Feeds

Why phishing catches punters

Hook, line and sinker

Internet Security Threat Report 2014

Comment Occasionally a criminal is so, well, clever that you have to admire him even as you wish that he spends the rest of his life in jail.

Take Arnold Rothstein, for instance. One of the kingpins of organised crime in New York City during Prohibition and before. The "Great Brain", as he was termed, was more than likely behind the infamous Black Sox scandal, in which the 1919 World Series was fixed in favour of the Cincinnati Reds. He is also widely credited with inventing the floating crap game immortalised in Guys and Dolls.

Like some character out of a Damon Runyon story, Rothstein's "office" was outside of Lindy's Restaurant, at Broadway and 49th Street, and he associated with gangsters whose names still trip off the tongue three-quarters of a century later: Meyer Lansky, Legs Diamond, Lucky Luciano, Dutch Schultz. When it comes to colorful, clever criminals, Rothstein is at the top of the heap.

And then, on the other end of the scale, today we have the phishers. Scumbags of the seb, phishers vomit out emails to as many millions of people as they can possibly reach, hoping that a tiny few will respond to their fraudulent request to update their account information at PayPal, eBay, or CitiBank (or just about any other bank you can imagine). This is an enormous problem, and it's not getting any better. I recently read a fascinating study that shows just why that's the case.

If you haven't read Why Phishing Works (850Kb PDF) - written by Rachna Dhamija, J D Tygar, and Marti Hearst - stop what you're doing now and go get it (or at the very least, read a short summary of what it offers).

In just 10 pages, your eyes will be opened to just how much of a problem the public - and the security people tasked with protecting them - really face. I knew it was bad, but I had no idea it was this bad.

Basically, the researchers sat a variety of folks down and had them use some websites. Some were fakes created by the team, and some were not. After watching what the participants did with the websites, the researchers quizzed the users as to the motivations for their behaviours. The results are eye-opening, to say the least. Here's some of the scarier things I learned.

Think that cues in the browser will help? Forget it.

When Firefox 1.0 came out, I thought it was a major benefit that the background color of the address bar changed to gold when you were on a site using HTTPS. "How cool!" I remember saying to a friend, "In addition to the gold lock, the entire address bar is gold too. That'll make it even more obvious to people that they're on a secure site!" And that was in addition to the other three indicators that Firefox provides. How utterly naive of me.

In the study by Dhamija et al, 23 per cent of the users don't even look at cues provided by the web browser, such as the address or status bars. Many have no idea what the padlock icon means; in fact, one participant confidently asserted that the padlock indicates that the website can't set cookies.

Instead of browser cues, these people look at the web page itself. Does it "look" and "feel" right? Are there VeriSign logos on the page? How about animations? Does it seem authoritative? In some cases, the padlock icon on the web page itself was enough to convince some that the site was safe, more so than if the padlock was in the browser's chrome.

URLs don't work with everyone either

Some users pay attention to the fact that the address bar changes as they travel through a website, but they don't really have the foggiest idea what the URL itself means. This extends to HTTPS as well. IP addresses do raise alarms, however...although the users don't really know what those are. They just find numbers suspicious.

Users fixate on the weirdest things

The site that fooled all but one participant in the study was for Bank of the West (that's a link to the real website ... or is it?). On that site was a cute animated video of a bear. Evidently that tickled a number of the users who reloaded the page several times to see that animated bear. In fact, some of the participants said that the animation was proof that the site was legit, since it would take too much effort to copy it!

The ordinary folks in the study also figured that if a site has ads on it, then that increases the likelihood that it's not a fake. Likewise, the presence of a favicon (the little icon that appears in the address bar to the left of the URL) was deemed indicative of a site that was not out to steal your money and identity. Amazing what people glom onto.

It's incredibly easy to fool people

I was astonished to read - which again shows my naiveté - that some of the people tested in the study were not only unaware of the term "phishing," but were also surprised that anyone would even engage in such criminal behavior in the first place. In the face of such ignorance, it's no surprise that phishing works.

Others might be aware of phishing, but either ignored or were unsure how to use the various cues provided by the web browsers. This isn't exactly surprising when you consider they were asked by the browser to "accept this certificate temporarily for this session". Would your uncle or grandma know what a "certificate" is? How about a "session"? Didn't think so.

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.