
Why Phishing Works

Zonk posted more than 8 years ago | from the lower-your-expectations dept.

h0neyp0t writes "Harvard and Berkeley have released a study that shows why phishing attacks work (pdf). When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators. The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate. This study is brought to you by the people who developed the security skins Firefox extension."

293 comments

I would think it's obvious why (-1, Offtopic)

suso (153703) | more than 8 years ago | (#15027467)

Just a few days ago, I found out that not nearly as many people as I thought knew their delta from GMT time.

Re:I would think it's obvious why (1)

networkBoy (774728) | more than 8 years ago | (#15027550)

-8, why do you ask?
I think anyone who uses outlook to schedule meetings should know this, especially if they are in a global org.
-nB

OT: Timezones (1)

jawtheshark (198669) | more than 8 years ago | (#15027618)

Did it have to do with daylight savings time? I for one am amazed how many people actually didn't know that many devices adapt automatically (newer DVD, VCR and TV). Oh, and if they don't, they often have a switch "DST active" or not. Examples: the PlayStation2 and many cellphones.
Heck, my cellphone has a timezone setting and I'm sure only 0.1% of the population has it set correctly.

Re:OT: Timezones (1)

freakmn (712872) | more than 8 years ago | (#15027767)

I would hope that less than 0.1% of the population has changed the timezone on their cell phone. I'm fairly sure that I'm the only one who has set the time zone on my phone, unless it was before it got to me.

Re:OT: Timezones (1)

Keruo (771880) | more than 8 years ago | (#15027848)

Most cells just use the time provided by the cell network.
Just turn the phone off and back on and it should say something like "timezone changed, time updated"

Short answer (5, Insightful)

gEvil (beta) (945888) | more than 8 years ago | (#15027479)

Phishing works because people don't understand (nor do they want to) the basics of the technology they use (example: Jerry Taylor).

The Blind Squirrel (1)

Tackhead (54550) | more than 8 years ago | (#15027562)

> > When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision!
>
> Phishing works because people don't understand (nor do they want to) the basics of the technology they use (example: Jerry Taylor).

Funny you should mention him, though.

"I do not follow instructions that show up when a website that I am not familiar with appears on my computer and I do not think anyone with experience would do so either."
- Jerry Taylor [theregister.co.uk]

Even a blind squirrel finds a nut from time to time!

Although in the case of Jerry, it's more like even a blind seal finding a club :)

Re:The Blind Squirrel (5, Funny)

$RANDOMLUSER (804576) | more than 8 years ago | (#15027601)

I've been proposing for a long time that the "Yes/No/Cancel" type dialog boxes should simply be replaced with a single "Whatever" button, as users NEVER read what the dialog box says.

Re:The Blind Squirrel (1)

Andrzej Sawicki (921100) | more than 8 years ago | (#15028027)

You mean like the dialogs with one button saying "OK"?

Re:Short answer (5, Insightful)

plover (150551) | more than 8 years ago | (#15027584)

In the paper, one guy was very paranoid. He opened a second browser window, and typed the site name by hand, and did comparisons. Even he got one wrong. Phishing is a very, very hard problem to solve.

In the end, people may end up needing strong authentication tokens. When you go to the bank, you'll present your token so they know it's you. When you sign up for a new account, you'll get that account added to your token. And, when you hit a phishing web site, your token will light up and say "UNKNOWN WEB SITE".

And it could work both ways. If you use an ATM in a seedy bar, you could even ask your token to identify the legitimacy of the ATM.

The disadvantage, of course, is either a plethora of tokens (one per account) or every Tom, Dick and Harry shop wanting to use your token for marketing and tracking purposes.

Re:Short answer (1)

TheBogie (941620) | more than 8 years ago | (#15027731)

At Bank of America, online banking customers are given a "site key", which consists of an image for them to remember. The first page asks for your account number, the next page will ask for your PIN. The page with the PIN prominently displays your "site key" image. If the image isn't correct, you don't enter your password.

There are some obvious problems with this setup, but it makes it so that phishers must do some work and target you specifically in order to get your PIN.

Re:Short answer (1)

MindStalker (22827) | more than 8 years ago | (#15027790)

Well, the obvious problem would be that the phisher could use your login name and obtain the site key themselves. Though this isn't actually a problem, because before it shows you a sitekey it also has to obtain a security cookie from your browser; if it doesn't see the cookie it says "oh, you're on a computer I've never seen before" and asks you random questions from a list you set up, such as mother's maiden name, anniversary etc. I got in trouble for that second one as I didn't put in my real anniversary, and one time my wife tried to login from her work....

Re:Short answer (1)

TheBogie (941620) | more than 8 years ago | (#15027983)

That's right, I forgot about the security cookie. BTW that's hilarious about you forgetting your anniversary. You probably should have tried to blame it on the bank or something.

Re:Short answer (1)

quantum bit (225091) | more than 8 years ago | (#15028006)

Yes, but the main page [bankofamerica.com] has boxes for both your ID and password. By the time you get to the sitekey page and see that it's wrong/missing, the phishing site already has your login information. That makes the whole thing just a pointless waste of time and an annoyance to have to enter the password a second time.

Re:Short answer (3, Insightful)

daveewart (66895) | more than 8 years ago | (#15027823)

In the paper, one guy was very paranoid. He opened a second browser window, and typed the site name by hand, and did comparisons. Even he got one wrong. Phishing is a very, very hard problem to solve.

I think the point is that, since you can copy verbatim the HTML of a web site, it is trivial to create an identical copy of any site. So, trying to look for similarities and differences between the sites is a pointless exercise.

The real way to avoid being stung by phishing scams is to know that emails from anyone asking for personal or private information, passwords, credit card numbers etc. are almost certainly fake.

Re:Short answer (1)

pilkul (667659) | more than 8 years ago | (#15028017)

He was fooled by a website identical in all respects except a visual URL spoof (www.bankofthevvest.com instead of www.bankofthewest.com). It is not trivial to create an identical copy of a site including URL, certificates etc; in fact, it is impossible. A careful enough investigation would have exposed it.

That said, you're right that it's never a good idea to click on a link in an unsolicited email, and that is certainly the best approach for nonexperts (and experts, really).

Re:Short answer (1)

yEvb0 (904248) | more than 8 years ago | (#15027829)

The disadvantage, of course, is either a plethora of tokens (one per account) or every Tom, Dick and Harry shop wanting to use your token for marketing and tracking purposes.

don't forget about stealing/copying/forging said tokens...phishing for chips? er...tokens?

Re:Short answer (1)

gEvil (beta) (945888) | more than 8 years ago | (#15027865)

phishing for chips?

Mmmmmm...Phish 'n chips. Looks like it's lunchtime.

Re:Short answer (1)

marcosdumay (620877) | more than 8 years ago | (#15027956)

No problem if the chip can only identify the bank. There should be no private key on it, so if you lose it, the phisher will be able to identify the bank, and you only need to go there and get another token.

Re:Short answer (1)

vertinox (846076) | more than 8 years ago | (#15028013)

When you go to the bank, you'll present your token so they know it's you.

You mean your driver's license? I always have to show them mine when I go.

Re:Short answer (3, Insightful)

Sigma 7 (266129) | more than 8 years ago | (#15027615)

Phishing works because people don't understand (nor do they want to) the basics of the technology they use (example: Jerry Taylor).
I'd agree on the concept, but the actual cause is different. The actual reason is because people believe that the word gullible is not in the dictionary.

Recently, there was an "employment agency" that sent out paper forms to applicants which were to be filled out and mailed in with a $20 cheque for a processing fee. The forms included sections for the Social Insurance Number, Driver's License number, DOB, mother's Maiden name, and other information not normally used by employers.

Their intent was to obtain credit cards from banks with the applicant's personal information - hence, they used four different company names. The good news was that they were raided.

Re:Short answer (1)

PitaBred (632671) | more than 8 years ago | (#15027760)

"The actual reason is because people believe that the word gullible is not in the dictionary."

Too true :( The one girl I saw it pulled on in high school even looked it up in the dictionary, and didn't get it even after reading the definition aloud. Worst part is that she probably got better grades than I did because she actually did her homework...

But back on-topic, that's what's most amazing to me, that more people don't know what information a type of institution should have. Or that more people don't have shredders that they use regularly.

Re:Short answer (0)

Anonymous Coward | more than 8 years ago | (#15027626)

... the basics of the technology they use (example: Jerry Taylor).
What exactly is the new and cutting edge technology known as a Jerry Taylor?

Re:Short answer (1)

sahuaro (524043) | more than 8 years ago | (#15027637)

I don't see why people don't simply ignore these mails and just login to their account in a new browser window. If the bank/eBay/PayPal, etc. needs to talk with them, there will be a message right there. Why play a guessing game? There is no point in it!

sahuaro

Re:Short answer (2, Funny)

slashid (940815) | more than 8 years ago | (#15027669)

We all know that if you teach a man to phish he will eat for a lifetime....

Critical thinking and Reading skills (1)

rsilvergun (571051) | more than 8 years ago | (#15027979)

or lack thereof is what makes phishing work. I remember being taught it in high school and wondering why, since it seemed so natural and obvious, but a lot of people have trouble thinking critically, and take everything at face value. Combine that with reading skills that prevent them from recognizing bad grammar and you've got a healthy crop of suckers.

In defense of the clueless (2, Informative)

Anonymous Coward | more than 8 years ago | (#15028022)

In defense of the clueless (NOT Jerry Taylor!) I have to ask you, how many people understand how a physical lock works? Well, all of them. You put the key in and turn it.

Few have a clue about its tumblers and other doodads and geegaws.

How many understand how a car works? "Yeah, I know how it works, you put the key in and turn it, then you drive away."

A certified Ford mechanic knows about the car's crankshaft, cylinders, pistons, fuel injectors, all the other components and how they're put together as well as you and I know how a PC and TCP/IP work.

You shouldn't have to know the physics of the expanding gasses in the cylinder driving the pistons (and how the valves work etc) to drive a car.

We, the nerd community, are to blame for failing to deliver something as simple as a web browser that works as easily as a door lock or a car.

And the banking industry itself should be educating the public about phishing. I get tons of mail from my bank telling me about its whiz-bang web based banking, but nary a word about phishing.

How is Average Joe supposed to know this stuff?

As to Taylor, he claims 22 years tech experience, so the man deserves more ridicule than we can possibly heap on him.

fisting attacks (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15027481)

fist sport!

first post!

pebkac (0)

Anonymous Coward | more than 8 years ago | (#15027497)

As long as users have physical control over their machines and choose what or what not to open, it will be like VM-based rootkits, an NP-complete (and hardly solvable) problem.

Social engineering anyone? (5, Insightful)

SComps (455760) | more than 8 years ago | (#15027501)

It works because it plays on the concept that seeing is believing; and most people will trust their eyes over their minds any day of the week.

And this might be optimistic (5, Insightful)

plover (150551) | more than 8 years ago | (#15027502)

The paper hints that the people selected for the study may not adequately represent the web-surfing public -- they may be "above average".

Humanity is doomed.

Re:And this might be optimistic (1)

jonfelder (669529) | more than 8 years ago | (#15027555)

Even worse, the paper indicates that the people know some of them will be fake.

Re:And this might be optimistic (4, Funny)

Daniel_Staal (609844) | more than 8 years ago | (#15027801)

I recently did this calculation, and it sounds relevant here...

A common formula for the IQ of a group is to take the IQ of the highest member of the group, and divide by the number of people in the group.

The highest IQ in the US is that of Marilyn Vos Savant, estimated at 228. (That's the high estimate. Might as well give the benefit of the doubt.)

The population of the US is 295,734,134, according to the CIA world factbook.

That means the IQ of the US is 7.70962746×10^-7.

My solution (0)

Anonymous Coward | more than 8 years ago | (#15027512)

Instead of a visible UI, there would be electrodes that you attach to your sex parts before surfing. Legitimate sites with valid certs and no nonsense in the HTML would generate an electric shock which the user would definitely notice. Illegitimate sites would not generate the shock, informing the user not to enter personal data.

I have another theory (4, Interesting)

jawtheshark (198669) | more than 8 years ago | (#15027513)

It is summarized by: There's a sucker born every minute.

Re:I have another theory (3, Funny)

eargang (935892) | more than 8 years ago | (#15027773)

Considering 4 to 5 children are born every second, are you saying that only 0.37% of the population consists of suckers? ...have you looked around lately?

Simply because .... (5, Funny)

cfortin (23148) | more than 8 years ago | (#15027515)

People are stupid. Total knuckle biters. Every one of them.

That is all ...

Re:Simply because .... (0)

Anonymous Coward | more than 8 years ago | (#15027769)

Completely agree. As a whole people are dumber than sheep.

My first 3 rules of explaining human behavior:
1: They are stupid.
2: They are lazy.
..if neither of those 2 explain why they did something go to #3
3: They are crazy.

Life has completely shot my faith in human intelligence for 90% of the population.

Re:Simply because .... (0)

Anonymous Coward | more than 8 years ago | (#15027779)

My girlfriend bites pillows, not knuckles.

Not surprising (4, Insightful)

op12 (830015) | more than 8 years ago | (#15027524)

Think of the average internet user. I'm surprised that 77% are actually looking at more than just the content. It's probably because the media has made a big thing about it (as they should).

It's like P.T. Barnum said, (5, Insightful)

TheCoders (955280) | more than 8 years ago | (#15027552)

"There's a sucker born every minute." Listen, we can put an evil Devil's face on the browser, along with flashing neon lights and big signs that say "WARNING: This site is suspicious", and a gloved hand that comes out of the monitor and slaps the user silly, and you know what? People will still fall for these scams! It's not people like you and me that are the targets of phishing. Ask your grandmother what a URL is, and (with some exceptions, of course) you'll get a blank stare. Heck, ask the cute cocktail waitress at your local bar, and you'll get the same response (and I wonder why I can't get a date...). That's what we're up against.

Don't get me wrong, I applaud these researchers and all other approaches to making the web a safer place, but in the end, at some point you have to trust that the user is going to take responsibility for their actions. The best we can do is bring the percentages down. The problem is it is so cheap to set up a phishing web site that even if only one in several thousand potential targets falls for it, that's usually enough to ensure a profit.

Re:It's like P.T. Barnum said, (2, Interesting)

plover (150551) | more than 8 years ago | (#15027641)

Actually, these guys did nothing to make the web safer. They just tested methods for phishing, and identified the ones that worked best. A good example? Bank of the West [bankofthevvest.com] and Bank of the West [bankofthewest.com] are two URLs, but only one of them leads to the real site. Even font makes a difference -- look at the slashdot [] link, and check out the link preview in the status bar. The difference is surprisingly hard to catch.
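The vvest/west confusion that plover and pilkul describe above can be checked mechanically rather than by eye. The following is an added example, not code from the paper or from either poster: it collapses visually confusable character sequences in a link's hostname and compares the result against a small constructed allowlist of legitimate bank hostnames; the allowlist entries, the confusable table and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the demonstration; a deployment would hold the
# institutions the user actually banks with.
LEGITIMATE_HOSTS = {"www.bankofthewest.com", "www.bankofamerica.com"}

# Character sequences that render nearly alike in many proportional fonts.
# Longest patterns first, so "vv" becomes "w" before any single-character rule.
CONFUSABLES = [
    ("vv", "w"),
    ("rn", "m"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
    ("3", "e"),
    ("5", "s"),
]


def skeleton(host: str) -> str:
    """Canonical form of a hostname: lower-case, trailing DNS dot removed,
    confusable sequences collapsed. Two hosts with the same skeleton look
    alike on screen even though they are different DNS names."""
    # "www.mybank.co.uk." (absolute DNS name) is the same host as "www.mybank.co.uk"
    s = host.lower().rstrip(".")
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def classify_url(url: str):
    """Return ("legitimate" | "lookalike" | "unknown", matched allowlist host or None).

    Only the parsed hostname is compared, never the raw URL string, so a real
    bank name placed in the userinfo, path or query of a link does not count.
    """
    if "://" not in url:
        url = "http://" + url  # bare hostnames as users type them
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host in LEGITIMATE_HOSTS:
        return "legitimate", host
    sk = skeleton(host)
    for legit in sorted(LEGITIMATE_HOSTS):
        if sk == skeleton(legit):
            return "lookalike", legit
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample links of the kinds described in this thread.
    for sample in [
        "https://www.bankofthewest.com/login",
        "http://www.bankofthevvest.com/login",
        "www.bank0fthewest.com",
        "https://www.bankofthewest.com@203.0.113.5/login",
    ]:
        verdict, match = classify_url(sample)
        note = f"  (resembles {match})" if verdict == "lookalike" else ""
        print(f"{verdict:<10} {sample}{note}")
```

A "lookalike" verdict is a signal to show the user, not proof of fraud: a legitimate site whose name happens to skeletonize to another bank's would also trigger it.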

stop blaming The User (1)

SuperBanana (662181) | more than 8 years ago | (#15027876)

Listen, we can put an evil Devil's face on the browser, along with flashing neon lights and big signs that say "WARNING: This site is suspicious", and a gloved hand that comes out of the monitor and slaps the user silly, and you know what? People will still fall for these scams!

From the article summary: Some users think that favicons and lock icons in HTML are more important indicators.

Want to take a guess why they think that "lock icon" is so important? Because for years they've been told by "tooltips", every "consumer reporter", etc that they should look for it, "when shopping online". It's not the user's fault that they've been given information that was at best incomplete; nobody told them "the lock just means your connection to the other computer can't be decoded."

Compound this with all the problems in Outlook, IE, Windows...well...the deck is rather stacked against them. Not to mention, it used to be a lot tougher to get an SSL cert...

As some other posters pointed out, "these were above average users, we're doomed". If your "above average users" are fooled/tricked, then the operating system/email client/browser is failing, not the user.

Re:It's like P.T. Barnum said, (1)

GWTPict (749514) | more than 8 years ago | (#15027914)

cute cocktail waitress

Whoohoo you go to some fancy bars. Now at my local Debbie is pouring the pint and has the cigar to hand as I hit the bar, but cute? 20 stone of hips and rotating bosoms ain't never gonna be cute.

Mind you, it's a sight to see.

stop blaming users (2)

SuperBanana (662181) | more than 8 years ago | (#15027918)

Listen, we can put an evil Devil's face on the browser, along with flashing neon lights and big signs that say "WARNING: This site is suspicious", and a gloved hand that comes out of the monitor and slaps the user silly, and you know what? People will still fall for these scams!

From the article summary: Some users think that favicons and lock icons in HTML are more important indicators.

As some other posters pointed out, "these were above average users, we're doomed". Not exactly the world's best parallel- but if "above average" users set themselves on fire using your company's fireplace, would you say, "MAN! We have REALLY stupid users"? Maybe your manual gives improper instructions. Maybe you have a defect. If your "above average users" are fooled/tricked, then the operating system/email client/browser is failing, not the user.

Also, want to take a guess why they think that "lock icon" is so important? Because for years they've been told by "tooltips", every "consumer reporter", etc that they should look for it, "when shopping online". It's not the user's fault that they've been given information that was at best incomplete; nobody told them "the lock just means your connection to the other computer can't be decoded."

Compound this with all the problems in Outlook, IE, Windows...well...the deck is rather stacked against them. Not to mention, it used to be a lot tougher to get an SSL cert...

Re:It's like P.T. Barnum said, (0)

Anonymous Coward | more than 8 years ago | (#15027950)

Listen, we can put an evil Devil's face on the browser, along with flashing neon lights and big signs that say "WARNING: This site is suspicious", and a gloved hand that comes out of the monitor and slaps the user silly, and you know what? People will still fall for these scams!

Not only that, they'll file a bug report complaining about being slapped.

Re:It's like P.T. Barnum said, (1)

Y.T.G. (964304) | more than 8 years ago | (#15028087)

Just look on the bright side of things ... in about 20 - 30 years you would think that taking a hypercard with data/kongobucks from a stranger's avatar would be a wrong and stupid thing to do.

I don't know which upsets me more... (2, Insightful)

Spy der Mann (805235) | more than 8 years ago | (#15027558)

the phishers or the idiots who follow them.

You do (0)

Anonymous Coward | more than 8 years ago | (#15027717)

I don't know what I blame more - the thief or the victim. Why does it upset you, slashbot?

Re:You do (1)

Spy der Mann (805235) | more than 8 years ago | (#15027739)

Well, I guess you're right. It's just that I'm tired of people falling in scams. I suppose banks should do more stuff for educating their customers.

Why Phishing Works... (0)

Anonymous Coward | more than 8 years ago | (#15027563)

Because 99% of (l)users are retarded...

common sense, people! (2, Insightful)

Geek_3.3 (768699) | more than 8 years ago | (#15027570)

When the suspect site, for argument's sake let us say it was a credit card scam (since I had one of those a couple of days ago), asks for EVERYTHING--card #, PIN, security code, mother's maiden name, login name, and LOGIN PASSWORD, alarm bells should go off in your head. Also, it is highly unlikely that someone is going to give you a carrot on the end of a stick (in this case, $20 for a simple 3 question blurb about how the site was running or some bs like that) without a big catch involved. The obvious catch being that IT'S A SCAM.

Geez, I would feel sorry for these duped people, but it's getting harder and harder to.

Re:common sense, people! (1)

the_humeister (922869) | more than 8 years ago | (#15027917)

You know, there are scams that do look completely legitimate. In fact, there was recently an article on slashdot about how some scammer was able to obtain a valid SSL cert. Here it is [slashdot.org]. Personally, I just don't click on any html links in my mail.

I've almost been duped (1)

grahamsz (150076) | more than 8 years ago | (#15028117)

I suspected from the very beginning that it was a phishing scam, but it took me quite a while to figure out how it was done.

They sent me an html email with a link that looked like it was going to my bank but actually went to an ip address in Taiwan. The webpage they loaded created a popup window asking for login information and then used meta-refresh to load https://www.mybank.co.uk./ [mybank.co.uk]

Their login popup was presented in a look and feel that was completely consistent with my bank, and behind it was my real bank's homepage, complete with lock icon and real certificate. The popup itself had no address bar or status bar, so you couldn't see that it wasn't a secured page.

I was very impressed by the whole scam, especially since the original email even looked like an official one (in the usual style of my bank). Obviously I shouldn't have clicked the link in the html email, but apart from that and some viewing of html source, I'd never have picked up on it.

I certainly expect lay-people would have been duped.

It's Always Going to Work (4, Insightful)

eldavojohn (898314) | more than 8 years ago | (#15027573)

Why Phishing Works
Phishing will always work. The intelligence and cautiousness of the population who use the internet is represented by some form of a normal curve. On the far left, a line falls for those users who will (out of innocence or ignorance) 'bite' on a phishing site. Thanks to e-mail, it is increasingly easier for phishermen (and phisherwomen) to select a random sample from this normal curve and those that fall to the left of the threshold will invariably become victims.

To disrupt or completely stop this from happening is currently an impossible Herculean task.

Even netting one person can result in thousands of dollars worth of damages. If one in every one million phishing attempts works, of course they'll keep doing it.

Re:It's Always Going to Work (1)

MrBugSentry (963105) | more than 8 years ago | (#15027910)

The curve and big sample is a compelling explanation.

Here's one approach to stopping the crooks: increase their false positive rate: give them bogus bank account info by the thousands to clog up their phishing sites.
So what if they get 1 sucker? They also get 90,000 liars. What to do? Try every login by hand? Use an automated tool that fails 99.999% of the time and probably catches the attention of security people?

Wasn't there a javascript tool hacked up for populating mortgage spam sites with bogus data? I can't find the article now, but if memory serves, the spammers offered to pay the author to stop. If I were Chase, or PayPal, I'd budget a couple of programmers to build a distributed phisher-thwarting screen saver. Build a list of phishing emails, share the sites, and use some nasty screen scraping algorithm to fill their databases with junk. It could run in the background like a vigilante SETI.

It's all about sight, sound, and experience (2)

WillAffleckUW (858324) | more than 8 years ago | (#15027575)

People believe what they see, even when they shouldn't.

People believe what they hear, even when it shouldn't be there.

And people's experience shows that 99 percent of everything they see on the Internet must be true, or it wouldn't be written down, like for example the obvious Fact that not only is the Moon made of Yellow Cheese, but it's quite tasty.

Why phishing works (1, Insightful)

taustin (171655) | more than 8 years ago | (#15027603)

It works because a lot of people are idiots.

Including the ones who needed to do a study to figure that out.

Re:Why phishing works (2, Insightful)

Tux2000 (523259) | more than 8 years ago | (#15027667)

It works because a lot of people are idiots.

Not idiots, but ignorant people who don't care and don't want to know how the technology works that they use.

Tux2000

Re:Why phishing works (0)

Anonymous Coward | more than 8 years ago | (#15027807)

Not idiots, but ignorant people who don't care and don't want to know how the technology works that they use.

Otherwise known as "idiots."

I mean, really. If you fall into that category, what distinguishes you from a monkey pressing a lever?

Re:Why phishing works (1)

taustin (171655) | more than 8 years ago | (#15028119)

I mean, really. If you fall into that category, what distinguishes you from a monkey pressing a lever?

The monkey is far more likely to be entertaining. It may throw its own feces at you.

Re:Why phishing works (1)

gEvil (beta) (945888) | more than 8 years ago | (#15027699)

It works because a lot of people are idiots. Including the ones who needed to do a study to figure that out.

Hey, at least they got some grant money to do a study of the obvious. That shows a fair amount of smarts right there.

Re:Why phishing works (1)

EvanED (569694) | more than 8 years ago | (#15027902)

Including the ones who needed to do a study to figure that out.

Okay, this is just a stupid statement.

First, this study actually provided specific reasons why phishing works. Even if you concede the reason is because people are idiots, there's a lot of different ways they can be idiots.

Second, and more generally, if we never tested anything that appeared obvious we would never have figured out that light travels, that neglecting air resistance things of different weights fall at the same speed, and that going really really fast makes you weigh more. The obvious solution is not always right, so testing to make sure the obvious solution IS right can be valuable in itself even if it confirms that hypothesis.

Get ready for on-line voting? (2, Funny)

coastin (780654) | more than 8 years ago | (#15027628)

With news of the obvious (to us geeks) like this, it won't take long for the US Congress to enact on-line voting.

"Dauh, I thought I voted for the other guy when I clicked his picture in the e-mail reminding me to vote!"

DRTFA (4, Interesting)

Billosaur (927319) | more than 8 years ago | (#15027629)

People fall for phishing because:

  1. Most are not tech savvy, have no idea of the difference between http and https, don't look at the links they click on, and can't tell a spoofed URL from a real one on sight.
  2. Most people are pretty gullible. They believe what they're told, whether by a newscaster, the President, scientists, or the glowing pixels of a web page. Critical reasoning skills are lacking.
  3. Most people are pretty stupid. They get an email purportedly from their bank telling them they need to update their information for security purposes or have lost their bank account number, or something equally unlikely, and don't question it. They don't call their local bank branch to verify it, they simply click.
  4. Most people believe the Internet is infallible. They think every person who has a blog or web page knows what they are talking about. They think if a page looks a little like what they normally see when they bank online, that it's the same thing, even though the URLs to the links are all wrong.

You can't protect people from themselves, although our Congress tries to do this every day by passing inane laws that protect no one but the large corporations and billionaires. People who go online will continue to be duped as long as no concerted effort is made to educate them. Cue the PSAs.

Re:DRTFA (1, Insightful)

Anonymous Coward | more than 8 years ago | (#15027857)

..and because most banks and such organizations still don't make any effort to authenticate their emails. That would go a long way towards making people more suspicious towards emails without a little key icon in the mail reader, asking them for their firstborn in exchange for continued online banking availability or such..

I don't get it, it's well inside major organizations' capabilities to push for easily usable GPG or S/MIME support in email clients and webmail interfaces, yet they don't seem to be interested. Are they actually interested in having their customers spammed?

Obligatory (1)

dotpavan (829804) | more than 8 years ago | (#15027631)

Give a man a victim, and he will feed on him till the victim stays, teach him to phish, and he stays alive for a lifetime.

Light a fire, and the man stays warm till it is put off, set him on fire, and he stays warm for his lifetime.

Re:Obligatory (0)

Anonymous Coward | more than 8 years ago | (#15028192)

Can someone slap this guy please?

Same story different medium (1)

consultant (148958) | more than 8 years ago | (#15027671)

These sites are no different to traditional confidence tricksters that knock on your door and pretend to be something they're not with phoney IDs. It took many years for Joe Public to be fully aware of those scams too. We just need to elevate the public's awareness of the whole issue. The paper, whilst interesting, is slightly obvious; after all, if the phishing emails didn't work we wouldn't still be getting 10s or 100s on our mail servers every day.

I thought I did once... (4, Interesting)

BlueCodeWarrior (638065) | more than 8 years ago | (#15027681)

I remember the one time I almost thought that I fell for a phishing scam.

I got an email saying that my student loan company needed some more information to give me the loan. I had to log into their website to check out what exactly it was and what I needed to send in.

I just clicked the link in the email and typed my login information (of which the username is my SSN) and got a message to the effect of 'password incorrect, please try again.'

I did this two or three times with some of the different passwords that I usually use...and then I thought about it.

Oh fuck! The address bar said 'www.terri.org' and my bank was Chase. I freaked out, thinking that I'd fallen for it...

Turns out terri is the company that processes the loan or whatever and I had just mistyped the password. But I reminded myself to not be so trusting on the internet, and always re-type the site in for things like that...

This makes me want to start a phishing scam (1)

cdogbert (964753) | more than 8 years ago | (#15027689)

Because apparently I can get 23% of people on the internet to send me their personal information if I set up an Apache server at my house, and send out a couple emails.

409 scams still work so why not phishing? (4, Interesting)

smooth wombat (796938) | more than 8 years ago | (#15027701)

If you want to see how gullible or just plain stupid people are, check out the story in my Journal titled, 'Renowned psychiatrist bilked by Nigerian scam'. It was rejected by the editors so I plunked it in my Journal.

Even after the guy knew it was a scam and promised his son he wouldn't send any more money, he still did it anyway!

Maybe a bit different than a phishing scam but along the same lines.

This just in. (1)

DaveV1.0 (203135) | more than 8 years ago | (#15027725)

In a stunning outcome, research on security indicates that people are the weakest link in the security chain.

Other amazing developments include the discovery that water is wet, fire is hot, and the sky is blue.

Film at 11!

People get surprisingly confused (1)

superdude72 (322167) | more than 8 years ago | (#15027737)

The home page for my housemate's Web browser was set to Yahoo, so whenever she needed to enter a URL, she just entered it into the Yahoo search field. It worked... most of the time. I mean she'd get a list of Web pages and one of them would be the right one. But it makes my teeth itch just thinking about it. She didn't seem to understand what a URL was at all.

Re:People get surprisingly confused (1)

fishbowl (7759) | more than 8 years ago | (#15027827)

I do that all the time -- google for a url as a keyword rather than put an address in the location bar. The result is usually high confidence. But then, I know all about SSL, redirection, etc., and the most clever phishing site won't fool me. (Whenever I get one, I go and fill it out, all the way, with amusing (activist) contact information and even go as far as to use test CC numbers that pass MOD10).

acutrust (0)

Anonymous Coward | more than 8 years ago | (#15027754)

Check out Acutrust [prweb.com]. I recently reviewed it for my employer and it looks very interesting.

The problem goes right down to the SSL layer (5, Insightful)

egarland (120202) | more than 8 years ago | (#15027788)

This is a post I wrote in response to the phishing site with a valid SSL cert [slashdot.org]. I'll highlight the appropriate portion for this discussion.

SSL Certificates don't have to be signed. You can create X509 self signed certs no problem. Web browsers just don't like them and pop up all kinds of warnings.

They should tier SSL certs and make the higher level ones more difficult and time consuming to get:
0 None
1 Self Signed
2 Small business
3 Mid-sized business
4 Large business
5 Financial Institution

Browsers should display a lock with a number explaining what encryption a site used (even when none is used) and could explain the rank when the icon is moused over. Then people always would have a place to look to check the rank before deciding if they should punch information in.

The original SSL design was a good first step but it is definitely showing its age today.

For Anti-Phishing to work it needs a UI with support right down into the SSL layer.

Currently it's next to impossible to differentiate things on the web. It's the great equalizer, and as we are finding, it makes things *too* equal. You are on equal footing with a bank when trying to convince people to enter financial information. We need a bit more structure, a few more checks and balances.

Re:The problem goes right down to the SSL layer (1)

oirtemed (849229) | more than 8 years ago | (#15027868)

Why is a large business safer than a small business? One is actively trying to fuck me out of my money, the other's livelihood usually depends on my satisfaction.

Nonsense (2, Insightful)

rbowles (245829) | more than 8 years ago | (#15027815)

Con-artists are older than recorded time. Snake-oil salesmen, crooked used-car lots, (snail) mail scams and their ilk are likely at least as prevalent even in our quasi-"Information Age".

How many educated people have bought a lemon? I've known otherwise educated, extremely intelligent, college-educated people (students and grads alike) who've done this. Perhaps everyone should be fully educated about the hazards of auto-buying and phishing web-sites, and maybe get a medical degree for proper evaluation of physicians while they're at it.

The answer is not pamphlets and FAQs. If anything these "easy answers" only propagate the problem of people being too damn trusting. Seek your own understanding.

I'll admit it... (1)

Skynet (37427) | more than 8 years ago | (#15027828)

I was caught by a phishing scam once at my old company.

An email was sent out that looked exactly like an official email and was linked to a page that looked exactly like the employee intranet page.

I let my guard down just a tiny bit and got snagged.

Phishing works because people are sometimes stupid and frequently lazy.

Re:I'll admit it... (1)

Skynet (37427) | more than 8 years ago | (#15027889)

That should have read, "Phishing works because even tech savvy people are sometimes stupid and frequently lazy."

trOllkore (-1, Troll)

Anonymous Coward | more than 8 years ago | (#15027855)

anothe8E special [goat.cx]

There's a sucker born... (1)

Pedrito (94783) | more than 8 years ago | (#15027859)

Phishing works because most people are suckers.

On a related topic, I was trying to pay my Bank of America bill online yesterday and they had some new security system (called "SiteKey", I think. Probably (r)(tm) and whatever) where it gives me some picture and also had me provide 3 answers to 3 questions (like lost password questions). Now, I kind of went through it quickly, but I was under the impression that whenever I login, it was supposed to show me the picture (my Site Key) and told me not to use the site if I don't see it, but since I signed up, it doesn't show me the site key. I'm hoping that whatever is broken about it they fix... Not that I really care if someone hacks it. All they can really do online is pay my bill which they're welcome to do.

I never thought my family was this stupid.... (1)

porcupine8 (816071) | more than 8 years ago | (#15027862)

I thought everyone knew about phishing and how to watch out for it, but then I got a great view of how average computer users obviously don't have any clue.

A few months ago, my sister freaked out when someone broke into her PayPal account.

I didn't find out until just a week or two ago that this was the direct result of her falling for a phishing attack - and that my mom fell for it too! They're lucky I live 12 hours away so I could smack them both upside the head. I'm not exactly shocked that my mom fell for it, but my sister should really know better.

You Password Information is Incorrect (0)

Anonymous Coward | more than 8 years ago | (#15027866)

Due to MySQL database problems we have lost your password. Please Enter your Login and new Password below.

Login:

Password:

Favicons (1)

Trillan (597339) | more than 8 years ago | (#15027870)

Well, perhaps an unpopular opinion, but I don't see why favicons need to be shown for the current page anyway. It makes sense for bookmarks, but it seems showing it on the current page is just asking for this kind of confusion. How about just showing a generic icon until a site is bookmarked?

I'd Probably Get Phished.... (1)

rhkaloge (208983) | more than 8 years ago | (#15027874)

if I didn't just assume every bit of unexpected e-mail was a scam. Ask me to actually prove it, and I'd have some problems. For example, I got a notice from "ebay" saying my on-file credit card was about to expire. I chucked the e-mail, but when I logged on to ebay a few days later, I noticed that the credit card on file was indeed expired. I just deleted the info rather than updating anything, but it's only paranoia that keeps me from getting caught.

this just in! people are stupid! film at 11! (1)

compro01 (777531) | more than 8 years ago | (#15027891)

"the purpose of any scientific study is to prove what everyone already knows"

Doesn't seem likely. (2, Funny)

zubinjdalal (816389) | more than 8 years ago | (#15027900)

From the synopsis (and echoed in the paper): "The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate."

While I don't mind taking a swipe at M$ft from time to time, I find it difficult to imagine how a brightly colored red address bar (even one outside the focus of attention) with "Phishing Website" written on it will be ignored.

The only thing (and I am keeping in mind users that are not extremely tech savvy) that would be more obvious would be an "arm-like" device attached to one's monitor that points to the "Phishing Website" text displayed on the screen and whacks you on the top of your head if you still proceed to enter all your personal information in.

While ISPs learn to block... (5, Informative)

fak3r (917687) | more than 8 years ago | (#15027929)

I always encourage others to 'go on the offensive [fak3r.com]' and help pollute phishers' databases with the awesome site: PhishFighting.com [phishfighting.com]. Set a few tabs open to fill the phisher's database with useless data, check back later and see the site is offline (likely from the attention garnered from all the bandwidth usage!)

As bosses would say "It's a win-win!"

Similar Fate? (1)

irimi_00 (962766) | more than 8 years ago | (#15027951)

I bet new measures would drop it below 20% at least, maybe 18%.

Sender Policy Framework...?? (2, Interesting)

Beefslaya (832030) | more than 8 years ago | (#15027970)

Lots of us mail gurus have been switching to using SPF (sender policy framework), which is a separate set of DNSish records that tell mail servers who is qualified to send mail for them.

The answer to phishing is a similar setup, that queries a DNS server to check and see if this "site" is OK to mirror for this site, or accept requests.

Just a shot in the dark, but I bet something could be worked out like this.

This would eliminate a lot of the question of whether or not a site is legit.
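An added Python sketch (not from the comment above or the SPF project) of the SPF check the parent describes: a sender IP is evaluated against a `v=spf1` TXT record. The domains, addresses and record table are constructed sample data standing in for real DNS TXT lookups.

```python
"""Minimal SPF evaluator (ip4, ip6, include, all mechanisms only).

Added illustration; the record table below is a constructed stand-in
for DNS TXT lookups, and the domains/addresses are sample values.
"""
import ipaddress

# Constructed "DNS": domain -> published SPF record.
SPF_RECORDS = {
    "example-bank.test": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.test -all",
    "_spf.mailhost.test": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/48 ~all",
}

# Qualifier prefix -> SPF result; a bare mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip."""
    if depth > 10:                       # bound include: recursion
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # domain publishes no policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":                # catch-all decides the rest
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include: matches only when the referenced policy says "pass"
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # other mechanisms (a, mx, exists, ...) are not modelled here
    return "neutral"                     # ran off the end with no "all"


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.10", "192.0.2.1"):
        print(ip, "->", check_spf("example-bank.test", ip))
```

A receiving mail server would run this once per message against the envelope sender's domain and treat "fail" as a strong spoofing signal; the parent's idea is the same lookup applied to web sites rather than mail senders.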

"Why Phishing Works" (1)

veeoh (444683) | more than 8 years ago | (#15027991)

because people are stupid.

URL? (1)

engagebot (941678) | more than 8 years ago | (#15028012)

Being able to identify a phony/suspicious URL? Hardly!

I've had support calls here at the *hospital* from *doctors* who are trying to 'log in' to their computer in the Address Bar of IE.

Phishing has the highest job security rating on the planet.

Two solutions (1)

groovy.ambuj (870307) | more than 8 years ago | (#15028028)

may be possible:

  * track the guy registering the DNS (people will be less likely to click on an IP address & give their password, although some will :-( )
  * solve the mother of all online problems: SPAM. With no SPAM, phishermen will have few fishes to target.

Re:Two solutions (1)

ericwfrost (587822) | more than 8 years ago | (#15028077)

Fishing works because the fish like to eat on a regular basis and the bait is presented in such a way that it looks like a tasty morsel that is easy and at first the fish thinks this is a great day, but then later not so much. Eric ELF mapping [elfmapping.com]

like Nigerian letters work too (1)

peter303 (12292) | more than 8 years ago | (#15028062)

Something like over 300 Americans have fallen for the Nigerian 419 schemes too. Sixty Minutes did a piece on a victim several years ago. Earlier this year the son of a demented California college professor tried to get guardianship over his father, who fell for the scheme too.

Judging by the fact I still get several of these emails a week, and used to get US mail paper letters in the 1980s, the perpetrators are getting results from less than one per million emails. But someone is still making money.

Some people are just stupid (1)

SnarfQuest (469614) | more than 8 years ago | (#15028069)

Even if you wrote a phishing page that stated in big, bold, blinking letters "This is a Phishing Scam, and if you fall for it we will drain your bank account", some people would still click the link and enter their data.

Some were just born stupid.

http://www.rinkworks.com/stupid/cs_obvious.shtml#1 [rinkworks.com]

Solution? Make it legal (0)

Anonymous Coward | more than 8 years ago | (#15028137)

If phishing is made legal, and people who are suckered into phishing scams have no recourse to get back their money or credit, the problem will disappear very quickly. Either people will wise up, or all the idiots will be culled. Nice, simple, natural selection.

Plus, I could make a few bucks and not worry about getting arrested.