
Why Phishing Works

Posted by Zonk
from the lower-your-expectations dept.
h0neyp0t writes "Harvard and Berkeley have released a study that shows why phishing attacks work (pdf). When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators. The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate. This study is brought to you by the people who developed the security skins Firefox extension."
  • by fak3r (917687) on Thursday March 30, 2006 @01:30PM (#15027929)
    I always encourage others to 'go on the offensive [fak3r.com]' and help pollute phishers' databases with the awesome site: PhishFighting.com [phishfighting.com]. Set a few tabs open to fill the phisher's database with useless data, check back later and see the site is offline (likely from the attention garnered from all the bandwidth usage!)

    As bosses would say "It's a win-win!"
  • by Anonymous Coward on Thursday March 30, 2006 @01:38PM (#15028022)
    In defense of the clueless (NOT Jerry Taylor!) I have to ask you, how many people understand how a physical lock works? Well, all of them. You put the key in and turn it.

    Few have a clue about its tumblers and other doodads and geegaws.

    How many understand how a car works? "Yeah, I know how it works, you put the key in and turn it, then you drive away."

    A certified Ford mechanic knows about the car's crankshaft, cylinders, pistons, fuel injectors, all the other components and how they're put together as well as you and I know how a PC and TCP/IP work.

    You shouldn't have to know the physics of the expanding gasses in the cylinder driving the pistons (and how the valves work etc) to drive a car.

    We, the nerd community, are to blame for failing to deliver something as simple as a web browser that works as easily as a door lock or a car.

    And the banking industry itself should be educating the public about phishing. I get tons of mail from my bank telling me about its whiz-bang web based banking, but nary a word about phishing.

    How is Average Joe supposed to know this stuff?

    As to Taylor, he claims 22 years tech experience, so the man deserves more ridicule than we can possibly heap on him.
  • by eclipz (630890) <skyspirit@g m a i l . com> on Thursday March 30, 2006 @02:48PM (#15028851)
    Sure, phishing works. We know it does, and some of the most technical people can be caught off guard. It goes with any forgery of any secure material, be it fake IDs, S.S. cards, etc.

    However, with regard to TFA, I have some doubts about their data. First, they use *only* 22 participants, which is a horribly low number. They give no background information of how they chose them. It could have just been 22 of their friends that they could con into playing with some web pages.

    Also, there are no controls with regards to the web pages. I didn't see (in the page list) two pages that would look identical and be either spoofed or real. This, to me, would be an important piece of information to support their conclusions. I personally would have had two identical web pages shown with only the browser security indicators changing. This would come a lot closer to showing people either ignore or watch those things.

    It's not that I disagree with their findings, it's just it would be a lot more believable with more people and a proper writeup of the makeup of such a group. You can't get a truly random group of people, but with larger numbers you can get closer.
  • by Aspirator (862748) on Thursday March 30, 2006 @04:03PM (#15029564)
    It isn't helped by some of the 'genuine' emails one receives from
    supposedly reputable financial institutions.

    For example I received an email purporting to be from American Express,
    one of the links in it was of the form that showed
    https://www.americanexpress.com/messagecenter [americanexpress.com],
    however it actually pointed to
    http://www65.americanexpress.com/clicktrk/Tracking?mid=AnIdentifyingNumber&msrc=ENG-YES&url=https://www.americanexpress.com/messagecenter [americanexpress.com]

    i.e It purported to be a secure link, but actually was not.
    It piped the request through another (insecure) URL.

    I sent it on to the American Express phishing people, and got only an
    automatic reply.

    Finally I phoned American Express Customer service who assured me that it was real,
    on the basis that they did actually send out emails like that. (!!!!)

    It showed all the hallmarks of a phishing email, and yet ultimately was genuine.

    How I am ever going to explain to Aunt Mary what signs to look out for
    in phishing emails, while the real financial institutions send out
    stuff like this, I don't know.

    You're right, it is a Herculean task.
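The pattern the comment above describes (anchor text that reads as an https:// URL, while the real href is a plain-http tracking redirector that carries the true destination in a query parameter) is mechanically detectable even though a reader cannot see it. The following is an added example, not code from the original post or from any institution named in the thread: it extracts every link from an HTML e-mail fragment and flags three things, a displayed host that differs from the actual host, an https-looking label on an http link, and a redirector whose query string contains another URL. The sample e-mail, its hostnames (`example-bank.test`, `attacker.test`) and the `clicktrk/Tracking` path are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample HTML e-mail fragment (not a real message). The first link
# mirrors the redirector shape from the comment above; the third is a spoof of
# the same visual trick; the second is a clean link for contrast.
SAMPLE_EMAIL_HTML = """
<p>Visit <a href="http://www65.example-bank.test/clicktrk/Tracking?mid=12345&amp;msrc=ENG-YES&amp;url=https://www.example-bank.test/messagecenter">https://www.example-bank.test/messagecenter</a></p>
<p>Or <a href="https://www.example-bank.test/help">our help pages</a>.</p>
<p>Update at <a href="http://secure-login.attacker.test/">https://www.example-bank.test/login</a></p>
"""

URL_RE = re.compile(r"^https?://", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # html.parser unescapes entities such as &amp; in attribute values
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def audit_link(href, text):
    """Return a list of human-readable findings for one link (empty if clean)."""
    findings = []
    actual = urlparse(href)

    # Case 1: the label itself looks like a URL, so a reader believes that is
    # where the link goes. Compare what is shown with where it really points.
    if URL_RE.match(text):
        shown = urlparse(text)
        if shown.hostname != actual.hostname:
            findings.append("displayed host %s but link goes to %s"
                            % (shown.hostname, actual.hostname))
        if shown.scheme.lower() == "https" and actual.scheme.lower() == "http":
            findings.append("displayed https but link is plain http")

    # Case 2: tracking/redirector style, the real destination is smuggled in a
    # query parameter. Legitimate senders do this too, which is exactly why a
    # user cannot tell it from an open-redirect phish by eye.
    for key, values in parse_qs(actual.query).items():
        for value in values:
            if URL_RE.match(unquote(value)):
                findings.append("redirects via %s= to %s" % (key, unquote(value)))

    return findings


def audit_email(html):
    """Audit every link in an HTML e-mail; returns [(href, text, findings), ...]."""
    return [(href, text, audit_link(href, text)) for href, text in extract_links(html)]


if __name__ == "__main__":
    for href, text, findings in audit_email(SAMPLE_EMAIL_HTML):
        status = "SUSPICIOUS" if findings else "ok"
        print("%-10s %s" % (status, href))
        for f in findings:
            print("           - " + f)
```

Run against the constructed sample, the first link is flagged on all three counts even though, as the commenter found, a message built this way may be genuine; that is the point of the check. It tells you the link is not what it shows, not whether the sender is honest, and the decision still has to be made out of band (typing the institution's address yourself rather than following the link).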
