Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The Psychology of Phishing

samzenpus posted about 2 months ago | from the click-and-release dept.

Security 128

An anonymous reader writes Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today. Cybercriminals understand that we are a generation of clickers and they use this to their advantage. They will take the time to create sophisticated phishing emails because they understand that today users can tell-apart spam annoyances from useful email, however they still find it difficult identifying phishing emails, particularly when they are tailored to suit each recipient individually. Fake emails are so convincing and compelling that they fool 10% of recipients into clicking on the malicious link. To put that into context a legitimate marketing department at a FTSE 100 company typically expects less than a 2% click rate on their advertising campaigns. So, how are the cybercriminals out-marketing the marketing experts?

cancel ×

128 comments

Sorry! There are no comments related to the filter you selected.

well (5, Insightful)

Osgeld (1900440) | about 2 months ago | (#47520585)

The criminals offer people stuff they want, marketing offers people shit they don't want. Seems simple enough

Re:well (4, Interesting)

s.petry (762400) | about 2 months ago | (#47520627)

Sometimes yes, but not always true. Sure, "Free Porn" will get a whole lot of clicks, especially from uneducated people (who are usually schooled shortly thereafter by the spammer).

Professional phishing is geared to make it look like something the target company sent out. Working in DOD for about a decade, I saw some exceptional work. They register domains similar enough to the company and often related (support-raytheon for example) so that even people that look for questionable URLs can be fooled.

How are spammers successful so often? Simple, companies don't train people.

At the DOD site I worked at, it was a weekly training memo from our security team on the latest threats. Phishing was always a topic. People had to read the briefings or they could be terminated. 3-4 questions were enough to ensure people at least skimmed the content. Before you get anal about productivity, the email was a 2 minute read max, so even if you had to read it twice to answer the few questions it was a whopping 5 minutes out of your Friday.

We experienced numerous well crafted phishing attacks, and had 1 person out of 5,800 click the link. That person immediately contacted security, and we reset all of their account data. That was 1 out of 5,800 once, and we had professional campaigns run against us several times a year.

Now, take the average IT company in Silicon Valley which spends no time training on these issues (if your company has security awareness training I'm not referring to you, your company is not "average"). Since their people lack training, it's not uncommon to see 10% success in a phishing campaign. Compounding the problem, people often won't report the breach until it's too late if they report the incident at all (cultural issue with many companies in SV).

Re:well (4, Interesting)

vasanth (908280) | about 2 months ago | (#47520773)

We experienced numerous well crafted phishing attacks, and had 1 person out of 5,800 click the link. That person immediately contacted security, and we reset all of their account data. That was 1 out of 5,800 once

or 1 out of 5,800 realised that they were being phished and many more never realised it...

there are ways to measure the 1 in 5k (0)

Anonymous Coward | about 2 months ago | (#47522211)

We are a government tied place (not DoD) perpetually of interest to Advanced Persistent Threats (APTs). We have a small phishing problem: and we have accurate data about it. Not only is every outbound internet packet stored for some period of time for forensic analysis (so if you know of one event, you can go hunt for other similar events), but there are white-hat phishing tests done all the time: so we know the click through rate on the phishing. In theory, I suppose if a particular person was always responding, we could find them, but I don't believe that's the case. It's usually an inadvertent click, when the user was distracted by someone walking in their office or calling, just at the wrong time.

The latter phenomenon is why you're NEVER going to get rid of ALL of the problem. Get thousands of people doing their day to day jobs, and perfection is impossible.

Not everyone is train-able (5, Insightful)

Taco Cowboy (5327) | about 2 months ago | (#47520825)

How are spammers successful so often? Simple, companies don't train people

As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable

Not that people are stupid - no, as far as I am concern, almost all who are working in the companies I mentioned above are above average in intelligence - but the one thing that is needed the most is not information, rather, it's intuition with a large bit of paranoia mixed in

It takes a paranoid to be suspicious of everything - and in this social-media world that we have today, where everybody shares every bit of their own info to the world - paranoia is becoming a scarce resource

No matter how much info we have shared with our colleagues, no matter how many times we have told them to be ultra careful, you bet someone will get phished, almost in a daily basis, and the local level network will get breached

If you tried fixing that you did it wrong (4, Insightful)

Anonymous Coward | about 2 months ago | (#47521251)

As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable

Doesn't help if you start out with not even trying.

You can try and teach people the finer points of literature but if they can't even read or write, they're lacking some basic knowledge to build upon.

This basic knowledge in computing has for ages been refused to people on the grounds that the software was "intuitive" and so would convey the basics by osmosis. Turns out it doesn't.

Even something as basic as the difference between To: and Cc:, I've seen people assume "first goes in To:, rest goes in Cc:, and that's not how it works. But nobody had bothered to explain even that. What's the difference, what do we use it for? Poor sod didn't know.

Instead the software provides an environment where all you can do is click and so that's all that people will do. Without looking where they're clicking because looking before you click has been made extra difficult, and so they've long been discouraged from engaging their brains on the question what they're doing. So if the thing in front of them presents them with a link, they're going to click on it, and you cannot blame them.

Similar with how to write reply emails. Why would you slap a single line atop someone's letter and send the entire thing back? Why then, do it with email? Nobody explained how to do it properly so everybody does it wrong, exactly as the (most popular but most poor excuse for an) email client provides. The results are mostly unreadable wastes of time but nobody knows they can do better with trivial effort and so it doesn't happen.

At the very least, should've given them an email client that doesn't do html and doesn't do links. Requiring people to copy/paste the link would be a simple, basic security measure because it requires engaging a few more braincells and actually looking at the url at least while copy/pasting, increasing the chances that dangerous links get spotted. Also because now the href cannot be hidden as easily.

Don't believe me? We live in the age of the veritable flood of poorly-written messages, to the point that most corporate communication consists of poorly worded laments that the communication is so poor. There's no discerning malicious from the merely inept there. It's all crap and yet you have to slog through it. And so that's what the poor untrained drones do.

This isn't really automation, it has nothing to do with empowering users. It's using technology to make puppets out of untrained meat sacks. You really shouldn't blame the meat sacks here.

Re:If you tried fixing that you did it wrong (1)

GTRacer (234395) | about 2 months ago | (#47521941)

Why would you slap a single line atop someone's letter and send the entire thing back?

Because we can and bytes are cheap? Hiya! I promise I'm not trying to start a religious war over top-versus-bottom posting or the like, but I'm genuinely curious:

I save all emails. Always have. I can usually find a thread easily enough, but there are times when multiple people are in a thread and the subject gets manually mangled, so Outlook won't incorporate those in its "conversation" search. So having the whole thread, TOP-POSTED, makes it simple to quickly review what was said about whatever we were discussing. As long as the email client clearly marks each message's beginning, how hard is it to read the top one and only scan down if needed?

That said, I'm all for stripping out inline images on reply, and if the topic shifts I have no problem [snip] -ping out the completed thread to make room for the new one. Or if an email thread goes marathon and bounces more than like 10 times...

Re:If you tried fixing that you did it wrong (0)

Anonymous Coward | about 2 months ago | (#47522809)

Why would you slap a single line atop someone's letter and send the entire thing back?

Because we can and bytes are cheap?

Well, they do add up. I recall swapping QWK mail packets over 2400 baud, and it fit ~200 mails in a (compressed) packet of whatwasit 100kB or so (five or so minutes on the modem, long distance so expensive). Now, you'd be lucky to fit maybe one tenth of the same kind of conversation in such a thing. But it doesn't stop there. Keep on repeating the same data (with more > added, so not block-level dedupable) and store it all for every single recipient and that's quite the archive that gets more and more convoluted and unreadable. So our "essentially free" resources get clogged with stuff we don't want to slog through anyway.

And then there's the kicker: Just saying "bytes are cheap" forgets that the most precious resource is human bandwidth, which you're wasting with gay abandon. This is, incidentally, the root of why spam is so offensive.

On top of that, we now can do so much that we can no longer afford to do things merely because we can. We must choose. You can see this in many places, usually to do with slurping up massive amounts of data "just in case", but elsewhere too, like in email.

So having the whole thread, TOP-POSTED, makes it simple to quickly review what was said about whatever we were discussing. As long as the email client clearly marks each message's beginning, how hard is it to read the top one and only scan down if needed?

Quite a bit harder than reading a judiciously picked quote or having my mail client serve up the entire thread and walk back through it. Much like you'd walk back through a stack of letters. Or, you know, hit "parent" right here.

Because you're not "quickly reviewing", since everything is top-posted, so the entire conversation is read top-to-bottom per layer of top-posting but bottom-to-top overall, making for very inefficient eye movements. This is quite different from either a top-to-bottom-overall or a client (ie, by my command) driven walk back.

Worse, you only need that occasionally but you get to look at it every time. Because you have to walk through it to check that it's really crap you can safely ignore, or risk the one case where you couldn't and miss something important. In many it builds a reflex of not reading more than the first line or so in an email, with the result that more than once I've been asked (in top-posted reply) for information that was already prominently in the sig block (prominently quoted).

That already should show you the folly of this, but it also immediately gives rise to the obvious question, how is it helpful to add the entire original when your recipient already has the entire thing in his SENT folder, just so he can skip over it in your reply again? Since you asked, well, no, it's not, it's a waste of everyone's bandwidth, attention, time, and so on. Thus it is the wrong place to "optimize", with the result that the workflow is thorougly pessimized. And it shows.

Please note that you're not top-posting here; even you pick a bit to quote and take the discussion from there. It takes a little effort but saves your reader(s) enough trouble that it's worth it. (Compare the first paragraph in EWD1300.) This is but one part of a larger theme but a good example. Why do you bother? What makes email so different? Do you read all your emails bottom to top starting at the inevitable disclaimer? If not, why not?

The answer to "why bother?" by the by, is clearly visible through "everyone" not bothering and because of that, many giving up on email entirely (moving to twitter, and facebook, and whatnot else, causing the information flow to be that more fragmented and harder to piece together again--yay for job security). Because the result is too much noise, too much crap. And that again is because too many uneducated people are using the wrong tools the wrong way (often religiously!), and the massed abuse reflects on the medium itself. I'm saying that had they known how to use it properly --and used it properly, that too-- then it'd still be usable.

So what we're seeing here is layer upon layer of fail, down to not understanding why it is in fact a fail. This isn't against you specifically, for you're in good company, you can see it in all the other people top-posting. Yes, most by far are doing it wrong, and it shows in many different ways.

Relatedly, the problem with outlook is that it's clearly written by people who had no truck with how email works at all. In fact, outlook is explicitly ment as a client for the "collaboration server" exchange, which only does a vendor-typical vague handwaving at "compatability" as an afterthought. It's really ment as a server for that client, with features only that client supports--and that don't work anywhere else, see the occasional "unsend"-fail hilarity. You can see it in many things, like its poor defaults and its poorly reinventing threads that already existed well enough in proper email, TYVM.

Re:If you tried fixing that you did it wrong (1)

tsqr (808554) | about 2 months ago | (#47522153)

Even something as basic as the difference between To: and Cc:, I've seen people assume "first goes in To:, rest goes in Cc:, and that's not how it works.

Personally, I like the people who don't understand the difference between Reply and Reply All. When HR sends a company picnic invitation to Everybody, the invitation is immediately followed by a Reply All flood of RSVPs from that crowd. Lately, though, HR seems to have discovered the Bcc: field as a solution to that issue.

Re:If you tried fixing that you did it wrong (2)

tlhIngan (30335) | about 2 months ago | (#47522609)

Personally, I like the people who don't understand the difference between Reply and Reply All. When HR sends a company picnic invitation to Everybody, the invitation is immediately followed by a Reply All flood of RSVPs from that crowd. Lately, though, HR seems to have discovered the Bcc: field as a solution to that issue.

Well, given the default to most company emails requires reply-all, it's not a surprise, really. I mean, if you're on a project and you need to send information to others, you probably will put in several people. And the recipient probably uses reply-all so everyone can be aware of the followup as well. Because things get awfully stilted if everyone merely replied to the original sender and they get flooded with dozens of the same question and notes.

So it's natural in a business setting to use reply-all since you expect to share with everyone else. Hitting reply just feels unnatural.

And yes, that's what the BCC field is for, if you really need to break the reply-all chain.

Re:Not everyone is train-able (0)

Anonymous Coward | about 2 months ago | (#47522383)

As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable

They are "fireable" though. Breach of company policy . . .

Re:Not everyone is train-able (0)

Anonymous Coward | about 2 months ago | (#47522391)

I hope you get to hear a cry from the trenches then. I don't take myself for a dupe often; but, I'm really getting tired of the training about the outcome prevention as opposed to the training that would help them.

So, instead of "when you get a link, verify the URL by following this four step procedure. I get "don't click on suspicious URLs", where the definition of suspicion is so up-in-the-air that legimite company owned URLs couldn't be differentiated via the tool kits they are promoting.

So, it boils down to training to be paranoid, even paranoid against legitimate scenarios. That leads to people deciding if they are going to live in fear, or if they are going to be mentally at peace and hope for the best. Companies I've been trained in wish for the former, but if you want to be successful in those companies, you don't have time for it, so you must take the latter approach.

Re:Not everyone is train-able (2)

s.petry (762400) | about 2 months ago | (#47522427)

As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable

I agree, but those are not people you want working for you if you are concerned about security.

Not that people are stupid - no, as far as I am concern, almost all who are working in the companies I mentioned above are above average in intelligence - but the one thing that is needed the most is not information, rather, it's intuition with a large bit of paranoia mixed in

I think that you and I have different definitions of intelligence (mine matches the dictionary). If a person does not care, or is lazy in terms of security, that has nothing to do with intelligence. An intelligent person that cares can easily learn. An intelligent person that does not care will perform questionable acts, and not just in terms of phishing campaigns. A lazy person will filter security messages to junk and never read them.

Making people care about security takes work, and making sure they review security bulletins takes work. Reward vs. punishment systems are a juggling act, but this is true in any behavioral science.

It takes a paranoid to be suspicious of everything - and in this social-media world that we have today, where everybody shares every bit of their own info to the world - paranoia is becoming a scarce resource

If the dangers of social media are not part of your security awareness campaigns in the office, you need to have your security team add this to their normal message campaigns. It does not take paranoia by end users to catch phishing attacks, it takes awareness. I.E. "Our company will never ask you for personal information on a social media site. We will never ask for your login name or password on the phone. If you receive such a request contact security at [some extension] immediately, preferably while the person making this request is on the phone." or how about "Want a free lunch? Report questionable content to security and if it's a campaign to cause damage we'll buy you lunch." and finally "Send suspect phishing emails to security, be entered for a raffle to win dinner with the CEO/attend a game in our suite at the Shark Tank, etc...." There are many ways to mold behavior.

Further if you are are a company that does take login names and passwords over the phone or asks for people's personal social media information, change your friggin policies immediately! That is not a problem with uneducated users, that is a problem with horrible company policies and practices.

No matter how much info we have shared with our colleagues, no matter how many times we have told them to be ultra careful, you bet someone will get phished, almost in a daily basis, and the local level network will get breached

I have seen too many examples where this is simply not true. Companies that skimp on acquiring and maintaining a good security team and enforcing internal training are the biggest victims. Where I work currently we have regular training, and even though we experience regular phishing attacks people are not giving out data. It's only 600 employees, but we still see 0 successful phishing attacks.

I'd be willing to bet that any company you claim is "good" yet gets regularly victimized by phishing attacks receives little to no regular security training. And "NO", an email from security that requires no follow up is not "training". Annual face to face meetings with security are similarly not training. Even in a place where users have been well trained quarterly is a minimum, and while working to train users this should be monthly at a minimum. Make the training mandatory, but buy your people lunch for attending. If you let people skip training you are teaching them that it does not matter, so your company needs to ensure a zero tolerance policy for this training. This is all pretty basic psychology for behavior training.

Re:well (2)

phantomfive (622387) | about 2 months ago | (#47520883)

We experienced numerous well crafted phishing attacks, and had 1 person out of 5,800 click the link.

How did you know that others didn't click on it and then not mention it to anyone?

Re:well (1)

Antique Geekmeister (740220) | about 2 months ago | (#47521663)

> How did you know that others didn't click on it and then not mention it to anyone?

Of course they did. Why would anyone normal report this kind of incident to a security department that is bombarding them with warnings, and will fire you if you can't prove you've read their warnings?

Re:well (1)

GTRacer (234395) | about 2 months ago | (#47521915)

I'm going to give s.petry the benefit of the doubt here and assume their systems are tightly locked down and they have various antivirus / tripwire / ip rules in place. That said:

If someone got phished leading to trojan installation, *BAM* alerts go off in the NOC. If phishing led to credential leakage, eventual usage of the credentials by the outside attackers would set off alarms in the NOC, assuming we aren't dealing with valid external staff. If phishing led to credit card / invoicing info loss, unauthorized purchases would set off alerts in Finance.

This also assumes an environment where credentials are not shared (the norm everywhere I've ever worked and none of those were DoD postings). It also assumes that pretty much anything of power is tied 1:1 to a person so any kind of abuse (use off-hours or in excess of limits, etc.) would be detectable.

Re:well (1)

s.petry (762400) | about 2 months ago | (#47522469)

As I replied above, it's much simpler than that. Proxy logs are used to determine who clicked a bad link.

Re:well (4, Interesting)

gstoddart (321705) | about 2 months ago | (#47522007)

How did you know that others didn't click on it and then not mention it to anyone?

The company I work for does periodic in-house phishing/spam tests.

If you fail and click the link, you get sent for extra security training. They know, because they're the ones who own the machines you went to.

I gather a surprising amount of people actually fall for them. I find myself looking at "1 in 5800" and thinking "wow, you have some good training".

When my parents got on the interwebs, in so uncertain terms, I sat them down and had "the talk": The internet is a dark and scary place, and not something you just trust. I explained phishing and spam, as well as how to spot fake telemarketers and scams.

My parents have learned to be wary and a little skeptical when someone initiates contact with them, and know to ask for proof. On many occasions they've spotted stuff, though I still worry they might miss something.

But, I still remain amazed at how many people who work in technology fields still blindly click stuff. I expect senior citizens and the like to be less aware of this stuff, but if you've worked in technology for any period of time, you should know better.

Re:well (1)

gfxguy (98788) | about 2 months ago | (#47522717)

Interesting... I should stop clicking on those links, then. I feel like, since I'm using linux, I likely won't get a virus, so when I get a "you need to change your password" link, I usually just curse them out in it. Email: eat@shit.and.die, password: youfuckingasshole. I know it doesn't solve any problems, but it feels good.

Hey, if enough people did it, they'd have to wade through tons of insults before finding one where the person actually fell for it.

Re:well (1)

s.petry (762400) | about 2 months ago | (#47522453)

Proxy logs are not magical things, they are actually very effective in determining users that followed a phishing link. Even if the user did not report the breach themselves, the security incident would have been found (though it may have taken an hour or two as opposed to minutes.

Sadly many people think a proxy is a bad thing and believe direct access is better.

Re:well (1)

phantomfive (622387) | about 2 months ago | (#47522951)

Sadly many people think a proxy is a bad thing and believe direct access is better.

Well yeah, because often their either used for censorship, or are cheap and end up slowing the internet down.

Re:well (1)

s.petry (762400) | about 2 months ago | (#47523417)

People misusing or abusing a proxy server (or any other service that can be used to increase security) is a totally separate issue. I laugh at anyone claiming it makes things slower too, because you are obviously not using a proxy properly if your internet slows down. Either that or you think a single cache drive is "enough" and skimped on scaling out the service properly.

Re:well (1)

phantomfive (622387) | about 2 months ago | (#47523509)

you are obviously not using a proxy properly if your internet slows down. Either that or you think a single cache drive is "enough" and skimped on scaling out the service properly.

Yes, well, not every IT person is as competent as you

Re:well (0)

Anonymous Coward | about 2 months ago | (#47520903)

"...or they could be terminated" was the important part. The only thing you need to say is : you break it, you're fired. The weekly training memo was mostly useless.

Re:well (1)

drinkypoo (153816) | about 2 months ago | (#47521409)

How are spammers successful so often? Simple, companies don't train people.

Also, people are stupid. It's not hard not to get phished if you critically evaluate claims and requests as your SOP.

Re:well (1)

gstoddart (321705) | about 2 months ago | (#47522061)

It's not hard not to get phished if you critically evaluate claims and requests as your SOP.

Of course, the problem with this is, anybody who does that more or less gets called a bit of a paranoid loon now and then. :-P

Not everybody understands that a certain level of paranoia is actually required to survive the internet and other scams.

Sometimes people look at you like you're over-reacting, right up until they realize they've given their credit card information to someone who was lying to them.

Re:well (1)

gfxguy (98788) | about 2 months ago | (#47522753)

Yes! My wife is terrible, and when I say "just don't click on anything," she asks "what about the legitimate ads?" So I repeat "just don't click on anything... there's no SPAM that is legitimate." Sadly, she does it anyway. I missed a whole day of world cup group games "fixing" her computer... and it wasn't the first time. I should just cut her off.

Re:well (1)

s.petry (762400) | about 2 months ago | (#47523423)

Or install ad-block and no-script and don't show her how to disable them

Re:well (1)

oobayly (1056050) | about 2 months ago | (#47521435)

They register domains similar enough to the company and often related (support-raytheon for example) so that even people that look for questionable URLs can be fooled.

This is also made harder with the use of CDNs nowadays. A while ago our office started receiving large numbers of "InterFax" notification with a download link. I don't know what a proper InterFax notification looks like, but as you said, they did look professional, and in some cases the URL didn't look too dissimilar to some CDN URLs we've used.

I tend to visit web pages used in phishing attacks for a couple of reasons. First, I like to input useless data. Second, I like to rate what sort of job the scammers did in cloning he web site - I always feel a little let down when I see dead links, as they didn't make the effort to duplicate all the pages linked to by the cloned login page. Seriously guys, put some effort into your scams - the work ethic of the criminal world is really dropping.

Re:well (1)

gfxguy (98788) | about 2 months ago | (#47522781)

I pretty much do the same thing, but instead of useless data I put insulting data. Sometimes I'm impressed with the effort... sometimes it links to a google form, and that's pretty sad. Some of them are so good, though, if they just put that much effort into honest work, they'd be pretty well off.

Re:well (1)

clickety6 (141178) | about 2 months ago | (#47521585)

They register domains similar enough to the company and often related (support-raytheon for example) so that even people that look for questionable URLs can be fooled.

It doesn't help that legitimate companies that should know better do the same. I recently got a survey from PayPal, but rathet than going through their verified site at www.paypal.com, the links in the email directed only to www.paypal-survey.com. It looked like a classic phishing scam but was apparently a legitimate survey request.

Re:well (1)

gfxguy (98788) | about 2 months ago | (#47522849)

Which I (and a lot of other people) would then not have participated in, so PayPal should learn from it.

Re:well (4, Insightful)

FireFury03 (653718) | about 2 months ago | (#47521669)

How are spammers successful so often? Simple, companies don't train people.

Or they train them with exactly the opposite of good behaviour.

Case in point: a few years ago my (at the time) bank sent me a marketing email (and yes, I confirmed it was legit). It wasn't from the bank's normal domain name and it contained lots of links to product descriptions that were also on an unusual domain. It said that I could verify it's authenticity because it contained the first half of my post code (i.e. something that's trivial for anyone to find out). I complained to the bank and the regulator - neither of them would do anything. The bank's excuse was that none of the pages linked from the email asked for my bank credentials so it was ok. This kind of thing trains people to expect that their bank will legitimately send them emails with clickable links that don't go to the bank's main website - the distinction between a link that asks for your credentials and one that doesn't is going to be lost on a lot of people.

Similarly, my Paypal account is currently suspended because they sent me an email telling me I needed to "verify my ID" (by sending them a scan of my driving licence)... this email went into the bin along with all the phishing emails asking me to "verify my paypal account", so when I didn't send them any ID they suspended the account.

Now, banks _do_ need to communicate with their customers, and I can't discount email as a viable method for them to communicate, but they really really need to start providing a sensible method for people to authenticate the legitimacy of the email - why the hell don't they MIME sign the messages, for example? At the moment they are sending out emails that are indistinguishable from phishing messages and then blaming the customer when they get phished.

Re:well (1)

gfxguy (98788) | about 2 months ago | (#47522871)

The thing with my bank is that they don't send links in the email, and they often warn people that they won't. If there's something you should look at on your account, like a notification of bill pay or something, they simply say in the email "log into your online account" without providing a link. Most people have their bank bookmarked, so it's not like it's some kind of hardship.

Re:well (1)

FireFury03 (653718) | about 2 months ago | (#47523391)

The thing with my bank is that they don't send links in the email, and they often warn people that they won't. If there's something you should look at on your account, like a notification of bill pay or something, they simply say in the email "log into your online account" without providing a link. Most people have their bank bookmarked, so it's not like it's some kind of hardship.

It is some kind of a hardship because you still have to figure out which emails are legit - I'm not going to go log in to my bank every time I get a phishing email. When the vast majority of emails claiming to come from my bank are phishing mails, I'm pretty much guaranteed to miss legitimate ones unless the bank give me a trivial way to know that they're legit - MIME signed emails would allow that, but no banks seem to be interested.

Re:well (1)

gfxguy (98788) | about 2 months ago | (#47523483)

That makes no sense to me, though... how does a phisher succeed when they don't send you a link? Since they can't blindly lead you somewhere else, you wouldn't receive a phishing scam email without links.

Re:well (3, Funny)

T.E.D. (34228) | about 2 months ago | (#47521965)

At the DOD site I worked at, it was a weekly training memo from our security team on the latest threats. Phishing was always a topic. People had to read the briefings or they could be terminated.

Click link below for weekly training memo about latest phishing threats. Remember failure to reading could result in the termination.

- IT Team

Re:well (1)

gfxguy (98788) | about 2 months ago | (#47522883)

Click link below for weekly training memo about latest phishing threats. Remember failure to reading could result in the termination.

- IT Team

... and don't forget to sign in with your username and password so that you get credit for having read the memo!

Re:well (1)

nabsltd (1313397) | about 2 months ago | (#47522601)

How are spammers successful so often? Simple, companies don't train people.

Companies also don't often have the infrastructure set up to help their people do the right thing.

As an example, every company should provide users with unlimited e-mail addresses that end up in their real e-mail inbox but can be filtered using rules. Employees should then be instructed that they should never use their "real" e-mail address for anything that gets put into a database. This means that if they sign up at Cisco's support portal, they don't use "realaddress@example.com", but instead something like "cisco-realaddress@example.com". This means that if you get what seems to be an official-looking e-mail about paying an invoice from Cisco addressed to "amazon-realaddress@example.com", you know it's fake.

If ISPs provided the same feature, phishing success would be reduced dramatically. I get any number of e-mails that pretend to be from a bank (some actually from a bank I do business with), yet all come to the wrong e-mail address, so they are immediately trashed. With a little work, it could even be automated, especially if companies co-operated and documented keywords that would always appear in every e-mail from them. This would allow you to compare the keywords in the body to the recipient and see that they don't match as being from the same company.

Re:well (0)

Anonymous Coward | about 2 months ago | (#47522885)

They register domains similar enough to the company and often related (support-raytheon for example) so that even people that look for questionable URLs can be fooled.

This is part of the problem: Companies often register related domain names for legitimate purposes. If every company owned just one domain name and used subdomains for everything, it would immediately look suspicious if someone tried to get a target to click on a URL to a different domain.

Similarly, I had student loan once. Sometimes the student loan centre would call me about some administrative matter about the loan. At the start of their call, they would ask me for my social insurance number for identification purposes. Sorry, I am not telling a random caller my social insurance number. I have no evidence that they are actually the student loan centre. Let me call you on the number found on the student loan document. Organizations like this are training people to have bad security habits.

Re:well (4, Insightful)

dunkindave (1801608) | about 2 months ago | (#47520685)

The criminals offer people stuff they want, marketing offers people shit they don't want. Seems simple enough

Except the article is about spear-phishing. In spear-phishing, the emails are tailored to the intended victim, pretending to be from someone the attacker knows or believes the victim trusts, such as an email from their boss or their HR department, and the emails normally include information that the victim assumes isn't public which adds to the email's trust. Such emails may pretend to contain important employee training updates, company newsletters, specific conference information for conferences the target is known to attend, references by project name to projects the victim is working on, etc. This means the spear-phishing email is very different from typical spam which is clearly marketing, or so generic as to be obvious spam. It also means that without confirming the email's legitimacy via out-of-band methods, it may be virtually impossible to verify if it is real or not.

The problem for the defenders is the only real defense against a well crafted spear-phishing email is to instruct people NEVER to open an attachment, to click on a link, to visit a website if so instructed, or even to respond with information that may be requested. But such a world would render most business email useless.

Re:well (1)

techno-vampire (666512) | about 2 months ago | (#47520807)

In spear-phishing, the emails are tailored to the intended victim, pretending to be from someone the attacker knows or believes the victim trusts...

You mean like the urgent notices I get about my accounts at banks I've never done business with or the "invoices" from companies I've never heard of before, let alone done business with?

Re:well (3, Insightful)

dunkindave (1801608) | about 2 months ago | (#47520835)

No, like if they want to gain access to data in company ACME Co, they do some research about that company, find people who belong to it, often in specific groups they are particularly interested in (the missile division of ACME for example), then seak out information on these people, like what conferences they have attended (attendee lists are often published on the web) or what projects at the company they are working on (a newsletter on the web mentions them in a small article about the Ramrod SuperAgile Counterstrike Missile System), then send them an email tailored just for them: Hi Joe, we found another missile system using flight parameters that may be interesting for use in the Ramrod. Here is the website..., signed your coworker Frank.

The spam from your bank doesn't normally address you by name, or mention details like your account number or which local branch you use and when. In fact, it is the lack of such details that most people use for clues that it is spam, so when those details are there they typically trust it. That is the gist of the article.

Re:well (1)

techno-vampire (666512) | about 2 months ago | (#47520887)

The spam from your bank doesn't normally address you by name...

Actually, much of the spam/phishing email I get claiming to be from my bank has my name in the subject. I'm rather glad it does because I never get any real email from my bank that does this, so seeing my name there is a dead giveaway.

Solutions -- require tokens & connection phase (0)

Paul Fernhout (109597) | about 2 months ago | (#47521847)

In the past, I used whether an email contained my first name as an indicator (a textual token) of whether the email was legitimate, as a sort of password to gain access to your attention. That stopped being useful several years ago as many spammers must have a name database to go with email addresses now. That also would not work for people whose entire first name was in their email address, as is often a corporate practice. Still, the idea of filtering email on a token can make sense, where the token says the sender has been authorized to send you email.

I still have filters for certain keywords like products I support as a way of doing some of this filtering. A next step could be to tell people (on a contact web page) that they need to include some token phrase like "swordfish" in any email to you if they want it to get read as a first-time sender. Or the token could be a random uuid like "f34f775b-3ccb-45e0-a75e-06f845f0c318". It is relatively easy to make filters in many email clients that would prioritize emails with an expected token. After you get such an email from someone the first time, you can whitelist the sender. Granted, phishing or spam often forges sender email addresses. So, there is a problem here that the validity token ideally should be in every email sent to you to avoid relying on whitelisting address.

Ideally, there could be one unique token per entity (or email address) you want to get emails from. Then you could selectively disable and change the token if spammers got one. These tokens then are specific to an allowed communications channel. That requires more complexity though. For example, when you signed up for a mailing list, you could give the list a token such as the above (or perhaps just accept a random one from the list signup procedure), and the list software would store that token to include in a header when it sends a message to you. You would also tell your email client about the token being associated with the sender somehow (either the email address or the sender name or perhaps some other unique sender identifier like a public key). When your client software receives email, it would check if the email has the expected token for the sender. If the email does not have the token, it would be marked as probably spam or phishing. Email tools would need to have this facility built into them, both for sending and receiving. Public mailing lists might need to filter out such tokens from their public web pages of email archives to prevent spammers from harvesting such data to spam the list.

Still, how can people contact you the first time? One answer is to separate the process of getting emails from a trusted source from the process of requesting a token. For example, when someone new wanted to contact you, they could need to go to a web page (or other means) and get a token for their sending email address (or other identifying information, like a public key). That web page might include some sort of captcha challenge or something requiring computational cost or even direct monetary cost (like a small amount of money required to be spent via Paypal or another service, perhaps as a donation to a favorite charity). A web form to do this might need to send a special email to your client that includes both its own token and the new sender and new token, which would need to be processed by your email client to make the association.

This would be a big difference from now, when the first contact you get from someone new might be directly via a new email which could be the spam or phishing attempt. Tokens could also be valid for a limited time. There could even be general tokens not associated with a specific email address, perhaps time-limited ones, ones that need to be paired with other tokens or perhaps topical key words (like a product name) to be considered valid. This does make it harder for senders to send emails, but it makes it more likely they will be read and not ignored as spam.

One advantage of this system is it could build on top of the current email architecture. Clients that don't support such tokens would just not work as well because they would not be able to distinguish Spam of Phishing as well, and emails they send without such a token would be more likely to be ignored.

There are other approaches of course to reduce spam and phishing. There are already mail receivers that will ask a first time sender to confirm identity or do greylisting. There are domain-oriented solutions too like DMARC: http://www.dmarc.org/ [dmarc.org]

But a token-based system just seems appealing to me because it sort-of worked for me for a time (based on my first name). I'm sure spammers or phishers would find some new way to get around these channel tokens eventually, but it seems like a next step in the evolutionary arms race of validating wanted communications. If tokens were associated with public keys which represented identities, a next step could be to sign the entire email or at least the token and a timestamp and message ID with the associated private key. This approach relies also on the fact that much email being sent is now encrypted all along the way.

There is at least one big flaw in this approach though. What to do about the CC or BCC list? Ideally, each recipient should get a token specific to the recipient. That seems to imply each recipient will have the email sent directly to him or her or it. But that is not how email servers work now, where one server might dispatch a single email to multiple destinations. So, still things to think through, including how much email servers should get involved with such tokens.

Paul Jones has his #noemail campaign as one potential solution to email woes, but I feel that throws the locally-stored email message center baby out with the spam & tl;dr bathwater. Paul Jones pushes social media and blogs as an alternative to email, which have their merits (see below at end), but are still suffering from more and more spam too. Web solutions also make it harder to have a local copy of correspondence. For example, I have many years of emails in my local email archive which I can search and review locally including to mailing lists, but l have little history of what I have read or posted via the web. Still, private email has its limits. As with my immediately previous Slashdot post referencing a post to the FONC mailing list, I can find some of my emails to public lists via Google. Using Google to find emails I wrote to public lists can be easier than searching my my email archive which is on a different machine than I post to Slashdot from often. And it is great to be able to link to such posts via a URL. I've started saying, "if it does not have a URL, it is broken". Ultimately I feel we need something that combines the best of email and the best of the web like perhaps a "social semantic desktop" such as I and others have worked towards. That could have a better infrastructure than email with anti-spam protections built-in (including perhaps public key authentication of senders, and perhaps even using DNS records to associate public keys with domains).

Re:well (1)

nabsltd (1313397) | about 2 months ago | (#47522711)

then send them an email tailored just for them: Hi Joe, we found another missile system using flight parameters that may be interesting for use in the Ramrod. Here is the website..., signed your coworker Frank.

Frank doesn't sign his e-mail that way, so something must be up. Or, I don't know Frank personally, why would he send this to me? Or, Frank always sticks his head in my office right after he sends and e-mail and asks "did you see my e-mail?", so this must be fake. If your investigations that allow you to "spear phish" are good enough to solve these sorts of problems, you don't need to phish for stuff, you've paid off the cleaning crew and they can just take the papers.

As for technological solutions (after all, this is /. ), we can assume that the e-mail was flagged as arriving at our e-mail server from an external server (i.e., not authenticated against our network), so it has a header added that causes it to be filtered by e-mail rules to not go directly into the inbox, but instead into the "external contacts" folder. Yes, I know most companies don't do this, but they should. My company adds headers, but doesn't automatically filter...that's up to the user.

Re:well (1)

N1AK (864906) | about 2 months ago | (#47521035)

You mean like the urgent notices I get about my accounts at banks I've never done business with or the "invoices" from companies I've never heard of before, let alone done business with?

What exactly's your point? Obviously emails about accounts with banks you don't use aren't going to catch many people (although if they're threatening consequences like fines or rewards it'll catch some of the more naive), but when it gets to someone who does use that bank/business the effectiveness increases considerably. What you're doing is the equivalent of laughing at advertising billboards, roughly 3/4s of the people who see an add for female deoderant aren't the target market but the company knows that and doesn't care because the cost is worth it to reach the 25% it wants.

Re:well (1)

Sique (173459) | about 2 months ago | (#47521061)

Even if I get spam that claims to be from my bank, I can see it being spam because I got similar spam allegedly from other banks I never did business with. The same with the two messages of unclear status, I seem to have with so many sites, that the one that claimed to have sent by a site I actually have an account with was easily spotted.

Re:well (1)

techno-vampire (666512) | about 2 months ago | (#47521073)

My point is that all of those emails I get about accounts I don't have is a counter-example to the claim that spear-phishing is carefully crafted to look real.

Re:well (1)

Anonymous Coward | about 2 months ago | (#47521305)

You don't grasp the concept of spear-phishing at all, and you've almost certainly never been targeted by it. Generic emails crafted to look like they're from your bank are NOT spear-phishing - they're sent out en masse, along with lots of others crafted to look like different banks, just like any other phishing attempt.

A hypothetical spear-phishing attack from your bank would address you by your real name, with specific reference to the names of accounts and products you actually hold with them (not just "your account"). A genuine junk email from my bank includes my name, post code (zip code for the Americans), the name of a now-obsolete credit card that I have, and several digits of its number. A spear-phishing attack could include all of that - the last four digits of a credit card are easily available from any store receipt. The phishing emails you talk about include none of it.

You're thinking of phishing, not spear phishing (2)

raymorris (2726007) | about 2 months ago | (#47522417)

You're talking about regular phishing. Phishing is not spear-phishing. Phishing, like fishing, involves casting out a bait and hoping that someone (anyone) takes the bait.

Spear-phishing, like spear-fishing, is DEFINED as identifying a specific target and launching your weapon against that target specifically.

Re:well (0)

Anonymous Coward | about 2 months ago | (#47521261)

one way around, from TFA:

2. Run awareness campaigns with your staff telling them not to click on links within social networking emails such as LinkedIn invitations, instead open your browser or app, log-in and manage your invites/messages from there.

Re:well (0)

Anonymous Coward | about 2 months ago | (#47522027)

There was no reason to believe that the "NSA opt out of us spying on you CLICK HERE" email was not legitimate. It seems to me that being gullible enough to think such a thing would work would immediately take you off the TSA watch list as well.

People who are savvy enough to be against media mergers and packet sorting by ISPs are the ones you need to watch.

Sorry, I've got to go "Punch the Monkey" -- the last person who was able to click on it won an iPad!

Re:well (1)

kajla00007 (3757539) | about 2 months ago | (#47520747)

That i well said

Re:well (0)

Anonymous Coward | about 2 months ago | (#47520931)

10% of people are dumb fuckers!

Re:well (0)

Anonymous Coward | about 2 months ago | (#47521783)

+1 Insightful

Re:well (0)

Anonymous Coward | about 2 months ago | (#47521445)

The criminals can lie in ways that marketers cannot. Marketing basically says "You want our fantastic product!". Which might be a lie, to some extent. But a criminal can say things like "I am your bank, and you need this app..."

Re:well (3, Informative)

Joe Gillian (3683399) | about 2 months ago | (#47521819)

I think it's more that the criminals tend to structure their phishing emails around things that look like they need to be clicked - I've seen a lot of phishing emails that purport to be from the reader's bank (I've gotten a few of these, all mimicking banks I don't use) telling them that fraud has been detected on their account or that there's some other urgent issue threatening their money. A lot of people will click these things without even giving it a second thought because to them, it looks like their life savings/credit score are at stake.

Re:well (0)

Anonymous Coward | about 2 months ago | (#47522679)

Marketing doesn't care that it's a 2% return vs. a 10% one. Advertising companies are usually a third-party who makes money selling the "promise of" customer sales. In fact, the more uncertainty, the better.

Phishing is far more targeted in scope. They want to attack banks, retail credit cards, and apparently DOD contractors by pretending to be them.

Remember (3, Interesting)

djupedal (584558) | about 2 months ago | (#47520603)

It's the singer....not the song.

School smarts lose to street smarts.

they lie (0)

Anonymous Coward | about 2 months ago | (#47520611)

and DON'T appear to be selling anything?

Fake emails are so convincing.... (2)

tquasar (1405457) | about 2 months ago | (#47520613)

No, they're not. I use filters, blocking, caller ID, etc. and kinda know who calls or sends me email, so even if my stuff was wide open it would be delete, delete, delete do not pick up.. Anyone who works from home or is home during the day or at dinner time gets spam calls even when trying to be a "Do Not Call" person. Who makes this stuff up? A generation of clickers? Really Slashdot?

Re:Fake emails are so convincing.... (0)

Anonymous Coward | about 2 months ago | (#47520617)

No, they're not. I use filters, blocking, caller ID, etc. and kinda know who calls or sends me email, so even if my stuff was wide open it would be delete, delete, delete do not pick up.. Anyone who works from home or is home during the day or at dinner time gets spam calls even when trying to be a "Do Not Call" person. Who makes this stuff up? A generation of clickers? Really Slashdot?

Do you have some kind of confusion that prevents you from distinguishing phone calls from e-mails?

Re:Fake emails are so convincing.... (3, Funny)

Cryacin (657549) | about 2 months ago | (#47520751)

Do you have some kind of confusion that prevents you from distinguishing phone calls from e-mails?

He has trouble relating to Phemails

Stopped using LinkedIn (4, Interesting)

Animats (122034) | about 2 months ago | (#47520621)

I was getting so much LinkedIn related junk that I stopped using LinkedIn and sent all email from them, or purporting to be from them to trash. If LinkedIn isn't putting in the effort to find their attackers, why should I use them?

Re:Stopped using LinkedIn (1)

Bigbutt (65939) | about 2 months ago | (#47522499)

Yea, I closed my account with linked in. Far too much noise and very very little signal.

[John]

Re:Stopped using LinkedIn (0)

Anonymous Coward | about 2 months ago | (#47523183)

Congradulations on the hourly anniversary of your comment!

I endorse your ability to write comments.

Like everything else.. (1)

Anonymous Coward | about 2 months ago | (#47520631)

Trying harder counts. The fact that these people only have to think about how make people read and click, and not any legalities also helps considerably.

anna university question paper available here (-1)

jkumarsbd (3763711) | about 2 months ago | (#47520633)

anna university question paper available for this blog. http://allprogramminginfo.blog... [blogspot.in] is the blog for anna university questio paper

If your English sucketh, your link prolly doeth 2 (4, Funny)

xxxJonBoyxxx (565205) | about 2 months ago | (#47520643)

>> can tell-apart

You can't fool me...I'm not going to click any links on this craptacular "story."

Re:If your English sucketh, your link prolly doeth (1)

StormReaver (59959) | about 2 months ago | (#47521479)

I'm not going to click any links on this craptacular "story."

I did, and it really is a craptacular article. I can sum it up thusly: "Phishers do illegal things, therefore getting more clicks. If legitimate marketers did the same thing, their click rate would skyrocket."

And, "Don't use Windows XP on the Internet." This, by the way, was always good advice. And it still applies to all versions of Windows.

If it's too good to be true... it probably isn't. (0)

Anonymous Coward | about 2 months ago | (#47520645)

Holds true for phishing and marketing. IDK were they are getting their numbers, I've clicked exactly once on a phishing link. The average day when I am not adjusting my filters to not see them I see 3 or 4 a day. My filters catch hundreds/day for over a decade now.

Irony.. (1)

super_scalt (2978137) | about 2 months ago | (#47520651)

.. would be if the link in this article was in itself a phishing scam

Re: Irony.. (-1)

Anonymous Coward | about 2 months ago | (#47520697)

Irony would be if those penis pills you bought last night actually worked and you were hung like a horse and could bang any chick you dreamed of, including my mom.

Irony.. (0)

Anonymous Coward | about 2 months ago | (#47520769)

Actually, according to this study (http://onemillionfreeipads.co.zn/submitpersonaldetails.asp) approximately 10% of links on Slashdot are fishing scams.

Re:Irony.. (0)

Anonymous Coward | about 2 months ago | (#47520867)

Fishing scam? Is that swindling someone out of their fish?

Trained to be clickers (1)

dilvish_the_damned (167205) | about 2 months ago | (#47520711)

Trained to click on shit by bad interface design. It might have been a different story if UI designers didn't think every simple little thing demanded the users exclusive attention and acknowledgment right now.

Re:Trained to be clickers (1)

bondsbw (888959) | about 2 months ago | (#47520775)

It might have been a different story if UI designers didn't think every simple little thing demanded the users exclusive attention and acknowledgment right now.

In my experience: 's/UI designers/the customer/'

Too scared to click the link (0)

Anonymous Coward | about 2 months ago | (#47520755)

How do we known that the link in the post isn't a phishing attempt tailored to /. readers?

"Sophisticated"? Not from what I see... (1)

gweihir (88907) | about 2 months ago | (#47520801)

The phishing emails I get (and I get a few...) are targeted at semi-literal morons that have no clue how the world works. But it may be that there are a lot of these people around, judging from other observations.

Phishing? (1)

PPH (736903) | about 2 months ago | (#47520827)

From TFA:

people clicking on a link in the email that goes to a malicious website that looks harmless but can have total control over their PC in less than five seconds

That's not really phishing. More like a drive-by download. Phishing is where the e-mail or web site attempt to truck the luser into entering an ID/password for the legitimate site being masqueraded.

Phishing attempts to exploit a weakness in the user, downloads exploit the o/s or client software.

Why did people vote for Bush? (0)

Anonymous Coward | about 2 months ago | (#47520859)

I bet if you drew a Venn diagram, the morons that spew cash to these criminals and make them so flush with cash that they will never stop their crimes would have a 100% overlap. Stupidity and funding crime is the way of their kind.

too good to be true (1)

pr100 (653298) | about 2 months ago | (#47521037)

Criminals can promise things that legit marketing emails can't.

Because cybercriminals cheat (1)

curty (42764) | about 2 months ago | (#47521047)

If the marketing experts used the same tactics (disguising their emails as linked-in requests) they could compete with the cybercriminals.

Some things about this article smell. The author is a director of the company whose research the article cites. And what about the claim that "a dating website was hacked and approximately 10% of the passwords were âoelove1234â"

That seems like a lot! (Unless there were only 10 accounts....)

utf-8 copy/paste bug (1)

curty (42764) | about 2 months ago | (#47521051)

"love1234"
oops

Re:Because cybercriminals cheat (1)

ArcadeMan (2766669) | about 2 months ago | (#47521745)

I'd be interested to know, with a total from all those password surveys, how many are "luggage12345". A search on Google gives "About 10,600 results", so that's already a possible hint about how popular it could be as a password.

always use pgp (1)

pereric (528017) | about 2 months ago | (#47521241)

What about making it as wide-spread as possible organization policy to alway *sign* your e-mail with pgp / gpg?
That would at least increase the effort needed (ie, actual access to someones computer) to send "genuine" e-mail from a coworker ...

People should look where they are going (4, Interesting)

blackest_k (761565) | about 2 months ago | (#47521245)

The one that seems to catch people out is the link which they click on in a mail in gmail.
that takes them to gmail.google.com.myphishingsite.info/sessionexpired
which presents them with a message like session expired please login to your gmail account and the top line already has their email address all they need do is enter their password.

Most people don't question why would that happen a few seconds after clicking on the link
quite possibly because Google and facebook don't take you straight to a link they log it first by an intermediate page and then redirect you to the destination (i see it all the time on my slow connection).
The page looks authentic and they tend not to look at the address bar and see the bolded address myphishingsite.info.
often its a site like fgjfjhki23d.info a random jumble of characters just like the ones a site like google and facebook use all the time. People are used to seeing this sort of thing
e.g http://it.slashdot.org/comment... [slashdot.org] of this address (taken from the address on this page) only it.slashdot.org make any sense to most people and thier eyes glaze over beyond the initial it.slashdot.org

Thats a problem without any training in website design then its pretty hard to tell the real from the fake.
Thing is once an email account has been harvested it immediately sends out a 100 emails to the address book of that user and the same thing happens again.

Most people think they had thier email hacked not realising they gave away thier password.
kind of hard to stop people for falling for this sort of thing. The emails are even clever enough to redirect to an alternative page once the fake webmail page has been brought up once.

People here would say its because people are stupid, but most people just don't have enough knowledge or interest in this area to know when something is fake or genuine.

It is probably impossible to fix especially when the sites we use everyday use random looking charactor sequences as part of the url.

Security issues of emails .. (3, Insightful)

lippydude (3635849) | about 2 months ago | (#47521381)

"Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today."

Only on Microsoft Windows, the Operating System that made clicking on a URL or opening an email attachment dangerous. Mainly because Windows doesn't know the difference between OPEN and RUN. If you want to be safe doing your online banking then use a LiveCD [ubuntu.com]

Re:Security issues of emails .. (0)

Anonymous Coward | about 2 months ago | (#47521773)

No kidding. Not like my Android would prompt me to a new app to open some attachment, then redirect me toa fake Play.store.

Re:Security issues of emails .. (2)

sociocapitalist (2471722) | about 2 months ago | (#47522113)

"Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today."

Only on Microsoft Windows, the Operating System that made clicking on a URL or opening an email attachment dangerous. Mainly because Windows doesn't know the difference between OPEN and RUN. If you want to be safe doing your online banking then use a LiveCD [ubuntu.com]

A live CD isn't going to help against a redirect attack and subsequent harvest of your login credentials.

The only real protection for this type of attack is if your banks, credit card companies, etc. and you use one time passwords (i.e. one or more tokens of some sort)

How are they outmarketing the experts? (1)

mark_reh (2015546) | about 2 months ago | (#47521447)

That's easy. They don't care about laws that are intended to protect people from "legitimate" marketers. When you don't worry about the law you can literally do and say whatever you want.

New news:
Bank robbers withdraw more money from banks than they have in their accounts!

I know! (1)

sabbede (2678435) | about 2 months ago | (#47521727)

Advertisers and marketeers are trying to sell something real (that might not be interesting enough to click), and aren't allowed to lie. Phishers are already breaking the law, so no worries about false advertising or dull products.

Re:Advertisers and marketee aren't allowed to lie. (1)

DocSavage64109 (799754) | about 2 months ago | (#47522317)

Advertisers and marketeers are trying to sell something real (that might not be interesting enough to click), and aren't allowed to lie. Phishers are already breaking the law, so no worries about false advertising or dull products.

I'm not so sure about the advertisers not being allowed to lie thing. I worked as a minion at an ad agency for a brief time and pictures comparing the results of various products and such were from completely unrelated stock photos. I'm not sure I'd trust the text (copy) that much either, though it's a lot easier to catch them in it.

Princess Bride (0)

ArcadeMan (2766669) | about 2 months ago | (#47521731)

Life is pain, Highness. Anyone who says differently is selling something.

"tell-apart" (1)

Arancaytar (966377) | about 2 months ago | (#47521887)

What?

Wonderful Solutions (0)

Anonymous Coward | about 2 months ago | (#47522611)

I like the solutions they offer at the end of the article. Number 2 is so simple it should be obvious. Then, number 3 is a hugh run-on sentence full of buzzwords that looks like number 1 rewritten.

If I saw number 3 in an e-mail, I'd assume it was a phishing site. It's so vague.

FTA:

Businesses need to:

1. Put in place layered security to provide an in depth defense against the latest attacks and malware.
2. Run awareness campaigns with your staff telling them not to click on links within social networking emails such as LinkedIn invitations, instead open your browser or app, log-in and manage your invites/messages from there.
3. Deploy new technologies that combine big data security analytics with advanced malware analysis to provide predictive and click-time defense, end-to-end attack campaign insight and automated incident containment capabilities through connectors to your existing security layers.

Some phishing campaigns are quite elaborate (1)

ruir (2709173) | about 2 months ago | (#47522987)

I have received a couple of years ago a dozen emails with messages of account terminations-or-you-have-to-click here to review from "Apple" that looked like the real deal, and only at looking to the headers you would notice they were coming from someplace else, and where using strange URLs. If you were looking at the emails, they looked like the real deal.

There could be a solution in the browser (1)

iMadeGhostzilla (1851560) | about 2 months ago | (#47523101)

And it would be simple: the browser would know that it's reading email (from URL -- gmail, yahoo, custom) and *would not open any links* the user may click on unless the link URL is on the click-to-open whitelist (initially empty). It would still let you copy the link to the clipboard (possibly with a warning) that you could paste yourself in a new tab (possibly with another warning), but this speed bump of having to take the destination URL in your hands, so to speak, would -- I'm assuming -- be good enough to let you pause and think if "support-raytheon.com" is really where you want to go.

tell-apart (1)

oldmac31310 (1845668) | about 2 months ago | (#47523251)

just what the f*** is that?
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>