Why phishing catches punters

Hook, line and sinker

New hybrid storage solutions

Even the more sophisticated users were largely fooled by the fake www.bankofthevvest.com site. Take a look at that URL again. See it? Instead of "west", the researchers used "vvest," with two vs. This fooled 91 per cent of the participants. Even if you look at the address bar regularly, and pay attention to the links you click, I could see how that would pass right by.

Users are confident that they're right

Damn Interesting is a blog that posts something every day or so about things that are, well, usually pretty damn interesting. In March it was a post titled "Unskilled and Unaware of It" that showed those who lack knowledge or skill at something not only don't realise it, they also think they're far better than they actually are!

The more incompetent someone is in a particular area, the less qualified that person is to assess anyone's skill in that space, including their own. When one fails to recognise that he or she has performed poorly, the individual is left assuming that they have performed well. As a result, the incompetent will tend to grossly overestimate their skills and abilities.

These assertions were certainly borne out by the phishing study, which found that the participants were almost always very confident of their abilities to tell a fake site from a real one...even when they were grotesquely incorrect. And remember, that includes those folks who never look at the address bar to even see if they're on an HTTPS site. Doesn't exactly improve your confidence, does it?

Worse things are coming

Computer Science professor John Aycock and his student Nathan Friess recently published a warning about the coming threat of spam zombies from outer space. The title is straight out of something directed by target="_blank"Ed Wood, but the concept isn't nearly as funny.

These new zombies will mine corpora of email they find on infected machines, using this data to automatically forge and send improved, convincing spam to others.

The next generation of spam could be sent from your friends' and colleagues' email addresses - and even mimic patterns that mark their messages as their own (such as common abbreviations, misspellings, capitalisation, and personal signatures) - making you more likely to click on a web link or open an attachment.

Couple this with the statements made by the phishing study participants that they "regularly" follow links sent to them in emails from friends, co-workers, and employers, and we can easily see disaster looming.

What can we do?

At this point, I honestly feel pretty befuddled. Education is a piece of the solution, but how do we do that in the most effective manner? The browser and the web have gotten increasingly complicated over the past decade, so that your average user now has quite a lot to learn before we can feel comfortable turning him loose on the wild 'n wooly web. Maybe too much, in many cases.

Clearly, using more popup warnings isn't the answer, and the study bears this out: when confronted with a browser warning about a self-signed cert, well over half the users immediately clicked on OK to remove the warning without reading it. And adding additional warnings into the browser's chrome - more icons, more address bar colours, and so on - won't help when a substantial number of users never even look in those areas.

Should we just build web browsers so that they simply do not allow users to visit dangerous or questionable sites? There are already a number of initiatives in place that seek to create a central database of bad sites that software programs can reference; for instance, the next version of Firefox uses one maintained by Google (a service also provided by the Google toolbar for Firefox), while IE 7 will use one run by Microsoft.

Anti-phishing warnings are on by default in the upcoming versions of both browsers, which is good, but they both default to a warning message that can be quickly clicked past by the user. Maybe that shouldn't be allowed, or at least be made a lot more difficult to circumvent.

I know a lot of you are going to kick and holler about that, but if you're reading this, you're by definition different than the vast majority of users out there. Answer me this truthfully: do you really trust Aunt Sally or Steve in Accounting or your kid sister Brooke to carefully read an anti-phishing warning, ponder the ramifications, and then make a wise choice? If you answer in the affirmative, then you haven't read Why Phishing Works. Go read it, and you may change your mind.

But what about you? Do you have any ideas? Let's see if we can't come up with some ways to fix this problem...or at least lessen the likelihood that others will be fooled. That way we can get back to dealing with criminals that have just a touch of panache about them, like Arnold Rothstein and his ilk. Certainly we should wish a pox on both their houses, but better a Rothstein than the plague of phishers we see today.

Copyright © 2006, SecurityFocus

This article originally appeared in Security Focus.

Scott Granneman teaches at Washington University in St Louis, consults for WebSanity, and writes for SecurityFocus and Linux Magazine. His latest book, Hacking Knoppix, is in stores now.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Enigmail PGP plugin forgets to encrypt mail sent as blind copies
User now 'waiting for the bad guys come and get me with their water-boards'
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
prev story


Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.