
Why Phishing Works 293

Posted by Zonk
from the lower-your-expectations dept.
h0neyp0t writes "Harvard and Berkeley have released a study that shows why phishing attacks work (pdf). When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators. The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate. This study is brought to you by the people who developed the security skins Firefox extension."
  • by jawtheshark (198669) * <slashdot AT jawtheshark DOT com> on Thursday March 30, 2006 @12:53PM (#15027513) Homepage Journal
    It is summarized by: There's a sucker born every minute.

  • DRTFA (Score:5, Interesting)

    by Billosaur (927319) * <wgrother@optonlin[ ]et ['e.n' in gap]> on Thursday March 30, 2006 @01:03PM (#15027629) Journal

    People fall for phishing because:

    1. Most are not tech savvy, and have no idea of the difference between http and https, don't look at the links they click on, and can't tell a spoofed URL from a real one on sight.
    2. Most people are pretty gullible. They believe what they're told, whether by a newscaster, the President, scientists, or the glowing pixels of a web page. Critical reasoning skills are lacking.
    3. Most people are pretty stupid. They get an email purportedly from their bank telling them they need to update their information for security purposes or have lost their bank account number, or something equally unlikely, and don't question it. They don't call their local bank branch to verify it, they simply click.
    4. Most people believe the Internet is infallible. They think every person who has a blog or web page knows what they are talking about. They think if a page looks a little like what they normally see when they bank online, that it's the same thing, even though the URLs to the links are all wrong.
    You can't protect people from themselves, although our Congress tries to do this every day by passing inane laws that protect no one but the large corporations and billionaires. People who go online will continue to be duped as long as no concerted effort is made to educate them. Cue the PSAs.
  • by plover (150551) * on Thursday March 30, 2006 @01:04PM (#15027641) Homepage Journal
    Actually, these guys did nothing to make the web safer. They just tested methods for phishing, and identified the ones that worked best. A good example? Bank of the West [bankofthevvest.com] and Bank of the West [bankofthewest.com] are two URLs, but only one of them leads to the real site. Even the font makes a difference -- look at the slashdot [] link, and check out the link preview in the status bar. The difference is surprisingly hard to catch.
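    The bankofthevvest / bankofthewest pair above is a confusable-character lookalike. The following is an added example (not code from the thread or the study) of the kind of check a mail gateway or browser extension can run on a hostname: collapse visually confusable character runs to a "skeleton" and see whether the result collides with a trusted domain. The substitution table and the trusted list are constructed for illustration and are deliberately incomplete; a real deployment would use the Unicode confusables data and the Public Suffix List.

```python
# Added example (not from the thread): flag hostnames whose registrable domain
# collapses onto a trusted domain once visually confusable runs are normalised.
from typing import List, Optional

# Constructed, non-exhaustive table: (lookalike run, canonical form)
CONFUSABLES = [
    ("vv", "w"),   # the bankofthevvest.com case from the comment above
    ("rn", "m"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
    ("3", "e"),
    ("5", "s"),
]


def skeleton(name: str) -> str:
    """Collapse a hostname so visually similar names map to the same string."""
    s = name.lower().strip(".")
    for lookalike, canonical in CONFUSABLES:
        s = s.replace(lookalike, canonical)
    return s


def registrable(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain
    (assumption: a real implementation would consult the Public Suffix List)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host: str, trusted: List[str]) -> Optional[str]:
    """Return the trusted domain that `host` imitates, or None.

    An exact match (or a subdomain of a trusted domain) is not a lookalike;
    a skeleton collision with a domain that is *not* the same string is.
    """
    cand = registrable(host)
    if cand in trusted:
        return None
    sk = skeleton(cand)
    for t in trusted:
        if skeleton(t) == sk:
            return t
    return None


if __name__ == "__main__":
    trusted = ["bankofthewest.com", "paypal.com"]
    for h in ["www.bankofthevvest.com", "www.bankofthewest.com", "paypa1.com", "example.org"]:
        print(h, "->", lookalike_of(h, trusted))
```

Because both sides are skeletonised, the table only has to list each confusable once; the check is symmetric and cheap enough to run on every link host in a message.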
  • by BlueCodeWarrior (638065) <steevk@gmail.com> on Thursday March 30, 2006 @01:07PM (#15027681) Homepage
    I remember the one time I almost thought that I fell for a phishing scam.

    I got an email saying that my student loan company needed some more information to give me the loan. I had to log into their website to check out what exactly it was and what I needed to send in.

    I just clicked the link in the email and typed my login information (of which the username is my SSN) and got a message to the effect of 'password incorrect, please try again.'

    I did this two or three times with some of the different passwords that I usually use...and then I thought about it.

    Oh fuck! The address bar said 'www.terri.org' and my bank was Chase. I freaked out, thinking that I'd fallen for it...

    Turns out terri is the company that processes the loan or whatever and I had just mistyped the password. But I reminded myself to not be so trusting on the internet, and always re-type the site in for things like that...
  • by smooth wombat (796938) on Thursday March 30, 2006 @01:10PM (#15027701) Homepage Journal
    If you want to see how gullible or just plain stupid people are, check out the story in my Journal titled, 'Renowned psychiatrist bilked by Nigerian scam'. It was rejected by the editors so I plunked it in my Journal.

    Even after the guy knew it was a scam and promised his son he wouldn't send any more money, he still did it anyway!

    Maybe a bit different than a phishing scam but along the same lines.
  • by Beefslaya (832030) on Thursday March 30, 2006 @01:34PM (#15027970)
    Lots of us Mail gurus have been switching to using SPF (sender policy framework) which is a separate set of DNSish records that ask mail servers who is qualified to send mail for them.

    The answer to phishing is a similar setup, that queries a DNS server to check and see if this "site" is OK to mirror for this site, or accept requests.

    Just a shot in the dark, but I bet something could be worked out like this.

    This would eliminate a lot of question whether or not a site is legit or not.
  • Re:DRTFA (Score:5, Interesting)

    by Lumpy (12016) on Thursday March 30, 2006 @01:56PM (#15028266) Homepage
    Most people are pretty stupid. They get an email purportedly from their bank telling them they need to update their information for security purposes or have lost their bank account number, or something equally unlikely, and don't question it. They don't call their local bank branch to verify it, they simply click.

    Dude you seriously underestimate the stupidity of the average human.

    I have seen people at the ATM intentionally swipe their card through a "card cleaner" stuck to the wall that was a reader.

    99% of the masses do not understand any of the technology they use daily in any way. They do not understand basic safety (Driving 4 feet from someone at 90mph is unsafe and stupid) and to top it off, they have to be told not to insert curling irons into a bodily orifice, and other things. Humans are too stupid to use most products safely which is why everything has a damned disclaimer on it.

    I will bet you that someone in Manhattan right now is getting a bridge sold to them, and they are seriously considering it!
  • by blowdart (31458) on Thursday March 30, 2006 @01:57PM (#15028280) Homepage
    This would eliminate a lot of question whether or not a site is legit or not.

    If people published it. I've been getting chase.com phishing mails. I check SPF at the mail server, but chase has ~all, so it's a soft fail if someone sends from another server, next to useless. Same for hsbc.com, paypal.com et al.

    So if the banks won't publish decent SPF records when SPF is 2+ years old now, what hope do you have of them adopting something new?
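    The "~all soft fail" point is worth seeing in code. The block below is an added example, not code from the thread, that evaluates a published SPF record against the connecting IP the way a receiving mail server does, and reports what the record's "all" mechanism hands to any sender not listed. Only the mechanisms that need no DNS lookups (ip4, ip6, all) are evaluated; include/a/mx/exists/ptr are reported as unsupported rather than guessed at. The records and addresses are constructed, using documentation ranges.

```python
# Added example (not from the thread): minimal SPF evaluator for the
# DNS-free mechanisms, to show the difference between ~all and -all.
import ipaddress
from typing import Optional

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return pass / fail / softfail / neutral / none / permerror / unsupported
    for a given TXT record string and connecting IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # no usable SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"                          # mechanisms default to pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]         # catch-all: this is the ~all / -all decision
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed network
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
            continue
        if "=" in name:
            continue                        # modifiers (redirect=, exp=) ignored here
        return "unsupported"                # include / a / mx / exists / ptr need DNS
    return "neutral"                        # nothing matched and no 'all' present


def all_qualifier(record: str) -> Optional[str]:
    """What an unlisted sender receives: the result of the record's 'all' term, or None."""
    for term in record.split()[1:]:
        qual, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if body.lower() == "all":
            return QUALIFIERS[qual]
    return None


if __name__ == "__main__":
    weak = "v=spf1 ip4:192.0.2.0/24 ~all"     # constructed: forged mail only soft-fails
    strict = "v=spf1 ip4:192.0.2.0/24 -all"   # constructed: forged mail hard-fails
    for rec in (weak, strict):
        print(rec, "->", evaluate_spf(rec, "198.51.100.7"), "| unlisted senders get:", all_qualifier(rec))
```

A receiver that only rejects on "fail" will accept forged mail from a "~all" domain regardless of how carefully it checks SPF, which is exactly the complaint in the comment above; "all_qualifier" is the one-line audit of whether a domain's record actually protects its name.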

  • Clueless Companies (Score:2, Interesting)

    by penttan (720818) on Thursday March 30, 2006 @02:01PM (#15028343)
    I have recently received some emails that I think may be legitimate but look like phishing attempts. Also Thunderbird thinks that it is a phishing attempt.

    I am registered at the BBC Shop. I have allowed them to send me email and they have been sending some offers. Lately the links in the email seem to go to http://bbcshop.msgfocus.com/ [msgfocus.com] with some unique id added. Even to the point that a link that has the text "bbcshop@bbc.co.uk" and looks like an email link is actually a link to an http request at bbcshop.msgfocus.com.

    All this was enough to make me not click any links. I did not find much information about msgfocus.com either.

    It could be a phishing attempt. I really am not sure. On the other hand, the email has some personal addressing that matches the information I have given to the web store. Maybe BBC has decided to use some clueless emailing service. But my point is that if respectable web stores send emails that look like phishing attempts to their customers it will become more and more difficult to identify phishing in the future.
  • Maybe it's genetic (Score:3, Interesting)

    by MrNougat (927651) <ckratsch&gmail,com> on Thursday March 30, 2006 @03:09PM (#15029067)
    No, seriously.

    I recall hearing about a study wherein monkeys were given the option of pressing one of two buttons at mealtime. Button A would always produce normal food. Button B would infrequently produce a treat, and usually produce nothing. The monkeys always pressed Button B.

    (I know, you can't let monkeys starve to death in an experiment, so it wasn't perfect perhaps, but it makes my point.)

    Shifting gears just a bit -- I have wondered for a long time myself how humanity has accomplished all that it has when such a large proportion of humans (those in charge of things as well as not) are complete morons. It seems to defy logic.

    Let's presume that the results of that experiment are correct. (If anyone has a link to substantiate my claim, I would appreciate it.) Monkeys gamble; they try to get something for nothing instead of going for the sure steady payoff. The inference, of course, is that humans do the same thing.

    Perhaps, over the long term (and I'm talking generations long), the "gambles" that individual human beings take pay off to the benefit of humanity as a whole. Think of the vast numbers of people, in attempts to invent fireworks, who must have blown their fingers or hands or heads off. People still do it. That's individual stupidity.

    But we've gone to the moon, we've sent probes to far-off planets, we have a world-girdling network of communications satellites. None of that would have been possible without the moronic work of tens of thousands of individual idiots.

    So, my hypothesis is as follows:

    The sum of individual stupidity is communal success.

    It's not tools, or language or brain size that sets humans apart from the beasts. We are more successful as a species because we are stupider as individuals.
  • Re:Short answer (Score:3, Interesting)

    by DdJ (10790) on Thursday March 30, 2006 @03:33PM (#15029284) Homepage Journal
    In the paper, one guy was very paranoid.
    Not paranoid enough, by my standards. I don't think they mentioned one single person using any tools other than web tools. The one who looked stuff up via Yahoo was a start, but just a start.

    Whenever I have the least suspicion of any web site, I start probing DNS and whois. I try to make sure information I get via non-computer channels matches what the computer tells me, and so forth.

    I wonder if I'd fall for any of the sites they used. I like to think I wouldn't, but the moment I'm sure I wouldn't, I'm pretty sure that'd put me into a state of mind that'd ensure that I would.

    Nobody on the internet should ever feel safe.

    (Just like real life! Why, yes, I did grow up in NYC, why do you ask?)
  • I got "phished" a week ago from some scammer with an eBay handle of "precisionlaptops4u" looking for eBay logins. I emailed eBay and hoped they could shut the perp down. And then again yesterday I got another one. Same guy, same scam. The URL is: http://1342912795/intranet/forum/templates/subSilv er/images/wsbleh/ebay/index.html [1342912795] I started looking at the problem myself and put my findings at my Blogger blog. http://mrlinuxhead.blogspot.com/ [blogspot.com] Same guy is still up, and doing it today.
  • by blueZ3 (744446) on Thursday March 30, 2006 @04:54PM (#15029978) Homepage
    If all email was plain text, phishing would decrease significantly. Unfortunately, we have "helpful" things like hyperlinks in email (a well-intentioned but bad idea) that help perpetuate this type of problem. I can't recall the last time I clicked a link in an email, but I can tell you it was a long time ago.

    Chances are, if the user had to copy and paste the bank's URL out of the email, it would be a lot harder to hide the fact that the URL directs to some non-official site (bankofthevvest is a counter-example, but it would still help). Most likely, people would type in the bank's URL and create a bookmark. Then when they got the email they would open their browser and click the bookmark and log in. Problem eliminated.

    This isn't an IE/Outlook problem only, I admit. There are a lot of mail clients that provide this same "helpful" behavior. But as with auto-executing scripts in the Outlook preview pane, it would be better (IMO) if they didn't.
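    Two observations in this thread, penttan's link whose visible text reads like a bbc.co.uk address but whose href goes to a tracking host, and the earlier comment's URL whose host is a bare decimal integer rather than a name, are both things a mail filter can catch mechanically without needing plain-text-only email. The block below is an added example, not code from the thread, that walks every anchor in an HTML body and flags (a) visible text naming one host while the href points at an unrelated host and (b) hrefs whose host is an integer, which it decodes to dotted-quad form for the analyst. The sample message is constructed and uses reserved .test names and a private address.

```python
# Added example (not from the thread): anchor-text versus href analysis
# for an HTML mail body, plus detection of integer-encoded hosts.
import ipaddress
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(href: str) -> str:
    return (urlsplit(href).hostname or "").lower()


def host_in_text(text: str) -> Optional[str]:
    """Host a reader would infer from the visible text: an address's domain,
    a URL's host, or a bare domain name. None if the text names no host."""
    m = re.fullmatch(r"[\w.+-]+@([\w.-]+)", text)
    if m:
        return m.group(1).lower()
    if re.match(r"https?://", text, re.I):
        return host_of(text)
    if re.fullmatch(r"(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", text, re.I):
        return host_of("http://" + text)
    return None


def analyse(html: str) -> List[Tuple[str, str, str]]:
    """Return (reason, visible text, href) for each suspicious anchor, in document order."""
    parser = _Links()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if host.isdigit():
            # Decimal-encoded IPv4 host: show the analyst the dotted-quad form.
            findings.append(("integer-host:" + str(ipaddress.ip_address(int(host))), text, href))
        shown = host_in_text(text)
        if shown and host and not (host == shown or host.endswith("." + shown)):
            findings.append(("text/href mismatch", text, href))
    return findings


# Constructed sample message (not a real mail): one honest link, one disguised
# tracking link, one integer-host link, one plain-text link.
SAMPLE_MAIL = """<html><body>
<p>Your statement is ready. Visit <a href="http://www.examplebank.test/login">www.examplebank.test</a></p>
<p>Questions? <a href="http://track.mailer.test/c?id=42">support@examplebank.test</a></p>
<p><a href="http://3232235777/login/index.html">Secure login</a></p>
<p><a href="http://www.examplebank.test/help">help centre</a></p>
</body></html>"""

if __name__ == "__main__":
    for reason, text, href in analyse(SAMPLE_MAIL):
        print(f"{reason:32} text={text!r:30} href={href}")
```

The mismatch rule treats a subdomain of the shown host as legitimate, so a visible "bbc.co.uk" pointing at "www.bbc.co.uk" passes while the same text pointing at a third-party mailer host is flagged; that is the distinction penttan's mail client was making, and it is the one a marketing department has to keep in mind if it does not want its own campaigns classified as phishing.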
