Please create an account to participate in the Slashdot moderation system


Forgot your password?

People Suck at Spotting Phishing 317

JohnGrahamCumming writes "Initial results at show that people don't fare well when trying to spot spams and phishes. This blog entry shows some actual spams and phishes that people fell for, as well as genuine messages that they think are spam." The thing about these s[cp]ams is that they must work sometimes. When I see the messages, I can't fathom 'how'.
This discussion has been archived. No new comments can be posted.

People Suck at Spotting Phishing

Comments Filter:
  • Well..... (Score:3, Informative)

    by SatanicPuppy ( 611928 ) <.Satanicpuppy. .at.> on Monday May 15, 2006 @11:42AM (#15334933) Journal
    Mind you, I think that that type of phish is the most sophisticated type of phish, being both elegant and simple. I "fell" for one of those back in the day, in that I got an email from my bank, and it notified me of some account change, so I immediately and without checking the validity of the link on the email...called my bank on the phone and said, "What the hell is up with this?"

    They of course, didn't know anything about it, I checked the link and realized it was false. That was just long term ingrained habit that puleld me out of that one, because it was an excellent phish. But how do you teach those habits of suspicion to a layman?

    It's just a security issue. I deal with passwords all day every day, and people are awful with their password security. It just doesn't make any sense to them, and they all think that the consequences for this or that little security breach are harmless, and so when something like this comes along, they fall for it, hook, line, and sinker.
  • by gvc ( 167165 ) on Monday May 15, 2006 @11:49AM (#15334996)
    The definition used for the creation of the corpus was
    Unsolicited, unwanted email that was sent indiscriminately, directly or indirectly, by a sender having no current relationship with the re- cipient.
    For more details on issues arising in labelling the corpus, see Spam Corpus Creation for TREC [] or The TREC 2005 Spam Track Overview []. And if you have a spam filter, sign up for TREC 2006!
  • by aussersterne ( 212916 ) on Monday May 15, 2006 @11:51AM (#15335014) Homepage
    I used to work inside eBay and saw some of the best-crafted phishes around. The phishers used to use our system to get as many official eBay messages as they could, just to be able to clone each of them and have a phish that was "real" in origin so that they could catch people. We gradually had to eliminate email that led back to the site. Some still presents a problem and is being exploited (i.e. the mail forwarding system that buyers/sellers use to communicate is currently being exploited by phishers).

    One thing you didn't mention that might even get some slashdotters is that the "@" symbol in a URL is used by most browsers in a way (for authentication) that makes it possible to also spoof domains in a phish link. Try going typing this address (into your URL bar and you'll see what I mean:

    Firefox presents a warning in this case because you're being redirected to a site that doesn't require authentication ( yet you've provided authentication information. If the destination site (i.e. phish destination) had been crafted to require authentication and accept "" as valid data, you'd get no warning.

    Some of these URLs+site combinations had *very* well-crafted URLs using tricks like this that would almost certainly fool most users who had been told "don't click on a link unless it says it's going to '' in the status bar."

  • by SmallFurryCreature ( 593017 ) on Monday May 15, 2006 @11:56AM (#15335052) Journal
    You got a proper alternator and a shoddy one. Right. Okay. How about this test. LOOK AT THE BOX!

    If one comes with the logo of your car brand and the other comes in a plastic bag with chinese instructions. Easy choice.

    I only know a bit about mopeds (50cc limited bikes) because there as a huge industry for cheap parts but they really sucked donkey balls. Very poor quality and it showed.


    Perhaps alternators are different but I can tell the difference between a shoddy muffler and a good one in a second. Mostly because the good one does not have pieces falling off.

    But it is made even easier. If cars were the internet it would be very easy to spot the fake spare parts from the real ones because the real ones DO NOT EXIST!

    That is how you tell a fake request for your account details email for a real request for your account details. Because the real ones DO NOT EXIST!

    This is a not about cheap alternators. This is not even about people buying 10 dollar rolexes from a guy on a street corner. This is about people paying 1000 dollars for the Mona Lisa.

    EVERY serious site has a disclaimer stating they will NOT ask you for your details by email. EVERY scam involves them sending an email asking for your details.


    As for regular spam, how hard would it be to spot a car part if it said r3n@ul1 instead of renault. If you would fall for the badly spelled one do you mind if I kick you? In the nuts so you cannot spread those defective genes?

    Scams and spams work because people don't stop and think for a second. It is not asking people to spot gold plated from solid gold. Or even glass from diamonds. It is asking people for a second to think if this deal makes sense.

    You can't cheat a honest man and you can't phis a person who thinks.

  • by FireFury03 ( 653718 ) <> on Monday May 15, 2006 @11:56AM (#15335053) Homepage
    How do these people avoid getting busted? They have IP addresses that point directly to the fake server. Finding out who owns the servers and where it is should be fairly elementary.

    Because the person who owns the server is almost always some home user who plugged their Windows box directly into the internet. In the same way as compromised boxes are used to send spam, perform DDoS attacks, etc they are also used to run web servers for phishers.

    How do these people NOT get busted, and busted hard?

    As much as I like the idea of throwing people in jail who have too little clue to secure their machines, I'm afraid I don't think it'll do a lot to stop the phishers.
  • by KIFulgore ( 972701 ) on Monday May 15, 2006 @11:59AM (#15335075)
    That is true, I get more "unwanted" emails than "unsolicited" (though I always look forward to daily /. updates). I do feel bad for people that think they can just take their PC home, plug it in, and start using it like a toaster or washing machine. My parents repeatedly ask me if there's a program I can install, or a filter I can set up, to "get rid of all the spam." First off, I'm sure I'd be a billionaire if I could do that. Secondly, it's tough to make people (especially parents) understand there's nothing "magic" about a spam message that marks it as such. It's just another dishonest and/or annoying scam artists, the likes of which you run into every day. Hard for people to keep in mind there's other people at the end of that inter-web wire... not all of them friendly.
  • by fishbot ( 301821 ) on Monday May 15, 2006 @12:03PM (#15335096) Homepage
    Some of these URLs+site combinations had *very* well-crafted URLs using tricks like this that would almost certainly fool most users who had been told "don't click on a link unless it says it's going to '' in the status bar."

    That's why this is flawed advice, and it's why I don't give it. Instead, I tell people that they should NEVER click the link, even if it looks genuine. Instead, they should open their browser, type in the address or click their bookmark, and log in to their account.

    This will prove most scams immediately (e.g. if you can log in, then your account has obviously NOT been suspended ...), and the ones it doesn't will be easy to verify. If there is no warning that matches the email and you are still not convinced, phone them up or use the online support tools directly.

    Basically, the rule is the same as for unsolicited phone calls: always be the one to initiate the communication. If you phone your bank using the number on your statement, then you've got through to the right place. If you type the URL on your statement into the address bar, you've got to the right place. If you let somebody else initiate the communication, either by phoning you, sending email, fax, or whatever, and you trust them not to lie, then you're as good as caught already.
  • by tlhIngan ( 30335 ) <> on Monday May 15, 2006 @12:14PM (#15335186)
    I've seen about two or three that were good.

    The best one yet is where the target link went to a website, and through some javascript, put an image over the URL bar! The image had the right URL in it, and if you moved the window around, the image moved too (though, because it was javascript, the image movement lagged a bit, so depending on how fast you moved the window, you could see the real URL, then the image jumped over it). The reason I spotted it? the image was off by several pixels either way - I thought the text was a few pixels too low in the addressbar (and it was too far left - it went over the icon left of the URL bar). (This was in IE. In Mozilla/Firefox, when I could get it to work, the image was in the completely wrong place). That was probably 1 in 1000, though.

    The other smart ones actually do verify the information you give them, too. I suppose for those, signing up with false eBay accounts and using that is good. (Good way to get rid of negative feedback accounts).

    The less-good ones had an image that was clickable. Discovered only because text that isn't normally clickable is.

    The vast majority are very poorly crafted emails, though. Spelling errors, sending more than one to the same email address (If you receive 3 or 4 Paypal or eBay phishes, it kinda gives the whole game away). And they don't hide the URL at all - just plain old non-redirector links. Phishing has reached the realm of the idiots.

    Luckily, eBay and Paypal have several characteristics I've noticed in their legit emails:

    1) If you use a separate email account for eBay and Paypal from your regular email, well, that is clue #1 if you receive an eBay or Paypal email in an account that isn't what you use for eBay and Paypal.
    2) eBay emails will *always* include your eBay username in the email, not the email address. Paypal emails will include your real name as registered. This detail is almost always impossible to get directly unless you've conducted business with the target through eBay or Paypal.
    3) eBay and Paypal use specific From addresses - all eBay item questions do *not* come from aw-confirm (that's only used by the bid confirmation system).
    4) For eBay specifically, if you get a phish for an item, the item description is always included, while phishes just give you the item number (because the item description will tell you "fake" immediately). In addition, all eBay messages appear in the "My eBay" message section. If unsure, log in to eBay and check there.
  • Trial Copy? (Score:2, Informative)

    by 50m31sl4sh. ( 854939 ) on Monday May 15, 2006 @12:19PM (#15335228)
    Anyone spotted red text "TRIAL COPY" across the titlebars in the screenshots?
    Looks like a "feature" of some screenshot capture shareware.

    Nevertheless, I think (having in mind the topic of TFA) this doesn't add them much credibility.
  • Funny feeling (Score:5, Informative)

    by shumacher ( 199043 ) on Monday May 15, 2006 @12:25PM (#15335271)
    I completed about four tests before I started to get the feeling that I was actually working on training their filter. I felt like I should be charging a fee. Most of the tests are bogus. One email asked me to add some addresses to the "TW mailing list". I don't have context - in this scenario, do I work for an employer who has a "TW mailing list"? Do I manage it? The answer has everything to do with the way I'd rank it. In fact, most of the emails referred to specific people, and knowing or not knowing them would control the rating on the email.
  • by phlamingo ( 629479 ) on Monday May 15, 2006 @12:30PM (#15335317)

    Do your part! Screw with a scammer.

    This may seem obvious, but I wouldn't play this kind of game with IE. Or from Windows at all, for that matter.

  • by hackstraw ( 262471 ) * on Monday May 15, 2006 @12:39PM (#15335397)
    I don't want to hear from Travelocity every week

    Use SpamGourmet, url in my url field above.

    With spamgourmet, you can create a new valid email on the fly in the format of:

    At any time, newAccountName can be used. So travelocity can be use, or travel. or t, or tv, or whatever.

    X is the number of mails you want to receive to that email. You can increase or decrease X if need be. 5 is usually sufficient for an online purchase.

    myUserID is, well my userID that I use to login to the system.

    Everything after @ should be self explanatory.

    So, no Amazon, I will not see your deal of the week, nor will I get bothered by all of the people you sell my address to.

    Also, spamgourmet lets you see how many emails have been eaten by each of your aliases. The leaders for eaten email are 1) a mortgage scam site I gave false info to. Just curious how much of a scam it was. 2) NyTimes registration. I now use the anonymous logins that you can find on the net. 3) [] This is a health site, and boy they love to spam you.

    I highly recommend the service. It really works well, and will keep your email much more uncluttered.

  • by josepha48 ( 13953 ) on Monday May 15, 2006 @12:44PM (#15335443) Journal
    you forgot a rule:
    Rule #3: Turn of HTML in your email so that your links are text and you can see what they are.

    People are nieve and "probably" 80% of the people out there do not understand the internet. The rest of us do. Just look at the politicians that make laws to "govern" the internet. They don't understand what the hell they are doing.

  • by pNutz ( 45478 ) on Monday May 15, 2006 @01:09PM (#15335638)
    Be sure NOT to do this with IE. All phishig sites I have visited were chock full of browser exploits. You will almost always be prompted to install an ActiveX control or just have one pushed through an IE vulnerability for you (many fools are unpatched). McAfee was nice enough to tell me that it stopped IE from running a trojan from the temp folder without even asking me.

    I'd imagine they are doing this with Firefox vulnerabilities as well.
  • by srmalloy ( 263556 ) on Monday May 15, 2006 @03:36PM (#15336910) Homepage
    While it would be nice if there was a test or three that a person was required to take in order to do anything online... the fact that anyone is able to buy a PC and plug it into the internet means that there are a lot of... uninformed people out there.

    There used to be a test; back before connecting to the Internet was a matter of plugging the cable from your cablemodem into the back of your computer and clicking 'OK' on all the prompts, you actually had to have enough technical savvy to be able to set up your own TCP/IP stack; even for basic dialup shell access (pre-GUI), you needed to be able to figure out Unix command-line functions. This meant that the people who were posting to the newsgroups were almost always people who had exhibited a minimum level of technical skill. The exceptions were freshmen at college getting access to the Net through their institution's terminal farms, and who could readily be identified by the wave of "Greetings. My name is David Rhodes..." pyramid-scheme postings that heralded the start of each semester and trickled off as they had a little common sense mailbombed into them (if only 0.1% of the readers of a newsgroup emailed someone with an explanation of why it's a pyramid scheme, it still floods their mailboxes).

    However, as time went on, the various online services (Delphi, GEnie, et al.) began to offer access to the Net as another feature of their service, with their install software being automated, so if you could stick an AOL floppy into your computer, you could get Net access. And with each new online service that added Net access to their services, you saw a flood of people being exposed to the chain letters and pyramid schemes that had maintained a hand-to-mouth existence on the twice-yearly crop of gullible freshmen -- and there was a steady stream of fresh meat arriving as more people subscribed. With the massive expansion of potential victims, it became a lot more profitable to run scams, and the 'market' boomed, with increased automation making it just as easy to spam the world with 'opportunities' as it was to filter newsgroup postings to find accounts that hadn't posted before and spam them directly.

Perfection is acheived only on the point of collapse. - C. N. Parkinson