Feeds

Why phishing catches punters

Hook, line and sinker

Reducing security risks from open source software

Comment Occasionally a criminal is so, well, clever that you have to admire him even as you wish that he spends the rest of his life in jail.

Take Arnold Rothstein, for instance. One of the kingpins of organised crime in New York City during Prohibition and before. The "Great Brain", as he was termed, was more than likely behind the infamous Black Sox scandal, in which the 1919 World Series was fixed in favour of the Cincinnati Reds. He is also widely credited with inventing the floating crap game immortalised in Guys and Dolls.

Like some character out of a Damon Runyon story, Rothstein's "office" was outside of Lindy's Restaurant, at Broadway and 49th Street, and he associated with gangsters whose names still trip off the tongue three-quarters of a century later: Meyer Lansky, Legs Diamond, Lucky Luciano, Dutch Schultz. When it comes to colorful, clever criminals, Rothstein is at the top of the heap.

And then, on the other end of the scale, today we have the phishers. Scumbags of the seb, phishers vomit out emails to as many millions of people as they can possibly reach, hoping that a tiny few will respond to their fraudulent request to update their account information at PayPal, eBay, or CitiBank (or just about any other bank you can imagine). This is an enormous problem, and it's not getting any better. I recently read a fascinating study that shows just why that's the case.

If you haven't read Why Phishing Works (850Kb PDF) - written by Rachna Dhamija, J D Tygar, and Marti Hearst - stop what you're doing now and go get it (or at the very least, read a short summary of what it offers).

In just 10 pages, your eyes will be opened to just how much of a problem the public - and the security people tasked with protecting them - really face. I knew it was bad, but I had no idea it was this bad.

Basically, the researchers sat a variety of folks down and had them use some websites. Some were fakes created by the team, and some were not. After watching what the participants did with the websites, the researchers quizzed the users as to the motivations for their behaviours. The results are eye-opening, to say the least. Here's some of the scarier things I learned.

Think that cues in the browser will help? Forget it.

When Firefox 1.0 came out, I thought it was a major benefit that the background color of the address bar changed to gold when you were on a site using HTTPS. "How cool!" I remember saying to a friend, "In addition to the gold lock, the entire address bar is gold too. That'll make it even more obvious to people that they're on a secure site!" And that was in addition to the other three indicators that Firefox provides. How utterly naive of me.

In the study by Dhamija et al, 23 per cent of the users don't even look at cues provided by the web browser, such as the address or status bars. Many have no idea what the padlock icon means; in fact, one participant confidently asserted that the padlock indicates that the website can't set cookies.

Instead of browser cues, these people look at the web page itself. Does it "look" and "feel" right? Are there VeriSign logos on the page? How about animations? Does it seem authoritative? In some cases, the padlock icon on the web page itself was enough to convince some that the site was safe, more so than if the padlock was in the browser's chrome.

URLs don't work with everyone either

Some users pay attention to the fact that the address bar changes as they travel through a website, but they don't really have the foggiest idea what the URL itself means. This extends to HTTPS as well. IP addresses do raise alarms, however...although the users don't really know what those are. They just find numbers suspicious.

Users fixate on the weirdest things

The site that fooled all but one participant in the study was for Bank of the West (that's a link to the real website ... or is it?). On that site was a cute animated video of a bear. Evidently that tickled a number of the users who reloaded the page several times to see that animated bear. In fact, some of the participants said that the animation was proof that the site was legit, since it would take too much effort to copy it!

The ordinary folks in the study also figured that if a site has ads on it, then that increases the likelihood that it's not a fake. Likewise, the presence of a favicon (the little icon that appears in the address bar to the left of the URL) was deemed indicative of a site that was not out to steal your money and identity. Amazing what people glom onto.

It's incredibly easy to fool people

I was astonished to read - which again shows my naiveté - that some of the people tested in the study were not only unaware of the term "phishing," but were also surprised that anyone would even engage in such criminal behavior in the first place. In the face of such ignorance, it's no surprise that phishing works.

Others might be aware of phishing, but either ignored or were unsure how to use the various cues provided by the web browsers. This isn't exactly surprising when you consider they were asked by the browser to "accept this certificate temporarily for this session". Would your uncle or grandma know what a "certificate" is? How about a "session"? Didn't think so.

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.