Phishing Steals Spotlight at MIT Conference

Bob Brown writes: "Companies are coping with spam, but phishing is another matter altogether, according to researchers at the annual MIT Spam Conference this week. From the article: 'The response rate for phishing e-mails is much higher than for spam, says Paul Judge, CTO of messaging security maker CipherTrust. So while spammers have to send more and more unsolicited e-mail these days, as anti-spam filters get better at identifying and blocking spam, phishing attacks are well enough disguised that a higher percentage get through such filters, and more recipients click on them, he says.'"
  • Uh, duh? (Score:4, Insightful)

    by Siberwulf ( 921893 ) on Friday March 31, 2006 @06:00PM (#15037577)
    The response rate for phishing e-mails is much higher than for spam, says Paul Judge, CTO of messaging security maker CipherTrust.

    Gee, I wonder why...

    Which would you click on? (Under the assumption you're a BoA customer)

    Cl1ck H33RE F0R S|0ft V1A_GR_A!!!!!

    or

    Click here to update your account information.

    It's a matter of logic. You can expect people to fall for things that look legitimate, not the things that just look utterly retarded, like most spam these days.
  • Re:Two words (Score:2, Insightful)

    by Anonymous Coward on Friday March 31, 2006 @06:16PM (#15037680)
    If you need cash in an unfamiliar city, how can you tell the difference between a real ATM machine and a machine which just stores your PIN and eats your card? You can't. You rely on people to quickly identify scams like this and have the local police take the scam machine down.

    Phishing fighting is the Internet equivalent of this.
  • by Anonymous Coward on Friday March 31, 2006 @06:27PM (#15037769)
    The cure for phishing is very simple - Don't use an email client that supports HTML in email. Read all emails as text only.

    This has the following advantages:

    1) There's no clicking on links - if you want to go to a referenced website, you have to think a little.
    2) Links to phishes are very obvious when you see the whole URL.
    3) Most phishes sent as multipart/alternative don't even have a phish attempt in the text-only part.

    In addition, because you're not loading any images referenced in HTML, the whole WebBug thing doesn't work.

    HTML in email was a terrible idea. It's time to stop.
  • by Anonymous Coward on Friday March 31, 2006 @06:29PM (#15037786)
    If a real bank sent me an e-mail stating that my account would be closed in 24 hours, I would have them on the phone in no time, closing all accounts and moving to another bank.

    I know people do not think but does it really take that much?
  • by random_amber ( 957056 ) on Friday March 31, 2006 @06:30PM (#15037788)
    Especially if they catch you off guard. I consider myself as savvy as most on /. but even I've done double-takes on some of the better phishing schemes...esp when they catch me at a particularly hectic moment AND the email comes from some place I had been dealing with that very day.

    I've never fallen for one, obviously, but just the fact that I have to stop and check things out for Kosherability shows how insidious phishing has become. There is just no way someone like my wife, who is just savvy enough to browse the web and read email, could spot the difference (which is why I severely restrict her browsing/email habits, but not every newbie is so lucky to have the surf-nazi on their back!)

    There is a LOT of potential here for the unscrupulous. I don't even think phishing has even remotely reached its peak yet.

    Random_Amber
  • by StevenMaurer ( 115071 ) on Friday March 31, 2006 @06:42PM (#15037876) Homepage
    Sure, phishers are more clever than spammers. There's more money involved, so it attracts organized crime. Still, there are some pretty basic things both Mozilla Thunderbird and MS could do to combat the problem:
    1. Bring up a warning dialog whenever you click on an email link whose body goes to a different domain than the text.
    2. Make that warning dialog in large RED LETTERS, talking about the likelihood that it is a SCAM, if the referenced text is formatted like a hyperlink and points to a different address.
    3. Hardcode in the top 100 sites subject to phishing, with a comparison of the hypertext links to known addresses. References to the site name in the text will cause the email client to check all embedded hyperlinks against their official published versions.
    4. Set up a cooperative site for email clients that have direct internet access to automatically check against w/o hardcoding.

    Phishing is easier than spam to combat because it is constrained by the requirement to look authentic. And that can be used to virtually eliminate it.
  • Re:Uh, duh? (Score:3, Insightful)

    by BACPro ( 206388 ) on Friday March 31, 2006 @06:59PM (#15037972)
    Other than the obvious differences pointed out by the PP, I always click the phishing emails and seed them with false data.

    The value of the database must go down where there is invalid info in it...

  • by lorcha ( 464930 ) on Friday March 31, 2006 @07:02PM (#15037993)
    You have to admit that the companies themselves are making it as difficult as possible to spot phishing. For instance, look at the Citibank valid list of URLs [citi.com]:

    1. web.da-us.citibank.com
    2. www.citi.com
    3. www.citibank.com
    4. www.myciti.com
    5. www.citibankonline.com
    6. www.citibank.com/us/cards
    7. www.accountonline.com
    8. www.citicards.com
    9. www.thankyouredemptions.com
    10. www.studentloan.com
    11. studentloan.citibank.com
    12. citibusinessonline.di-us.citibank.com
    13. citibusinessonline.com
    14. citibusiness.com
    15. www.citimortgage.com
    16. www2.citimortgage.com
    17. www.smithbarney.com
    18. www.benefitaccess.com

    Well, excuse me if I can't keep all your fscking domains straight, Citibank! How am I supposed to spot a phishing attack when you have 18 URLs on your list of valid ones? I think you could do a lot to help folks spot phishing emails if you would restrict yourself to your citibank.com domain. Then folks could remember, "You want citibank? Go to citibank.com."
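An added illustration, not code from the thread or from any real mail client, of the client-side check StevenMaurer sketches above (warn when the displayed link text names a different domain than the href, and compare hosts against a brand's published domains when the brand is mentioned) using the Citibank domain list lorcha quotes as the allowlist. The sample message, the "citi" brand keyword and the naive registrable-domain approximation are assumptions made here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand keyword -> registrable domains, taken from the Citibank list quoted in the thread
# (assumption: the keyword "citi" is what triggers the check, as in step 3 above).
OFFICIAL = {"citi": {
    "citibank.com", "citi.com", "myciti.com", "citibankonline.com", "accountonline.com",
    "citicards.com", "thankyouredemptions.com", "studentloan.com", "citibusinessonline.com",
    "citibusiness.com", "citimortgage.com", "smithbarney.com", "benefitaccess.com"}}

# Displayed link text that itself looks like a URL or host name (e.g. "www.citibank.com").
HOSTLIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?$")

def registrable(host):
    # Naive "last two labels" approximation; a real client would use the public-suffix list.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Return (reason, link text, href host) findings that a mail client would warn about."""
    brands = [b for b in OFFICIAL if b in html.lower()]      # step 3: brand named in the text
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        shown = HOSTLIKE.match(text)
        if shown and registrable(shown.group(1)) != registrable(host):   # steps 1 and 2
            findings.append(("text/href mismatch", text, host))
        for b in brands:
            if registrable(host) not in OFFICIAL[b]:
                findings.append(("not an official %s domain" % b, text, host))
    return findings

# Constructed sample: one disguised link, one genuine link from the quoted list.
SAMPLE = ('<p>Dear Citibank customer, please visit '
          '<a href="http://www.citibank.com.example.net/login">www.citibank.com</a> '
          'to verify. See also <a href="https://www.citibank.com/us/cards">our card site</a>.</p>')
```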

  • by JesseMcDonald ( 536341 ) on Friday March 31, 2006 @08:33PM (#15038692) Homepage
    In order to avoid spoofed financial identities, the best would be for all clients of financial institutions to have a financial public key they only give out to banks and such. That way even if you get an email from Ch4s3 B4nK, with a valid looking certificate, you aren't fooled into thinking you have done business with them. Because only the real Chase Bank would have your financial public key.

    I think you're missing the point of having a public encryption key: it's supposed to be, you know, public. In other words, you assume that everyone has access to it. Treating it as a private key defeats the whole point of public-key encryption. Your system would require every user to have a separate public key for every financial institution, unless you're willing to risk allowing all of them to be compromised by a single security breach. In other words, N users and M banks would require N * M secret keys. Ordinary public-key systems, however, would only require one public/private key pair for each individual (N + M key pairs).

    What you need here is a local database of trusted public keys, one of which would be the one for Chase Bank (added from their (SSL) web site when you set up the account, for example). When you get an e-mail from "Ch4s3 B4nK", it will have a perfectly valid public key, but that key will not be trusted for authentication purposes because it isn't in the database (it will only ensure that the message was not altered during transit). This is exactly the way that GPG's "web of trust" system works, and it wouldn't be all that difficult (technically speaking) to make SSL certificates work the same way. All it needs is better integration with the various e-mail clients and web browsers.
