Why phishing catches punters

Hook, line and sinker


Even the more sophisticated users were largely fooled by the fake www.bankofthevvest.com site. Take a look at that URL again. See it? Instead of "west", the researchers used "vvest," with two vs. This fooled 91 per cent of the participants. Even if you look at the address bar regularly, and pay attention to the links you click, I could see how that would pass right by.
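A client can catch that substitution mechanically, which is the part the study's participants could not do by eye. The Python below is an added example for this article, not code from the original or from the study: the brand list and the URLs are constructed for illustration, and the confusable table and the second-level-domain set are deliberately small stand-ins for the Unicode confusables data and the Public Suffix List that a production check would load. The key design point is that the same "skeleton" transform is applied to both the suspect name and the genuine one, so "vvest" and "west" collapse to the same string before they are compared.

```python
"""Lookalike-domain check for the "vvest" trick described above.

Added example, not code from the article. LEGIT_DOMAINS and the test URLs
are constructed; CONFUSABLES and SECOND_LEVEL are partial stand-ins for the
Unicode confusables data and the Public Suffix List.
"""
from urllib.parse import urlsplit
import unicodedata

# Character sequences that render almost identically to another character in
# common proportional fonts. Multi-character entries come first so "vv" is
# rewritten before any single-character rule could touch it.
CONFUSABLES = [
    ("vv", "w"),
    ("rn", "m"),
    ("0", "o"),
    ("1", "l"),
]

# Cyrillic letters whose glyphs coincide with Latin ones (partial list):
# а е о р с х у  ->  a e o p c x y
CYRILLIC_HOMOGLYPHS = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0445\u0443", "aeopcxy")

# Labels under which the registrable name sits one level deeper
# (lloydsbank.co.uk). Simplified stand-in for the Public Suffix List.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}

# Constructed list of domains the organisation considers genuine.
LEGIT_DOMAINS = ["bankofthewest.com", "paypal.com", "microsoft.com",
                 "lloydsbank.co.uk"]


def hostname_of(url: str) -> str:
    """Hostname of a URL, with IDNA (punycode) labels decoded so that an
    internationalised lookalike is compared by the characters the user sees."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: compare it as-is
    return host


def registrable_domain(host: str) -> str:
    """The part of the hostname the attacker actually had to register."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(name: str) -> str:
    """Collapse visually confusable characters so that names which look the
    same map to the same string. Applied to both sides of every comparison."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(c for c in name if not unicodedata.combining(c))  # drop accents
    name = name.translate(CYRILLIC_HOMOGLYPHS)
    for seq, repl in CONFUSABLES:
        name = name.replace(seq, repl)
    return name


def classify(url: str, legit_domains=LEGIT_DOMAINS) -> tuple:
    """Return (verdict, registrable_domain) for a URL the user is about to visit."""
    host = hostname_of(url)
    domain = registrable_domain(host)
    legit = {registrable_domain(d.lower()) for d in legit_domains}
    if domain in legit:
        return "legitimate", domain

    legit_skeletons = {skeleton(d) for d in legit}
    # www.bankofthevvest.com, paypa1.com, rnicrosoft.com, Cyrillic "е" in "west"
    if skeleton(domain) in legit_skeletons:
        return "lookalike", domain

    # Genuine brand name smuggled into a subdomain of an attacker-controlled
    # registrable domain: bankofthewest.com.account-verify.test
    host_sk = skeleton(host)
    for d_sk in legit_skeletons:
        if host_sk.startswith(d_sk + ".") or "." + d_sk + "." in host_sk:
            return "brand-in-subdomain", domain
    return "unknown", domain


if __name__ == "__main__":
    for u in ["https://www.bankofthewest.com/",
              "http://www.bankofthevvest.com/login",
              "https://paypa1.com/signin",
              "https://bankofthewest.com.account-verify.test/"]:
        print(u, "->", classify(u))
```

Two caveats a practitioner will want. First, a lookalike check only knows about the brands it was told about, so it complements rather than replaces a list of known-bad sites. Second, the punycode decode matters: a browser that shows the raw `xn--` form in the address bar is giving the user a hint, but a check that compares the encoded form would never see the Cyrillic letter at all.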

Users are confident that they're right

Damn Interesting is a blog that posts something every day or so about things that are, well, usually pretty damn interesting. In March it was a post titled "Unskilled and Unaware of It" that showed those who lack knowledge or skill at something not only don't realise it, they also think they're far better than they actually are!

The more incompetent someone is in a particular area, the less qualified that person is to assess anyone's skill in that space, including their own. When one fails to recognise that he or she has performed poorly, the individual is left assuming that they have performed well. As a result, the incompetent will tend to grossly overestimate their skills and abilities.

These assertions were certainly borne out by the phishing study, which found that the participants were almost always very confident of their abilities to tell a fake site from a real one...even when they were grotesquely incorrect. And remember, that includes those folks who never look at the address bar to even see if they're on an HTTPS site. Doesn't exactly improve your confidence, does it?

Worse things are coming

Computer Science professor John Aycock and his student Nathan Friess recently published a warning about the coming threat of spam zombies from outer space. The title is straight out of something directed by Ed Wood, but the concept isn't nearly as funny.

These new zombies will mine corpora of email they find on infected machines, using this data to automatically forge and send improved, convincing spam to others.

The next generation of spam could be sent from your friends' and colleagues' email addresses - and even mimic patterns that mark their messages as their own (such as common abbreviations, misspellings, capitalisation, and personal signatures) - making you more likely to click on a web link or open an attachment.

Couple this with the statements made by the phishing study participants that they "regularly" follow links sent to them in emails from friends, co-workers, and employers, and we can easily see disaster looming.

What can we do?

At this point, I honestly feel pretty befuddled. Education is a piece of the solution, but how do we do that in the most effective manner? The browser and the web have gotten increasingly complicated over the past decade, so that your average user now has quite a lot to learn before we can feel comfortable turning him loose on the wild 'n wooly web. Maybe too much, in many cases.

Clearly, using more popup warnings isn't the answer, and the study bears this out: when confronted with a browser warning about a self-signed cert, well over half the users immediately clicked on OK to remove the warning without reading it. And adding additional warnings into the browser's chrome - more icons, more address bar colours, and so on - won't help when a substantial number of users never even look in those areas.

Should we just build web browsers so that they simply do not allow users to visit dangerous or questionable sites? There are already a number of initiatives in place that seek to create a central database of bad sites that software programs can reference; for instance, the next version of Firefox uses one maintained by Google (a service also provided by the Google toolbar for Firefox), while IE 7 will use one run by Microsoft.

Anti-phishing warnings are on by default in the upcoming versions of both browsers, which is good, but they both default to a warning message that can be quickly clicked past by the user. Maybe that shouldn't be allowed, or at least be made a lot more difficult to circumvent.

I know a lot of you are going to kick and holler about that, but if you're reading this, you're by definition different from the vast majority of users out there. Answer me this truthfully: do you really trust Aunt Sally or Steve in Accounting or your kid sister Brooke to carefully read an anti-phishing warning, ponder the ramifications, and then make a wise choice? If you answer in the affirmative, then you haven't read Why Phishing Works. Go read it, and you may change your mind.

But what about you? Do you have any ideas? Let's see if we can't come up with some ways to fix this problem...or at least lessen the likelihood that others will be fooled. That way we can get back to dealing with criminals that have just a touch of panache about them, like Arnold Rothstein and his ilk. Certainly we should wish a pox on both their houses, but better a Rothstein than the plague of phishers we see today.

Copyright © 2006, SecurityFocus

This article originally appeared in SecurityFocus.

Scott Granneman teaches at Washington University in St Louis, consults for WebSanity, and writes for SecurityFocus and Linux Magazine. His latest book, Hacking Knoppix, is in stores now.
