The Psychology of Phishing
An anonymous reader writes: Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today. Cybercriminals understand that we are a generation of clickers and they use this to their advantage. They will take the time to create sophisticated phishing emails because they understand that today users can tell-apart spam annoyances from useful email, however they still find it difficult identifying phishing emails, particularly when they are tailored to suit each recipient individually. Fake emails are so convincing and compelling that they fool 10% of recipients into clicking on the malicious link. To put that into context, a legitimate marketing department at a FTSE 100 company typically expects less than a 2% click rate on their advertising campaigns. So, how are the cybercriminals out-marketing the marketing experts?
The criminals offer people stuff they want, marketing offers people shit they don't want. Seems simple enough.
It's the singer....not the song.
School smarts lose to street smarts.
and DON'T appear to be selling anything?
No, they're not. I use filters, blocking, caller ID, etc. and kinda know who calls or sends me email, so even if my stuff was wide open it would be delete, delete, delete, do not pick up. Anyone who works from home or is home during the day or at dinner time gets spam calls even when trying to be a "Do Not Call" person. Who makes this stuff up? A generation of clickers? Really Slashdot?
I was getting so much LinkedIn related junk that I stopped using LinkedIn and sent all email from them, or purporting to be from them to trash. If LinkedIn isn't putting in the effort to find their attackers, why should I use them?
Trying harder counts. The fact that these people only have to think about how to make people read and click, and not any legalities, also helps considerably.
>> can tell-apart
You can't fool me...I'm not going to click any links on this craptacular "story."
Holds true for phishing and marketing. IDK where they are getting their numbers; I've clicked exactly once on a phishing link. On an average day when I am not adjusting my filters to not see them, I see 3 or 4 a day. My filters have caught hundreds/day for over a decade now.
.. would be if the link in this article was in itself a phishing scam
Trained to click on shit by bad interface design. It might have been a different story if UI designers didn't think every simple little thing demanded the user's exclusive attention and acknowledgment right now.
I think you underestimate just how much I just don't care.
How do we know that the link in the post isn't a phishing attempt tailored to /. readers?
Actually, according to this study (http://onemillionfreeipads.co.zn/submitpersonaldetails.asp) approximately 10% of links on Slashdot are fishing scams.
The phishing emails I get (and I get a few...) are targeted at semi-literate morons that have no clue how the world works. But it may be that there are a lot of these people around, judging from other observations.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
How are spammers successful so often? Simple, companies don't train people.
As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable
Not that people are stupid - no, as far as I am concerned, almost all who are working in the companies I mentioned above are above average in intelligence - but the one thing that is needed the most is not information, rather, it's intuition with a large bit of paranoia mixed in.
It takes a paranoid to be suspicious of everything - and in this social-media world that we have today, where everybody shares every bit of their own info to the world - paranoia is becoming a scarce resource.
No matter how much info we have shared with our colleagues, no matter how many times we have told them to be ultra careful, you bet someone will get phished, on an almost daily basis, and the local level network will get breached.
Many thanks, Señor Edward Snowden!
From TFA:
people clicking on a link in the email that goes to a malicious website that looks harmless but can have total control over their PC in less than five seconds
That's not really phishing. More like a drive-by download. Phishing is where the e-mail or web site attempts to trick the luser into entering an ID/password for the legitimate site being masqueraded.
Phishing attempts to exploit a weakness in the user, downloads exploit the o/s or client software.
Have gnu, will travel.
I bet if you drew a Venn diagram, the morons that spew cash to these criminals and make them so flush with cash that they will never stop their crimes would have a 100% overlap. Stupidity and funding crime is the way of their kind.
Criminals can promise things that legit marketing emails can't.
If the marketing experts used the same tactics (disguising their emails as LinkedIn requests) they could compete with the cybercriminals.
Some things about this article smell. The author is a director of the company whose research the article cites. And what about the claim that "a dating website was hacked and approximately 10% of the passwords were "love1234""
That seems like a lot! (Unless there were only 10 accounts....)
"love1234"
oops
What about making it as wide-spread as possible organization policy to always *sign* your e-mail with pgp / gpg? ...
That would at least increase the effort needed (ie, actual access to someone's computer) to send "genuine" e-mail from a coworker.
The one that seems to catch people out is the link which they click on in a mail in gmail.
that takes them to gmail.google.com.myphishingsite.info/sessionexpired
which presents them with a message like session expired please login to your gmail account and the top line already has their email address all they need do is enter their password.
Most people don't question why that would happen a few seconds after clicking on the link,
quite possibly because Google and Facebook don't take you straight to a link; they log it first via an intermediate page and then redirect you to the destination (I see it all the time on my slow connection).
The page looks authentic and they tend not to look at the address bar and see the bolded address myphishingsite.info.
Often it's a site like fgjfjhki23d.info, a random jumble of characters just like the ones sites like Google and Facebook use all the time. People are used to seeing this sort of thing,
e.g. http://it.slashdot.org/comment... Of this address (taken from the address on this page), only it.slashdot.org makes any sense to most people, and their eyes glaze over beyond the initial it.slashdot.org.
That's a problem: without any training in website design, it's pretty hard to tell the real from the fake.
Thing is, once an email account has been harvested it immediately sends out 100 emails to the address book of that user and the same thing happens again.
Most people think they had their email hacked, not realising they gave away their password.
Kind of hard to stop people from falling for this sort of thing. The emails are even clever enough to redirect to an alternative page once the fake webmail page has been brought up once.
People here would say it's because people are stupid, but most people just don't have enough knowledge or interest in this area to know when something is fake or genuine.
It is probably impossible to fix, especially when the sites we use every day use random-looking character sequences as part of the URL.
Blarney Quality Restaurant, Plants
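The comment above describes a hostname like gmail.google.com.myphishingsite.info, where the brand name sits in the subdomain labels and the part that actually decides ownership (the registrable domain, the one browsers bold) belongs to someone else. The following is an added example, not from the thread, that makes that distinction mechanically: it uses only the standard library, and its public-suffix set and "known good" brand table are constructed stand-ins, not the real Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# A real checker would load the full list (publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "co.uk", "com.au"}

# Assumed brand table: brand name -> registrable domains it legitimately uses.
KNOWN_BRANDS = {
    "google": {"google.com"},
    "gmail": {"google.com", "gmail.com"},
    "facebook": {"facebook.com"},
}


def registrable_domain(host: str) -> str:
    """Return the registrable (eTLD+1) part of a hostname.

    Candidate suffixes are tried longest first, so 'bbc.co.uk' yields
    'bbc.co.uk' rather than 'co.uk'. Unknown suffixes fall back to the
    whole host, which is the safe (non-collapsing) choice."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i + 1:])
        if suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host


def analyze_link(url: str) -> dict:
    """Flag a URL whose hostname carries a brand name outside the
    registrable domain, i.e. the brand is decorative, not the owner."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    labels = host.split(".")
    impersonates = set()
    for brand, legitimate in KNOWN_BRANDS.items():
        brand_present = any(brand in label for label in labels)
        # Brand name appears in the host, but the owning domain is not
        # one of the brand's own: classic subdomain impersonation.
        if brand_present and reg not in legitimate:
            impersonates.add(brand)
    return {
        "host": host,
        "registrable_domain": reg,   # what the address bar bolds
        "impersonates": sorted(impersonates),
    }


if __name__ == "__main__":
    for u in ("https://gmail.google.com.myphishingsite.info/sessionexpired",
              "https://mail.google.com/mail/u/0/",
              "https://fgjfjhki23d.info/"):
        print(analyze_link(u))
```

A random-looking domain such as fgjfjhki23d.info is not flagged on its own, matching the comment's point that such names are normal; the signal is a known brand appearing where it does not own the domain.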
As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable
Doesn't help if you start out with not even trying.
You can try and teach people the finer points of literature but if they can't even read or write, they're lacking some basic knowledge to build upon.
This basic knowledge in computing has for ages been refused to people on the grounds that the software was "intuitive" and so would convey the basics by osmosis. Turns out it doesn't.
Even something as basic as the difference between To: and Cc:, I've seen people assume "first goes in To:, rest goes in Cc:", and that's not how it works. But nobody had bothered to explain even that. What's the difference, what do we use it for? Poor sod didn't know.
Instead the software provides an environment where all you can do is click and so that's all that people will do. Without looking where they're clicking because looking before you click has been made extra difficult, and so they've long been discouraged from engaging their brains on the question what they're doing. So if the thing in front of them presents them with a link, they're going to click on it, and you cannot blame them.
Similar with how to write reply emails. Why would you slap a single line atop someone's letter and send the entire thing back? Why then, do it with email? Nobody explained how to do it properly so everybody does it wrong, exactly as the (most popular but most poor excuse for an) email client provides. The results are mostly unreadable wastes of time but nobody knows they can do better with trivial effort and so it doesn't happen.
At the very least, should've given them an email client that doesn't do html and doesn't do links. Requiring people to copy/paste the link would be a simple, basic security measure because it requires engaging a few more braincells and actually looking at the url at least while copy/pasting, increasing the chances that dangerous links get spotted. Also because now the href cannot be hidden as easily.
Don't believe me? We live in the age of the veritable flood of poorly-written messages, to the point that most corporate communication consists of poorly worded laments that the communication is so poor. There's no discerning malicious from the merely inept there. It's all crap and yet you have to slog through it. And so that's what the poor untrained drones do.
This isn't really automation, it has nothing to do with empowering users. It's using technology to make puppets out of untrained meat sacks. You really shouldn't blame the meat sacks here.
"Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today."
Only on Microsoft Windows, the Operating System that made clicking on a URL or opening an email attachment dangerous. Mainly because Windows doesn't know the difference between OPEN and RUN. If you want to be safe doing your online banking then use a LiveCD
That's easy. They don't care about laws that are intended to protect people from "legitimate" marketers. When you don't worry about the law you can literally do and say whatever you want.
New news:
Bank robbers withdraw more money from banks than they have in their accounts!
I'm not going to click any links on this craptacular "story."
I did, and it really is a craptacular article. I can sum it up thusly: "Phishers do illegal things, therefore getting more clicks. If legitimate marketers did the same thing, their click rate would skyrocket."
And, "Don't use Windows XP on the Internet." This, by the way, was always good advice. And it still applies to all versions of Windows.
Advertisers and marketeers are trying to sell something real (that might not be interesting enough to click), and aren't allowed to lie. Phishers are already breaking the law, so no worries about false advertising or dull products.
Life is pain, Highness. Anyone who says differently is selling something.
Get free satoshi (Bitcoin) and Dogecoins
In the past, I used whether an email contained my first name as an indicator (a textual token) of whether the email was legitimate, as a sort of password to gain access to your attention. That stopped being useful several years ago as many spammers must have a name database to go with email addresses now. That also would not work for people whose entire first name was in their email address, as is often a corporate practice. Still, the idea of filtering email on a token can make sense, where the token says the sender has been authorized to send you email.
I still have filters for certain keywords like products I support as a way of doing some of this filtering. A next step could be to tell people (on a contact web page) that they need to include some token phrase like "swordfish" in any email to you if they want it to get read as a first-time sender. Or the token could be a random uuid like "f34f775b-3ccb-45e0-a75e-06f845f0c318". It is relatively easy to make filters in many email clients that would prioritize emails with an expected token. After you get such an email from someone the first time, you can whitelist the sender. Granted, phishing or spam often forges sender email addresses. So, there is a problem here that the validity token ideally should be in every email sent to you to avoid relying on whitelisting address.
Ideally, there could be one unique token per entity (or email address) you want to get emails from. Then you could selectively disable and change the token if spammers got one. These tokens then are specific to an allowed communications channel. That requires more complexity though. For example, when you signed up for a mailing list, you could give the list a token such as the above (or perhaps just accept a random one from the list signup procedure), and the list software would store that token to include in a header when it sends a message to you. You would also tell your email client about the token being associated with the sender somehow (either the email address or the sender name or perhaps some other unique sender identifier like a public key). When your client software receives email, it would check if the email has the expected token for the sender. If the email does not have the token, it would be marked as probably spam or phishing. Email tools would need to have this facility built into them, both for sending and receiving. Public mailing lists might need to filter out such tokens from their public web pages of email archives to prevent spammers from harvesting such data to spam the list.
Still, how can people contact you the first time? One answer is to separate the process of getting emails from a trusted source from the process of requesting a token. For example, when someone new wanted to contact you, they could need to go to a web page (or other means) and get a token for their sending email address (or other identifying information, like a public key). That web page might include some sort of captcha challenge or something requiring computational cost or even direct monetary cost (like a small amount of money required to be spent via Paypal or another service, perhaps as a donation to a favorite charity). A web form to do this might need to send a special email to your client that includes both its own token and the new sender and new token, which would need to be processed by your email client to make the association.
This would be a big difference from now, when the first contact you get from someone new might be directly via a new email which could be the spam or phishing attempt. Tokens could also be valid for a limited time. There could even be general tokens not associated with a specific email address, perhaps time-limited ones, ones that need to be paired with other tokens or perhaps topical key words (like a product name) to be considered valid. This does make it harder for senders to send emails, but it makes it more likely they will be read and not ignored as spam.
One advantage of this system is it could build on top of the current email
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
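The per-sender token scheme proposed in the comment above, written out as an added example (not the commenter's code): each expected correspondent gets its own token carried in a header, mail without the right token for its From: address is marked as probable phishing, and a separate time-limited first-contact token lets a stranger get one message through. The header name X-Contact-Token, the class and the one-shot consumption of first-contact tokens are assumptions for illustration.

```python
import hmac
import time
import uuid
from email import message_from_string
from email.utils import parseaddr

TOKEN_HEADER = "X-Contact-Token"  # hypothetical header name, an assumption


class TokenFilter:
    """Receiving-side check: is this message carrying the token we issued
    to the sender it claims to be from?"""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock for testing
        self._sender_tokens = {}        # sender address -> token
        self._first_contact = {}        # token -> expiry timestamp

    def issue_for(self, sender: str) -> str:
        """Create (or rotate) the token bound to one correspondent, e.g.
        given to a mailing list at signup. Rotating it revokes the old one."""
        token = str(uuid.uuid4())       # random, like the uuid in the comment
        self._sender_tokens[sender.lower()] = token
        return token

    def issue_first_contact(self, ttl_seconds: int = 86400) -> str:
        """Token for someone not yet known, e.g. handed out by a web form
        behind a captcha. Valid for a limited time and (assumption) one use."""
        token = str(uuid.uuid4())
        self._first_contact[token] = self._now() + ttl_seconds
        return token

    def classify(self, raw_message: str) -> str:
        """Return 'trusted', 'first-contact' or 'probable-phish'."""
        msg = message_from_string(raw_message)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        presented = msg.get(TOKEN_HEADER, "")
        expected = self._sender_tokens.get(sender)
        # The token is bound to the sender address, so forging From: alone
        # gains nothing; compare in constant time since it is a secret.
        if expected and hmac.compare_digest(presented.encode(), expected.encode()):
            return "trusted"
        expiry = self._first_contact.pop(presented, None)  # one-shot
        if expiry is not None and self._now() <= expiry:
            return "first-contact"
        return "probable-phish"
```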
What?
We are a government tied place (not DoD) perpetually of interest to Advanced Persistent Threats (APTs). We have a small phishing problem: and we have accurate data about it. Not only is every outbound internet packet stored for some period of time for forensic analysis (so if you know of one event, you can go hunt for other similar events), but there are white-hat phishing tests done all the time: so we know the click through rate on the phishing. In theory, I suppose if a particular person was always responding, we could find them, but I don't believe that's the case. It's usually an inadvertent click, when the user was distracted by someone walking in their office or calling, just at the wrong time.
The latter phenomenon is why you're NEVER going to get rid of ALL of the problem. Get thousands of people doing their day to day jobs, and perfection is impossible.
Advertisers and marketeers are trying to sell something real (that might not be interesting enough to click), and aren't allowed to lie. Phishers are already breaking the law, so no worries about false advertising or dull products.
I'm not so sure about the advertisers not being allowed to lie thing. I worked as a minion at an ad agency for a brief time and pictures comparing the results of various products and such were from completely unrelated stock photos. I'm not sure I'd trust the text (copy) that much either, though it's a lot easier to catch them in it.
You're talking about regular phishing. Phishing is not spear-phishing. Phishing, like fishing, involves casting out a bait and hoping that someone (anyone) takes the bait.
Spear-phishing, like spear-fishing, is DEFINED as identifying a specific target and launching your weapon against that target specifically.
I like the solutions they offer at the end of the article. Number 2 is so simple it should be obvious. Then, number 3 is a huge run-on sentence full of buzzwords that looks like number 1 rewritten.
If I saw number 3 in an e-mail, I'd assume it was a phishing site. It's so vague.
FTA:
Businesses need to:
1. Put in place layered security to provide an in depth defense against the latest attacks and malware.
2. Run awareness campaigns with your staff telling them not to click on links within social networking emails such as LinkedIn invitations, instead open your browser or app, log-in and manage your invites/messages from there.
3. Deploy new technologies that combine big data security analytics with advanced malware analysis to provide predictive and click-time defense, end-to-end attack campaign insight and automated incident containment capabilities through connectors to your existing security layers.
A couple of years ago I received a dozen emails with messages of account-termination-or-you-have-to-click-here-to-review from "Apple" that looked like the real deal, and only by looking at the headers would you notice they were coming from someplace else and were using strange URLs. If you were just looking at the emails, they looked like the real deal.
And it would be simple: the browser would know that it's reading email (from URL -- gmail, yahoo, custom) and *would not open any links* the user may click on unless the link URL is on the click-to-open whitelist (initially empty). It would still let you copy the link to the clipboard (possibly with a warning) that you could paste yourself in a new tab (possibly with another warning), but this speed bump of having to take the destination URL in your hands, so to speak, would -- I'm assuming -- be good enough to let you pause and think if "support-raytheon.com" is really where you want to go.
just what the f*** is that?
http://www.acetonestudio.com
All clickable e-mail is phishing, in the sense that stupidity wants to suck you in.
If a company says it needs you to contact them, get out of e-mail and go to their site. The only way this could fail is if they hijacked your DNS. Nothing is fail-safe, but why make it easy for attackers by clicking in e-mail? Really, if any of these companies cared about security they would never put clickable links in e-mail. They would simply say, "log in to your account" if they needed contact. Instead, they want you to join in their stupidity program.
Similarly, no phone call from a company is ever real. Just hang up and call their number. You shouldn't even be getting to the part where Joe insists that he's with Company X and needs some information. Just. Hang. Up. Even if they say they're cops, Just. Hang. Up. Call back on the non-emergency number. There's a pretty good chance they don't know Officer X who was asking for personal information.
Of course it's really hard to not respond to uniformed officers who show up with a car and everything; but that's a pretty elaborate hoax; probably harder than capturing your ISP's DNS.
Sure you can lie, but if you get caught the penalties will be high. It's called false advertising and there are laws against it.
Jack of all trades, master of none
Granted it's Wikipedia, but a glance at http://en.wikipedia.org/wiki/False_advertising didn't seem to indicate any stiff penalties for false advertising.
"So, how are the cybercriminals out-marketing the marketing experts?"
My question is, why are we assuming that they are different people?
Oh, I'm not saying that marketers aren't bad people whose job it is to deceive and mislead consumers, but there are rules and agencies that enforce those rules. Spammers and scammers don't have to worry about their company being punished so there is nothing holding them back.