Feeds

Why phishing catches punters

Hook, line and sinker

High performance access to file storage

Comment Occasionally a criminal is so, well, clever that you have to admire him even as you wish that he spends the rest of his life in jail.

Take Arnold Rothstein, for instance. One of the kingpins of organised crime in New York City during Prohibition and before. The "Great Brain", as he was termed, was more than likely behind the infamous Black Sox scandal, in which the 1919 World Series was fixed in favour of the Cincinnati Reds. He is also widely credited with inventing the floating crap game immortalised in Guys and Dolls.

Like some character out of a Damon Runyon story, Rothstein's "office" was outside of Lindy's Restaurant, at Broadway and 49th Street, and he associated with gangsters whose names still trip off the tongue three-quarters of a century later: Meyer Lansky, Legs Diamond, Lucky Luciano, Dutch Schultz. When it comes to colorful, clever criminals, Rothstein is at the top of the heap.

And then, on the other end of the scale, today we have the phishers. Scumbags of the seb, phishers vomit out emails to as many millions of people as they can possibly reach, hoping that a tiny few will respond to their fraudulent request to update their account information at PayPal, eBay, or CitiBank (or just about any other bank you can imagine). This is an enormous problem, and it's not getting any better. I recently read a fascinating study that shows just why that's the case.

If you haven't read Why Phishing Works (850Kb PDF) - written by Rachna Dhamija, J D Tygar, and Marti Hearst - stop what you're doing now and go get it (or at the very least, read a short summary of what it offers).

In just 10 pages, your eyes will be opened to just how much of a problem the public - and the security people tasked with protecting them - really face. I knew it was bad, but I had no idea it was this bad.

Basically, the researchers sat a variety of folks down and had them use some websites. Some were fakes created by the team, and some were not. After watching what the participants did with the websites, the researchers quizzed the users as to the motivations for their behaviours. The results are eye-opening, to say the least. Here's some of the scarier things I learned.

Think that cues in the browser will help? Forget it.

When Firefox 1.0 came out, I thought it was a major benefit that the background color of the address bar changed to gold when you were on a site using HTTPS. "How cool!" I remember saying to a friend, "In addition to the gold lock, the entire address bar is gold too. That'll make it even more obvious to people that they're on a secure site!" And that was in addition to the other three indicators that Firefox provides. How utterly naive of me.

In the study by Dhamija et al, 23 per cent of the users don't even look at cues provided by the web browser, such as the address or status bars. Many have no idea what the padlock icon means; in fact, one participant confidently asserted that the padlock indicates that the website can't set cookies.

Instead of browser cues, these people look at the web page itself. Does it "look" and "feel" right? Are there VeriSign logos on the page? How about animations? Does it seem authoritative? In some cases, the padlock icon on the web page itself was enough to convince some that the site was safe, more so than if the padlock was in the browser's chrome.

URLs don't work with everyone either

Some users pay attention to the fact that the address bar changes as they travel through a website, but they don't really have the foggiest idea what the URL itself means. This extends to HTTPS as well. IP addresses do raise alarms, however...although the users don't really know what those are. They just find numbers suspicious.

Users fixate on the weirdest things

The site that fooled all but one participant in the study was for Bank of the West (that's a link to the real website ... or is it?). On that site was a cute animated video of a bear. Evidently that tickled a number of the users who reloaded the page several times to see that animated bear. In fact, some of the participants said that the animation was proof that the site was legit, since it would take too much effort to copy it!

The ordinary folks in the study also figured that if a site has ads on it, then that increases the likelihood that it's not a fake. Likewise, the presence of a favicon (the little icon that appears in the address bar to the left of the URL) was deemed indicative of a site that was not out to steal your money and identity. Amazing what people glom onto.

It's incredibly easy to fool people

I was astonished to read - which again shows my naiveté - that some of the people tested in the study were not only unaware of the term "phishing," but were also surprised that anyone would even engage in such criminal behavior in the first place. In the face of such ignorance, it's no surprise that phishing works.

Others might be aware of phishing, but either ignored or were unsure how to use the various cues provided by the web browsers. This isn't exactly surprising when you consider they were asked by the browser to "accept this certificate temporarily for this session". Would your uncle or grandma know what a "certificate" is? How about a "session"? Didn't think so.

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.