good runner-up is to find a black-hole mail service (i.e., get your own domain name) and set up an account for each vendor you deal with, with a less-than-likely phishable address (e.g. nvrSp4mMy-ebay@mydomain.us). Then, never give your "real" e-mail address to any site you don't explicitly trust. Or even use the same black-hole method for sites you do trust--like slashdot@mydomain.us), instead opting for a black hole e-mail address; this also helps identify who compromised your identity.

While some software is sometimes better at recognizing these things than others (I seldom get phish-mail at my GMail account, as they're recognized and flagged by the other users first), we still can't rely on an automated method to stop these things. It is on the individual to be responsible with their own information.

"I am not who I seem to be," is the safest way to present yourself to the generally anonymous Internet. That's the way they're presenting themselves.