Why Phishing Works

cy (Flashaholic; joined Dec 20, 2003; 8,186 messages; USA)
Why Phishing Works

"Harvard and Berkeley have released a study that shows why phishing attacks work (pdf). When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators. The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate. This study is brought to you by the people who developed the security skins Firefox extension."

http://it.slashdot.org/it/06/03/30/1556226.shtml

cy (Flashaholic; joined Dec 20, 2003; 8,186 messages; USA)
Yup, it's amazing the HUGE number of folks taken in by simply duplicating a site's appearance...

Anymore I always look at what the URL is actually pointing at vs. what the link says.

gadget_lover (Flashaholic; joined Oct 7, 2003; 7,148 messages; Near Silicon Valley (too near))
Sometimes it's just because the hackers are clever.

--Phishers Take New Tack With Three Florida Banks
(29/27 March 2006)
Attackers broke into servers belonging to an Internet service provider
(ISP) that hosts web sites for three small Florida banks. They then
redirected traffic from those sites to a phony server designed to mimic
the real banking sites where they attempted to gather sensitive customer
account data. The attack is believed to be the first of its kind.

http://www.computerworld.com/printthis/2006/0,4814,110046,00.html


Sometimes it's because the businesses have questionable practices. I've seen phishing mail from sites that looked like my bank. Because my stupid bank outsources some of their special projects, it's not unusual to see http://www.mybank.colo_outfit.com/special_promotion.html in a VALID mail.

This makes it super hard to recognize the bad stuff.

I've seen VeriSign send mail that appears to be from a secondary domain. I guess they don't want their mail servers to be overloaded.

And last, but not least, the stupid companies that don't at least use SPF (sender policy framework) aren't helping either.

Daniel

It's kk
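The SPF point in the post above (a domain publishes which hosts may send its mail, and receivers check the sender's IP against that list) is easy to see in code. This is an added example, not from the thread or from any SPF library: a small evaluator for the `ip4`, `ip6`, `include` and `all` mechanisms of a `v=spf1` record, with DNS TXT lookups replaced by a constructed in-memory table so it runs offline. The domains and addresses (`mybank.example`, `mailer.example`, the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are constructed; mechanisms such as `a`, `mx`, `exists` and `redirect=` are intentionally not modelled.

```python
# Added example: minimal SPF (Sender Policy Framework) evaluation against a
# constructed TXT-record table. Not from the forum thread; offline by design.
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: replaces real resolution).
FAKE_TXT = {
    'mybank.example': 'v=spf1 ip4:203.0.113.0/24 include:mailer.example -all',
    'mailer.example': 'v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all',
}

# Qualifier prefixes from RFC 7208; a bare mechanism means "+".
QUALIFIERS = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}


def check_spf(domain, sender_ip, txt=FAKE_TXT, depth=0):
    """Evaluate the SPF record for `domain` against `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:
        return 'permerror'  # include loops / too many lookups
    record = txt.get(domain.lower())
    if record is None or not record.startswith('v=spf1'):
        return 'none'  # no policy published: receiver cannot reject on SPF alone
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = '+'
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(':')
        name = name.lower()
        if name == 'all':
            return QUALIFIERS[qual]  # catch-all: what happens to everyone else
        if name in ('ip4', 'ip6'):
            # ip_network(strict=False) accepts a bare address as a /32 or /128;
            # mixed-version comparisons are simply False.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == 'include':
            # include matches only when the referenced domain's record passes.
            if check_spf(arg, sender_ip, txt, depth + 1) == 'pass':
                return QUALIFIERS[qual]
        else:
            return 'permerror'  # a, mx, exists, redirect= are not modelled here
    return 'neutral'  # record ran out without an "all" term


# Constructed sample: envelope-from domain and connecting IP as a receiver sees them.
SAMPLE_DELIVERIES = [
    ('mybank.example', '203.0.113.45'),    # bank's own outbound range
    ('mybank.example', '198.51.100.10'),   # outsourced mailer, via include
    ('mybank.example', '192.0.2.7'),       # unknown host claiming to be the bank
    ('nospf.example', '192.0.2.7'),        # domain that never published SPF
]

if __name__ == '__main__':
    for dom, ip in SAMPLE_DELIVERIES:
        print(f'{dom:16} from {ip:14} -> {check_spf(dom, ip)}')
```

The third delivery is the phishing case: a host outside the published ranges gets `fail` and a receiver honouring SPF can reject it outright. The last line is the problem the post raises: a domain with no record at all yields `none`, which gives the receiver nothing to act on, so forged mail from that domain is indistinguishable from real mail at this layer.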

Empath (Flashaholic; joined Nov 11, 2001; 8,508 messages; Oregon)
I received a notice from American Express, advising of a new phishing scheme. It's so realistic, that not replying to it would seem improper.

According to them, the phishing scheme is a pop-up that appears while you're in a secured session on their site. It's a pop-up that looks like this:

[image: sovbr7.gif, screenshot of the pop-up]


It appears while you're doing business with them, on their site.

They said they suspect that it is a virus or trojan that responds to a visit to a financial site, which makes it look like a legitimate request for information. They don't think it's a compromise of secured sites. In American Express' case, they've asked that you report it immediately if you've entered your data into such a pop-up. If you receive it at another financial site, I assume you'll want to report it there as well.

cy (Flashaholic; joined Dec 20, 2003; 8,186 messages; USA)
Empath, good grief, that's scary...

Downright underhanded or clever, depending upon your point of view :green:

What's even scarier is that banks are not liable for security breaches that result from your machine being compromised.

I recently had a conversation with my local bank requesting them to put a cap on money transfers out of my account. They had no mechanisms to do this. Further, if you don't catch an error within a certain time frame, they are not liable.

Everything is biased in the banks' favor!

greenlight (Flashlight Enthusiast; joined Aug 18, 2004; 4,298 messages; chill valley)
A lot of sites make you sign in every time, or after a few minutes have passed. Sometimes it seems like it is over and over. It's probably for security reasons, but I wouldn't know if I was being phished anyway.

KevinL (Flashlight Enthusiast; joined Jun 10, 2004; 5,866 messages; At World's End)
cy said:
Why Phishing Works

"Harvard and Berkeley have released a study that shows why phishing attacks work (pdf). When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators. The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate. This study is brought to you by the people who developed the security skins Firefox extension."

http://it.slashdot.org/it/06/03/30/1556226.shtml

Would it be too harsh to say that these folks, as a result, deserve it?

The SSL indicators have been there since the dawn of time, and SSL certs are largely considered to be un-forgeable. If someone ignored a warning light and their car/house/light/whatever blew up, would they deserve our sympathy? (I certainly didn't get much during the lithium-ion days...)

gregw (Flashlight Enthusiast; joined Jun 7, 2004; 1,511 messages; Hong Kong)
Everyone really needs to install ZoneAlarm on their PC, regardless of whether you already have a hardware firewall installed in your LAN. ZoneAlarm will prompt you if a new program tries to access the internet, and it then gives you the choice of either allowing this program to access the internet this one time only, giving it permission to access the internet at all times, or disallowing internet access completely.

So, if your PC has become compromised, you can still stop the virus from sending out messages to the internet by disallowing all communications for the program when ZoneAlarm prompts you.

James S (Flashlight Enthusiast; joined Aug 27, 2002; 5,078 messages; on an island surrounded by reality)
For those Mac users worried about such things as a compromised program making a call back to the internet for some reason, the program you'll want is called "Little Snitch", which does the same as ZoneAlarm.

Mostly you'll just catch programs checking their version information, and you'll end up dismissing a lot of dialogs telling you which program is doing it now... I ran it for a while; it's interesting.