Why phishing catches punters

Hook, line and sinker

The essential guide to IT transformation

Even the more sophisticated users were largely fooled by the fake www.bankofthevvest.com site. Take a look at that URL again. See it? Instead of "west", the researchers used "vvest," with two vs. This fooled 91 per cent of the participants. Even if you look at the address bar regularly, and pay attention to the links you click, I could see how that would pass right by.

Users are confident that they're right

Damn Interesting is a blog that posts something every day or so about things that are, well, usually pretty damn interesting. In March it was a post titled "Unskilled and Unaware of It" that showed those who lack knowledge or skill at something not only don't realise it, they also think they're far better than they actually are!

The more incompetent someone is in a particular area, the less qualified that person is to assess anyone's skill in that space, including their own. When one fails to recognise that he or she has performed poorly, the individual is left assuming that they have performed well. As a result, the incompetent will tend to grossly overestimate their skills and abilities.

These assertions were certainly borne out by the phishing study, which found that the participants were almost always very confident of their abilities to tell a fake site from a real one...even when they were grotesquely incorrect. And remember, that includes those folks who never look at the address bar to even see if they're on an HTTPS site. Doesn't exactly improve your confidence, does it?

Worse things are coming

Computer Science professor John Aycock and his student Nathan Friess recently published a warning about the coming threat of spam zombies from outer space. The title is straight out of something directed by target="_blank"Ed Wood, but the concept isn't nearly as funny.

These new zombies will mine corpora of email they find on infected machines, using this data to automatically forge and send improved, convincing spam to others.

The next generation of spam could be sent from your friends' and colleagues' email addresses - and even mimic patterns that mark their messages as their own (such as common abbreviations, misspellings, capitalisation, and personal signatures) - making you more likely to click on a web link or open an attachment.

Couple this with the statements made by the phishing study participants that they "regularly" follow links sent to them in emails from friends, co-workers, and employers, and we can easily see disaster looming.

What can we do?

At this point, I honestly feel pretty befuddled. Education is a piece of the solution, but how do we do that in the most effective manner? The browser and the web have gotten increasingly complicated over the past decade, so that your average user now has quite a lot to learn before we can feel comfortable turning him loose on the wild 'n wooly web. Maybe too much, in many cases.

Clearly, using more popup warnings isn't the answer, and the study bears this out: when confronted with a browser warning about a self-signed cert, well over half the users immediately clicked on OK to remove the warning without reading it. And adding additional warnings into the browser's chrome - more icons, more address bar colours, and so on - won't help when a substantial number of users never even look in those areas.

Should we just build web browsers so that they simply do not allow users to visit dangerous or questionable sites? There are already a number of initiatives in place that seek to create a central database of bad sites that software programs can reference; for instance, the next version of Firefox uses one maintained by Google (a service also provided by the Google toolbar for Firefox), while IE 7 will use one run by Microsoft.

Anti-phishing warnings are on by default in the upcoming versions of both browsers, which is good, but they both default to a warning message that can be quickly clicked past by the user. Maybe that shouldn't be allowed, or at least be made a lot more difficult to circumvent.

I know a lot of you are going to kick and holler about that, but if you're reading this, you're by definition different than the vast majority of users out there. Answer me this truthfully: do you really trust Aunt Sally or Steve in Accounting or your kid sister Brooke to carefully read an anti-phishing warning, ponder the ramifications, and then make a wise choice? If you answer in the affirmative, then you haven't read Why Phishing Works. Go read it, and you may change your mind.

But what about you? Do you have any ideas? Let's see if we can't come up with some ways to fix this problem...or at least lessen the likelihood that others will be fooled. That way we can get back to dealing with criminals that have just a touch of panache about them, like Arnold Rothstein and his ilk. Certainly we should wish a pox on both their houses, but better a Rothstein than the plague of phishers we see today.

Copyright © 2006, SecurityFocus

This article originally appeared in Security Focus.

Scott Granneman teaches at Washington University in St Louis, consults for WebSanity, and writes for SecurityFocus and Linux Magazine. His latest book, Hacking Knoppix, is in stores now.

Next gen security for virtualised datacentres

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story


5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?