People Suck at Spotting Phishing 317
JohnGrahamCumming writes "Initial results at SpamOrHam.org show that people don't fare well when trying to spot spams and phishes. This blog entry shows some actual spams and phishes that people fell for, as well as genuine messages that they think are spam." The thing about these s[cp]ams is that they must work sometimes. When I see the messages, I can't fathom 'how'.
Well..... (Score:3, Informative)
They, of course, didn't know anything about it; I checked the link and realized it was false. That was just long-term ingrained habit that pulled me out of that one, because it was an excellent phish. But how do you teach those habits of suspicion to a layman?
It's just a security issue. I deal with passwords all day every day, and people are awful with their password security. It just doesn't make any sense to them, and they all think that the consequences for this or that little security breach are harmless, and so when something like this comes along, they fall for it, hook, line, and sinker.
Re:spam is not the same as phishing! (Score:3, Informative)
Re:if it's done well, and some are (Score:5, Informative)
One thing you didn't mention that might even get some Slashdotters is that the "@" symbol in a URL is used by most browsers in a way (for authentication) that makes it possible to also spoof domains in a phish link. Try typing this address into your URL bar and you'll see what I mean:
http://www.ebay.com@64.236.24.12
Firefox presents a warning in this case because you're being redirected to a site that doesn't require authentication (CNN.com), yet you've provided authentication information. If the destination site (i.e. phish destination) had been crafted to require authentication and accept "www.ebay.com" as valid data, you'd get no warning.
Some of these URLs+site combinations had *very* well-crafted URLs using tricks like this that would almost certainly fool most users who had been told "don't click on a link unless it says it's going to 'ebay.com' in the status bar."
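The parsing rule behind the "@" trick described in this comment, as an added example (not the commenter's code): everything between `//` and the last `@` of the authority part is userinfo, and the real host is whatever follows it. The helper below reports the host a browser would actually connect to and flags links that carry userinfo or point at a bare IP. The sample URLs are constructed; the IP address is the one quoted in the comment.

```python
"""Added example: show where a URL with embedded userinfo really leads."""
import ipaddress
from urllib.parse import urlsplit


def analyse_link(url: str) -> dict:
    """Split a URL the way a browser does and list reasons it looks deceptive.

    Returns the real host, any userinfo found before '@', and a list of
    human-readable reasons (empty when nothing stands out).
    """
    parts = urlsplit(url)
    host = parts.hostname or ""      # what the browser connects to
    userinfo = parts.username        # text before '@' in the authority, if any
    reasons = []

    if userinfo is not None:
        reasons.append(f"userinfo '{userinfo}' precedes the real host '{host}'")
        if "." in userinfo:
            # A dotted userinfo such as 'www.ebay.com' is there to be read as
            # the destination; no legitimate shopping or banking link needs it.
            reasons.append("userinfo looks like a domain name (spoofing attempt)")

    try:
        ipaddress.ip_address(host)
        reasons.append(f"host is a bare IP address ({host})")
    except ValueError:
        pass  # ordinary hostname (or empty), nothing to add

    return {
        "host": host,
        "userinfo": userinfo,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample links: the trick from the comment, a genuine-looking
    # link, and an '@' that sits in the query string rather than the authority.
    for sample in (
        "http://www.ebay.com@64.236.24.12",
        "https://www.ebay.com/signin",
        "https://www.ebay.com/?redirect=user@example",
    ):
        result = analyse_link(sample)
        print(sample, "->", result["host"], result["reasons"])
```

Note that an `@` after the first `/` or `?` is part of the path or query, not userinfo, so the third sample is reported as clean; the check should be applied to the authority part only, which is what `urlsplit` does.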
Oh okay, I will bite. (Score:2, Informative)
If one comes with the logo of your car brand and the other comes in a plastic bag with Chinese instructions. Easy choice.
I only know a bit about mopeds (50cc limited bikes) because there was a huge industry for cheap parts, but they really sucked donkey balls. Very poor quality and it showed.
Easily.
Perhaps alternators are different but I can tell the difference between a shoddy muffler and a good one in a second. Mostly because the good one does not have pieces falling off.
But it is made even easier. If cars were the internet it would be very easy to spot the fake spare parts from the real ones because the real ones DO NOT EXIST!
That is how you tell a fake request-for-your-account-details email from a real request for your account details. Because the real ones DO NOT EXIST!
This is not about cheap alternators. This is not even about people buying 10 dollar Rolexes from a guy on a street corner. This is about people paying 1000 dollars for the Mona Lisa.
EVERY serious site has a disclaimer stating they will NOT ask you for your details by email. EVERY scam involves them sending an email asking for your details.
WTF?
As for regular spam, how hard would it be to spot a car part if it said r3n@ul1 instead of renault. If you would fall for the badly spelled one do you mind if I kick you? In the nuts so you cannot spread those defective genes?
Scams and spams work because people don't stop and think for a second. It is not asking people to spot gold plated from solid gold. Or even glass from diamonds. It is asking people for a second to think if this deal makes sense.
You can't cheat an honest man and you can't phish a person who thinks.
Re:if it's done well, and some are (Score:5, Informative)
Because the person who owns the server is almost always some home user who plugged their Windows box directly into the internet. In the same way as compromised boxes are used to send spam, perform DDoS attacks, etc they are also used to run web servers for phishers.
How do these people NOT get busted, and busted hard?
As much as I like the idea of throwing people in jail who have too little clue to secure their machines, I'm afraid I don't think it'll do a lot to stop the phishers.
Re:So... idiots get taken for their money? (Score:3, Informative)
Re:if it's done well, and some are (Score:5, Informative)
That's why this is flawed advice, and it's why I don't give it. Instead, I tell people that they should NEVER click the link, even if it looks genuine. Instead, they should open their browser, type in the address or click their bookmark, and log in to their account.
This will prove most scams immediately (e.g. if you can log in, then your account has obviously NOT been suspended).
Basically, the rule is the same as for unsolicited phone calls: always be the one to initiate the communication. If you phone your bank using the number on your statement, then you've got through to the right place. If you type the URL on your statement into the address bar, you've got to the right place. If you let somebody else initiate the communication, either by phoning you, sending email, fax, or whatever, and you trust them not to lie, then you're as good as caught already.
Re:if it's done well, and some are (Score:5, Informative)
The best one yet is where the target link went to a website, and through some JavaScript, put an image over the URL bar! The image had the right URL in it, and if you moved the window around, the image moved too (though, because it was JavaScript, the image movement lagged a bit, so depending on how fast you moved the window, you could see the real URL, then the image jumped over it). The reason I spotted it? The image was off by several pixels either way - I thought the text was a few pixels too low in the address bar (and it was too far left - it went over the icon left of the URL bar). (This was in IE. In Mozilla/Firefox, when I could get it to work, the image was in the completely wrong place.) That was probably 1 in 1000, though.
The other smart ones actually do verify the information you give them, too. I suppose for those, signing up with false eBay accounts and using that is good. (Good way to get rid of negative feedback accounts).
The less-good ones had an image that was clickable. Discovered only because text that isn't normally clickable is.
The vast majority are very poorly crafted emails, though. Spelling errors, sending more than one to the same email address (If you receive 3 or 4 Paypal or eBay phishes, it kinda gives the whole game away). And they don't hide the URL at all - just plain old non-redirector links. Phishing has reached the realm of the idiots.
Luckily, eBay and Paypal have several characteristics I've noticed in their legit emails:
1) If you use a separate email account for eBay and Paypal from your regular email, well, that is clue #1 if you receive an eBay or Paypal email in an account that isn't what you use for eBay and Paypal.
2) eBay emails will *always* include your eBay username in the email, not the email address. Paypal emails will include your real name as registered. This detail is almost always impossible to get directly unless you've conducted business with the target through eBay or Paypal.
3) eBay and Paypal use specific From addresses - all eBay item questions do *not* come from aw-confirm (that's only used by the bid confirmation system).
4) For eBay specifically, if you get a phish for an item, the item description is always included, while phishes just give you the item number (because the item description will tell you "fake" immediately). In addition, all eBay messages appear in the "My eBay" message section. If unsure, log in to eBay and check there.
Trial Copy? (Score:2, Informative)
Looks like a "feature" of some screenshot capture shareware.
Nevertheless, I think (having in mind the topic of TFA) this doesn't add them much credibility.
Funny feeling (Score:5, Informative)
Re:if it's done well, and some are (Score:2, Informative)
This may seem obvious, but I wouldn't play this kind of game with IE. Or from Windows at all, for that matter.
Re:So... idiots get taken for their money? (Score:3, Informative)
Use SpamGourmet, url in my url field above.
With spamgourmet, you can create a new valid email on the fly in the format of:
newAccountName.X.myUserID@spamgourmet.com
At any time, newAccountName can be used. So travelocity can be used, or travel, or t, or tv, or whatever.
X is the number of mails you want to receive to that email. You can increase or decrease X if need be. 5 is usually sufficient for an online purchase.
myUserID is, well, my userID that I use to log in to the system.
Everything after @ should be self explanatory.
So, no Amazon, I will not see your deal of the week, nor will I get bothered by all of the people you sell my address to.
Also, spamgourmet lets you see how many emails have been eaten by each of your aliases. The leaders for eaten email are 1) a mortgage scam site I gave false info to. Just curious how much of a scam it was. 2) NyTimes registration. I now use the anonymous logins that you can find on the net. 3) http://www.mercola.com/ This is a health site, and boy they love to spam you.
I highly recommend the service. It really works well, and will keep your email much more uncluttered.
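The counting-alias scheme this comment describes, modelled as an added example (not spamgourmet's own code). The address format `word.X.user@spamgourmet.com` is taken from the comment; how the service stores counters internally is not on the page, so the model below makes two labelled assumptions: the count in the address is only read the first time a word is seen, and later changes happen through the `adjust` method rather than the address. Sample addresses are constructed.

```python
"""Added example: a minimal model of self-destructing forwarding aliases."""
import re
from dataclasses import dataclass, field

# word.X.user@spamgourmet.com, as described in the comment above
ALIAS_RE = re.compile(
    r"^(?P<word>[a-z0-9-]+)\.(?P<count>\d+)\.(?P<user>[a-z0-9-]+)@spamgourmet\.com$",
    re.IGNORECASE,
)


@dataclass
class DisposableInbox:
    """Per-user state: messages still allowed per alias, and how many were eaten."""
    user: str
    remaining: dict = field(default_factory=dict)
    eaten: dict = field(default_factory=dict)

    def deliver(self, to_addr: str) -> tuple:
        """Decide what happens to a message sent to to_addr.

        Returns ("forward", word), ("eat", word) or ("reject", None).
        """
        m = ALIAS_RE.match(to_addr)
        if not m or m.group("user").lower() != self.user.lower():
            return ("reject", None)            # not one of this user's aliases
        word = m.group("word").lower()
        if word not in self.remaining:
            # Assumption: X is honoured only when the alias is first created.
            self.remaining[word] = int(m.group("count"))
        if self.remaining[word] > 0:
            self.remaining[word] -= 1
            return ("forward", word)
        self.eaten[word] = self.eaten.get(word, 0) + 1
        return ("eat", word)

    def adjust(self, word: str, new_count: int) -> None:
        """Raise or lower an existing alias's budget (the 'increase or decrease X' step)."""
        self.remaining[word.lower()] = max(0, new_count)

    def leaderboard(self) -> list:
        """Aliases ordered by how much spam they have swallowed."""
        return sorted(self.eaten.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    inbox = DisposableInbox("myuserid")
    for addr in [
        "travel.2.myuserid@spamgourmet.com",   # created with a budget of 2
        "travel.2.myuserid@spamgourmet.com",
        "travel.2.myuserid@spamgourmet.com",   # budget exhausted: eaten
        "travel.99.myuserid@spamgourmet.com",  # count ignored after creation
        "tv.5.someoneelse@spamgourmet.com",    # another user's alias
    ]:
        print(addr, "->", inbox.deliver(addr))
    print("eaten:", inbox.leaderboard())
```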
Re:I have a simple ruleset (Score:3, Informative)
Rule #3: Turn off HTML in your email so that your links are text and you can see what they are.
People are naive and "probably" 80% of the people out there do not understand the internet. The rest of us do. Just look at the politicians that make laws to "govern" the internet. They don't understand what the hell they are doing.
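The reason Rule #3 works is that HTML lets the visible link text and the `href` disagree; plain text shows only the real target. As an added example (not part of the comment), the script below does the same comparison automatically over an HTML message: it pulls every anchor's displayed text and target, and flags the ones where the text names a domain that differs from the `href` host. The message body is constructed for illustration and the domain names in it are made up.

```python
"""Added example: flag HTML links whose visible text names a different domain."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message, not a real phish.
SAMPLE_EMAIL = """<html><body>
<p>Your account has been suspended. Please visit
<a href="http://www.paypal.com.example.net/login">https://www.paypal.com/</a>
to restore access.</p>
<p>Item question: <a href="http://www.ebay.com@64.236.24.12/">www.ebay.com</a></p>
<p>Or <a href="https://www.paypal.com/help">contact support</a>.</p>
</body></html>"""

# Loose pattern for a domain mentioned in link text ("www." and scheme stripped).
TEXT_HOST_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> list:
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def registrable(host: str) -> str:
    """Crude 'site' name: the last two labels (enough for .com-style domains)."""
    return ".".join(host.lower().split(".")[-2:])


def mismatched_links(html: str) -> list:
    """Return (visible text, real host) for links whose text names another site."""
    findings = []
    for href, text in extract_links(html):
        target = urlsplit(href).hostname or ""
        m = TEXT_HOST_RE.search(text)
        if m and registrable(m.group(1)) != registrable(target):
            findings.append((text, target))
    return findings


if __name__ == "__main__":
    for text, host in mismatched_links(SAMPLE_EMAIL):
        print(f"link text {text!r} really goes to {host!r}")
```

Links whose text is just words ("contact support") are not flagged, since there is no claimed domain to compare; a full client would also want to warn on userinfo and bare-IP hosts, which the `@` discussion earlier in the thread covers.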
Re:if it's done well, and some are (Score:3, Informative)
I'd imagine they are doing this with Firefox vulnerabilities as well.
Re:This really shouldn't be a surprise (Score:3, Informative)
There used to be a test; back before connecting to the Internet was a matter of plugging the cable from your cablemodem into the back of your computer and clicking 'OK' on all the prompts, you actually had to have enough technical savvy to be able to set up your own TCP/IP stack; even for basic dialup shell access (pre-GUI), you needed to be able to figure out Unix command-line functions. This meant that the people who were posting to the newsgroups were almost always people who had exhibited a minimum level of technical skill. The exceptions were freshmen at college getting access to the Net through their institution's terminal farms, and who could readily be identified by the wave of "Greetings. My name is David Rhodes..." pyramid-scheme postings that heralded the start of each semester and trickled off as they had a little common sense mailbombed into them (if only 0.1% of the readers of a newsgroup emailed someone with an explanation of why it's a pyramid scheme, it still floods their mailboxes).
However, as time went on, the various online services (Delphi, GEnie, et al.) began to offer access to the Net as another feature of their service, with their install software being automated, so if you could stick an AOL floppy into your computer, you could get Net access. And with each new online service that added Net access to their services, you saw a flood of people being exposed to the chain letters and pyramid schemes that had maintained a hand-to-mouth existence on the twice-yearly crop of gullible freshmen -- and there was a steady stream of fresh meat arriving as more people subscribed. With the massive expansion of potential victims, it became a lot more profitable to run scams, and the 'market' boomed, with increased automation making it just as easy to spam the world with 'opportunities' as it was to filter newsgroup postings to find accounts that hadn't posted before and spam them directly.