Most convincing PHISHING pages hoodwink nearly half of you – Google

Nearly half (45 per cent) of those who visit the most convincing phishing pages are tricked into handing over personal information, according to Google. This effectiveness drops to just three per cent in the case of the most obviously scummy phishing sites, while the online giant reports that the account hijackers work quickly …

  1. Anonymous Coward
    Anonymous Coward

    For a particular value of 'you'.

    Which won't include most of the people reading this article.

    1. Anonymous Coward
      Anonymous Coward

      Re: For a particular value of 'you'.

      Yes that, but also for a given value of "convincing".

      It's bad enough that users will fall for phishing emails asking for their workplace credentials from the odd message that gets through the spam filters from total garbage addresses such as asdfg@hhjkls.ru, not to mention receiving them from other staff (who have fallen victim to them already) whom they know well and are fully aware have nothing to do with the IT department.

      But more recently where I work some absolutely atrocious phishing pages which have clear indicators of not being genuine such as the massive banner ads for viagra across the top of the page have claimed a worrying number of victims.

      The application of a small amount of logic and a pinch of cynicism should be enough to protect people from such terribly constructed phishing attempts, and if it doesn't they shouldn't be allowed to touch computers again.

      AC, for obvious reasons.

      1. Elmer Phud

        Re: For a particular value of 'you'.

        Even with just a text screen it's usually bloody obvious that it isn't from a bank you've never used as most of the links are all the same and they point to some obscure email address.

        I know a couple of people who have been got at and never actually asked themselves if they even were a customer.

        They are your average punter: you buy a box, plug it in and McAfee/Norton or whatever comes with the box will protect them from evil - that's what the PC World ads say, so it must be true.

        What's happening is the same as with cars - not many people even know what is under the bonnet these days. There's no need -- many never even check the basics as the annual service will sort it.

        Does everyone even know where the bits are to change the wheel or even where the spare is kept?

        http://www.youtube.com/watch?v=BHqL7dNujNc

        (Standard Blazing Saddles clip as regards users)

        1. Phil W

          Re: For a particular value of 'you'.

          "What's happening is the same as with cars - not many people even know what is under the bonnet these days. There's no need -- many never even check the basics as the annual service will sort it."

          I like the analogy, but the flaw in it is that most people pay someone with training to service their car annually. How many do this for their PC?

          Most people, if their car starts behaving weirdly or doing something it didn't do before, will seek professional advice. How many do this for their PC (before it's too late)?

          Most people, if they get someone knocking at their front door claiming to be from the garage and to have come to service their car because it has a fault, when they hadn't called a garage about it, won't just hand over their keys. How many people fall victim to pop-up ads, emails or even this spate of phone calls claiming their PC has a virus and needs looking at: just click here or type in this address to let us in to fix it?

          The problem is, people don't view the things they access with their PC as "real" be it their email or their bank account, it's just on the computer so it's OK.

        2. David Pollard

          Re: For a particular value of 'you'.

          It should be obvious when a phishing page arrives ... but for some reason many people don't notice.

          Maybe the Invisible Gorilla phenomenon explains why we often don't see something that should be obvious. It happens to all of us some of the time.

          http://theinvisiblegorilla.com/gorilla_experiment.html

      2. Anonymous Coward
        Anonymous Coward

        Re: For a particular value of 'you'.

        Yes that, but also for a given value of "convincing".

        Not helped in the slightest by mobile email clients habit of making it difficult/impossible to see the full headers, which are usually a dead giveaway.

      3. Anonymous Coward
        Anonymous Coward

        Re: but also for a given value of "convincing".

        Absolutely!

        A couple of weeks back one of our drones forwarded an email to ask if it was real. It had all the classic marks of a phishing attack: glaringly misspelled words (a good mark for me for spelling was a C+ when I was in school, so anything I spot in 2 seconds is glaringly misspelled; even when posting on El Reg it's the spell checker that saves me from goofs), warning of a dangerous result (purged account) if you "DON'T ACT NOW!" by clicking on the included link, and from a visibly incorrect email address (.com instead of .gov; while a .gov address wouldn't necessarily prove it was legit, the .com definitely marks it as not legit). Also worth noting, we have required IT Security Awareness training every year. Yes, phishing is clearly covered in the course.

        Still I'd rather answer that question than they just clicked through.

  2. Anonymous Coward
    Anonymous Coward

    Do they check if the data is legitimate?

    Sometimes (when I'm bored) I visit these sites and stick in stupid data, in the hopes that enough crap results will cause them to dump the data.

    Do you think I count as a statistic?

    1. Kane
      Thumb Up

      Re: Do they check if the data is legitimate?

      "Do you think I count as a statistic?"

      Only as an outlier, friend.

      1. P. Lee
        Trollface

        Re: Do they check if the data is legitimate?

        +1 for outliers

        I managed to keep Windows Support on the line for 40 minutes until they were threatening my children with untold peril.

        1. JeffUK

          Re: Do they check if the data is legitimate?

          My record is 2 hours, and I got them to call me back 3 times...

    2. James O'Shea

      Re: Do they check if the data is legitimate?

      Don't do that. Use

      935 Pennsylvania Avenue, NW

      Washington, D.C. 20535-0001

      (202) 324-3000

      or

      950 Pennsylvania Avenue, NW

      Washington, DC 20530-0001

      202-514-2000

      or maybe

      245 Murray Drive,

      Building 410,

      Washington, DC 20223

      202-406-5708

      instead. Have _fun_ with phishers.

      1. mtp
        Boffin

        Re: Do they check if the data is legitimate?

        Gilbert Murray

        The Laboratory

        Gypping in the Marsh

        England

        The original site is down and has been ambushed but the internet never forgets.

        http://web.archive.org/web/20090222145238/http://scambuster419.co.uk/inventor.htm

  3. ukgnome

    When I worked for a University we found that students were quite willing to give their details to any official looking web page.

    When we investigated we found that the mimicry of the phishing pages was quite good. It would take the spammers and fraudsters about an hour to reproduce a login page once we had made changes. I can see why some of the students and staff were hoodwinked. Having said that, it didn't stop me from lecturing them on security.

  4. SteveK

    But what proportion of those users would also fill in the forms on the least convincing phishing pages?

  5. Sludged

    Self-selection

    "which exclude people who don't click on links to visit phishing pages" it's almost a self-selecting group then, isn't it?

    1. Anonymous Coward
      Anonymous Coward

      Re: Self-selection

      Yes, but here's the problem: Even though it is a self-selecting group, odds are strong that at least one of these morons is one of your fellow employees even if they aren't IT staff. They fall for the phishing, and now the phishers have access to or control of a legitimate account. The phishers then use that account to propagate targeted phishing attempts, and since the sending account IS legitimate one of your key lines of defense is gone. Especially problematic if you have a mail service like GMail where it isn't uncommon to simply link to one of their app docs. Next thing you know they have control of a critical account, possibly even an admin and ...

      Yes, I wish I were making this up. AC for obvious reasons.

  6. Anonymous Coward
    Anonymous Coward

    Hardly surprising

    This is hardly surprising considering that many well known financial services organisations regularly send emails to their customers, with embedded HTML buttons inviting them to log in to their accounts and, presumably, enter their login details.

    These emails are almost indistinguishable from competently crafted phishing attacks.

    1. Chika

      Re: Hardly surprising

      This is hardly surprising considering that many well known financial services organisations regularly send emails to their customers, with embedded HTML buttons inviting them to log in to their accounts and, presumably, enter their login details.

      Totally agree with this. In fact this practice is not restricted to financial organisations. Generally I tend to never click on an email link no matter where it came from.

    2. Anonymous Coward
      Anonymous Coward

      Re: Hardly surprising

      > many well known financial services organisations regularly send emails to their customers, with embedded HTML buttons inviting them to log in to their accounts [....] These emails are almost indistinguishable from competently crafted phishing attacks.

      Not to mention that compared to the official bank, the phishing sites offer better customer service. :-b

    3. Anonymous Coward
      Anonymous Coward

      Re: Hardly surprising

      I'm sure I recall a time when banks in the UK didn't send emails to customers at all, as they just thought the risk too high. Once they'd got past 'your statement is ready' it was downhill all the way to the inevitable marketing drivel complete with, as you say, buttons and links. It's noticeable that phishing mails imitating my bank have gone up pretty much in line with the bank's increased output, and often use recent marketing mails the bank itself has sent, with most of the links still as they were in the original. The tactics are getting really sharp, even down to my correct name in some, presumably from some legit list they've got hold of, although the email address is obviously wrong. Even the excruciating spelling has almost disappeared.

      The banks really only have themselves to blame for providing the scammers with the tools and the sense of familiarity that now goes with bank emails.

      1. James O'Shea

        Re: Hardly surprising

        My bank sends emails which _always_ contain:

        my name (my correct name, not the version I hand out to places not needing to actually know this)

        the last four of my account number

        a note suggesting that I log in to their site normally, and that I never, ever, click on a link in any email supposedly coming from them, as such an email would not be one of theirs.

        I have got email allegedly from them which did not contain the above three items. In every case a look at the headers suggests that the email actually originated in Russia, Germany, Hong Kong, and, once, Brazil. The Brazilian one was memorable because it actually did have my correct name... but not the last four or the 'don't click' warning. It looked really good, too. I was tempted to go and see how closely they'd copied the bank's site, but settled for just forwarding it to my bank's anti-fraud people.

        1. Sarev

          Re: Hardly surprising

          > My bank sends emails which _always_ contain:

          > my name (my correct name, not the version I hand out to places not needing to actually know this)

          > the last four of my account number

          And emails being sent in the clear means you only need to intercept one of these in transit and you've got some excellent ammunition for a spot of spear phishing. Other posters are right: banks should never be emailing customers in the first place thereby setting the precedent for this type of attack.

        2. TkH11

          Re: Hardly surprising

          Don't we think it's about time the banks started using digital signatures?

        3. Captain DaFt

          Re: Hardly surprising

          "My bank sends emails"

          My bank never sends me emails... because when they asked for my email address, I said, "Sorry, don't have one."

          Technically true, I don't have one. :)

      2. Anonymous Coward
        Anonymous Coward

        Re: Hardly surprising

        "The banks really only have themselves to blame for providing the scammers with the tools and the sense of familiarity that now goes with bank emails."

        Verified by VISA anyone?

        The last time I had that pop up I chose "will collect and pay with cash" instead.

    4. Elmer Phud

      Re: Hardly surprising

      'These emails are almost indistinguishable from competently crafted phishing attacks.'

      Almost - until you hover over the main link

      1. JeffUK

        Re: Hardly surprising

        Except when the legitimate domain for the secure site is something like bankname-online.com rather than bankname.com. If the phisher used bankname-secure.com, how would a user know the difference?
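The "hover over the link" check above, and JeffUK's point that a sibling domain like bankname-online.com can be legitimate while bankname-secure.com is not, can be automated in a mail gateway or a user's own triage script. This is an added example and not code from the original thread; the HTML body, the bank name and the allow-list of legitimate domains are constructed here for illustration. It pulls every anchor out of an HTML email, compares the registrable domain of the href against an allow-list, and separately flags the trick where the visible link text names one domain while the href goes somewhere else.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (hypothetical bank, not a real mail). Link 1 shows the
# classic mismatch: the text says bankname.com, the href goes to a look-alike.
# Link 2 is on the real domain; link 3 is on a legitimate sibling domain.
SAMPLE_HTML = """
<p>Dear customer,</p>
<p>Please <a href="https://bankname-secure.com/login">log in at bankname.com</a> now.</p>
<p><a href="https://www.bankname.com/help">Help centre</a></p>
<p><a href="https://bankname-online.com/accounts">Online banking</a></p>
"""

# Assumed allow-list of domains the (hypothetical) bank really uses.
LEGIT_DOMAINS = {"bankname.com", "bankname-online.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Crude: keep the last two labels. Fine for .com; wrong for co.uk-style
    # suffixes, where a public-suffix list should be used instead.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


# Something that looks like a hostname inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def check_links(html, legit=LEGIT_DOMAINS):
    parser = LinkExtractor()
    parser.feed(html)
    brands = {registrable_domain(d).split(".")[0] for d in legit}
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        dom = registrable_domain(host)
        reasons = []
        if dom not in legit:
            reasons.append("href domain not on allow-list")
            # bankname-secure.com: not ours, but built around our brand name.
            if any(b in dom for b in brands):
                reasons.append("look-alike of a known brand domain")
        m = DOMAIN_IN_TEXT.search(text)
        if m and registrable_domain(m.group(1)) != dom:
            reasons.append("visible text names a different domain than the href")
        findings.append({"href": href, "text": text, "domain": dom,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_HTML):
        print(f["domain"], "SUSPICIOUS" if f["suspicious"] else "ok", f["reasons"])
```

The allow-list is the part that needs real maintenance: it is exactly the knowledge an ordinary user lacks when a bank scatters its services over several registered domains, which is JeffUK's point.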

    5. I ain't Spartacus Gold badge

      Re: Hardly surprising

      NatWest are still pretty good. The last email I got about one of my accounts had a button on it, which took you to info about some changes they're making, but it was on a natwest.com domain - and didn't have any links to log into your account.

      However Facebook have an interesting idea of security. I don't use it very often, and I always log out. So they've started quite heavily spamming me with emails, presumably in order to get me to use the damned site, and view lots of crappy adverts. I have relatives who post a lot, so there's always something to link to in an email. I know these aren't phishing because they have partial messages from people I know - and the links lead to FB. But when I click on the button, it logs me in to Facebook. Oddly if I then log out, and click on another mail (they often seem to send two or three at once) that time, I'm taken to the proper log in page. That is some particularly pisspoor security from Facebook.

      I keep meaning to go and change my email preferences to none. But I probably log-in unprompted about once every 6 weeks.

      I don't know why Facebook bother though. The quality of the ads they show me is shocking. It's spam and scam stuff. I know I've filled in virtually no personal info, but they can surely do better than ads for foreign brides, dodgy looking dating sites and 'competitions' to win free iPads/iPhones. I'm amazed any legitimate companies advertise with them. Occasionally I'll see a mainstream retailer - but it's mostly the sort of stuff you see on banner ads in the dodgier areas of the internet. I guess at least I've never seen an ad on FB for one of those "you have a virus use our free online scanners", so at least they have some standards and haven't completely plumbed the depths yet. That'll be for next year...

      1. Havin_it
        Trollface

        Re: Hardly surprising

        >[...]it's mostly the sort of stuff you see on banner ads in the dodgier areas of the internet.

        From the fact that you're actually seeing the ads on FB, we can conclude that you don't use AdBlock. (You could be making an ethical exception for FB, as we all do for El Reg of course, but given your apparent disdain for them this seems unlikely.)

        From that, I may tentatively infer that you don't use Ghostery either (or other means to thwart the colossal amount of tracking and profiling you're subjected to on the majority of the Web at large).

        Iff we believe that all this profiling actually works (OK, this is the weak point in the logic, as I'm sure I will presently be informed via a litany of tedious anecdotes), then I may be so bold as to redraft the above passage for you:

        >[...]it's mostly the sort of stuff you I see on banner ads in the dodgier areas of the internet.

        1. I ain't Spartacus Gold badge

          Re: Hardly surprising

          Havin_it,

          I couldn't be arsed. I know there's noscript, ghostery, adblock and all the rest. I installed a couple of them a few years ago. There was too much faffing around. You have to whitelist sites you want to get ads from, and sites where you want cookies (to show which articles you've already read), and I seem to remember you could download various whitelists and blacklists. So I played around with it all for half an hour, and ran it for a few days, and decided it was more effort than I could be bothered with.

          A periodic cleanout of cookies, care about what sites I go to, and the fact that I use several different computers and devices every day, and log onto different services on each, keeps my data trail a bit messed up. In the end I decided it's more trouble than it's worth to do more.

          I do run Flash Block sometimes, as that's nice and simple, and easy to allow stuff, as you just click on it.

          If I used Facebook regularly, which I don't, I'd accept their ads. As that's the funding model these sites use, and it's my rule to cooperate, unless there's a reason not to.

          Anyway I have ad-blocking software built into my brain. I don't notice them unless I choose to. Or obviously some annoying mis-behaving one zooms in to take over the screen or blares out loud noises.

      2. P. Lee
        Trollface

        Re: Hardly surprising

        You think the fb "logout" button does something other than stop your name from being displayed?

  7. James O'Shea

    Phishing is Phun

    My parents stuck me with no fewer than four saints' names. People who know me know which one I usually use (and no, it's not James). I can easily detect phishing attempts, and can have a good idea of where the phishers mined the initial info to make the attempt, based on which name (or the order of the names) I see in the phishing attempt. There would be a reason why I have multiple email accounts, only a few of which have my actual preferred name.

    1. Havin_it
      Pint

      Re: Phishing is Phun

      Excellent! I hope you thanked them for their foresight :)

      Signed,

      ****** Francis *******, brother of **** Augustine ******.

      [parents atheist, grandparents very much the opposite]

  8. Anonymous Coward
    Anonymous Coward

    *cough* PAYPAL *cough*

    Yes, Paypal.

    I got an email at work with an HTML link to go to the PayPal website, to look at an updated legal agreement on a new account.

    The domain name was so obscure that I had to check it was legit and not just a phish.

    Personally, if I need to go to any financial websites, I will log on to the website using my normal method, no matter what the email says..

  9. Palpy

    And raise a pint to DoubleClick!

    Seems those who serve up online advertising rent space to any blackhat phisher of men that walks in their digital doors. Drive-by downloads, hidden links, trojans, spyware, typhoid, the clap -- all served up with a nod and a wink by Adsense, Atlas, WebiMax, and a host of others.

    Remember, clicking on ads is like eating jellybeans off the pavement: the best you'll get is a few bugs.

    1. Anonymous Coward
      Anonymous Coward

      Re: And raise a pint to DoubleClick!

      The positive side is that making an argument against online advertising is made a lot easier by their own behaviour, which if anything appears to be getting worse. Eventually presumably it'll culminate in a malware delivery vicious and widespread enough to make the headlines in the mainstream press, then the fun really will start.

  10. Cynic_999

    A spate of phishing emails we received a few weeks ago worked as follows: an email to one email account has a header suggesting that it should have been delivered to a different account on the same (company) domain. The body suggests that it was sent by a lawyer and has an attachment purporting to be a defence document relating to "your criminal prosecution". The person receiving the email is thus quite likely to be a work colleague of the person the email was "supposed" to be delivered to, and may be curious as to the criminal prosecution alluded to. The fact that almost everyone in the company got a similar email at the same time rather gave the game away.
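Three comments in this thread point at the same thing: the full headers are "usually a dead giveaway" (but mobile clients hide them), a look at the headers showed James O'Shea's fake bank mail coming from Russia, Germany or Brazil, and Cynic_999's sample carried a To: header naming a different account from the one it landed in. The checks below automate those three inspections. This is an added example, not code from the thread; the two raw messages are constructed, with documentation IP ranges, and bankname.com is a hypothetical bank. It parses a message with the standard library, takes the earliest Received hop (the last one in the list, since each relay prepends its own), and flags a Return-Path or entry host that does not belong to the From: domain, an entry host with no reverse DNS, and a To: address that differs from Delivered-To.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed phish: From claims the bank, the envelope and the entry hop do
# not, and the To: header names a colleague rather than the actual recipient.
PHISH_MESSAGE = b"""Return-Path: <bounce@mailer-xyz.example.net>
Delivered-To: alice@example.com
Received: from mx.example.com (mx.example.com [192.0.2.10]) by mail.example.com with ESMTP id 1; Mon, 10 Nov 2014 10:00:00 +0000
Received: from host-203-0-113-7.example.net (unknown [203.0.113.7]) by mx.example.com with ESMTP id 2; Mon, 10 Nov 2014 09:59:58 +0000
From: "Bankname Security" <security@bankname.com>
To: bob@example.com
Subject: Your criminal prosecution - defence document attached
Content-Type: text/plain

Please open the attached document.
"""

# Constructed legitimate mail from the same hypothetical bank, for contrast.
CLEAN_MESSAGE = b"""Return-Path: <bounce@bankname.com>
Delivered-To: alice@example.com
Received: from mail.bankname.com (mail.bankname.com [198.51.100.5]) by mx.example.com with ESMTP id 3; Mon, 10 Nov 2014 11:00:00 +0000
From: "Bankname" <statements@bankname.com>
To: alice@example.com
Subject: Your statement is ready
Content-Type: text/plain

Log in as usual to view it.
"""

# "from <helo-name> (<reverse-dns> [<ip>])" as written by most MTAs.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(([^\s\[\]]+)\s+\[([^\]]+)\]\)", re.I)


def domain_of(addr):
    _, a = parseaddr(str(addr or ""))
    return a.rsplit("@", 1)[-1].lower() if "@" in a else ""


def originating_hop(msg):
    """Earliest Received hop: relays prepend, so it is the last in the list."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = RECEIVED_FROM.search(str(received[-1]).replace("\n", " "))
    if not m:
        return None
    helo, rdns, ip = m.groups()
    return {"helo": helo, "rdns": rdns, "ip": ip}


def under_domain(host, domain):
    host = host.lower().rstrip(".")
    return bool(domain) and (host == domain or host.endswith("." + domain))


def check_headers(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    to_addr = parseaddr(str(msg["To"] or ""))[1].lower()
    delivered = parseaddr(str(msg["Delivered-To"] or ""))[1].lower()
    hop = originating_hop(msg)
    flags = []
    if rp_dom and rp_dom != from_dom:
        flags.append("Return-Path domain differs from From domain")
    if hop:
        if hop["rdns"].lower() == "unknown":
            flags.append("entry hop has no reverse DNS")
        if not under_domain(hop["helo"], from_dom):
            flags.append("entry hop host is not under the From domain")
    if delivered and to_addr and delivered != to_addr:
        flags.append("To: header does not match the mailbox it was delivered to")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "entry_hop": hop, "flags": flags}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_MESSAGE), ("clean", CLEAN_MESSAGE)):
        r = check_headers(raw)
        print(name, r["entry_hop"], r["flags"] or "no flags")
```

None of these flags is proof on its own (plenty of legitimate bulk senders use a third-party Return-Path, which is why SPF, DKIM and DMARC results belong in a production version), but the entry-hop IP is what you would feed to a geolocation or reputation lookup to get the "originated in Brazil" verdict described above.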

    1. Anonymous Coward
      Anonymous Coward

      That's one of the reasons I'm belatedly grateful to my habit of proliferating a ridiculous number of addresses over the years - dodgy emails are made a lot more obvious when they appear half a dozen times in the space of a few minutes.

  11. Kevin McMurtrie Silver badge

    I follow the link

    I want to find out who is hosting the phish so I can get it nuked. The link e-mailed is usually a shady tracking service on a network like eNom, Internap, Rackspace, or Unified Layer. What's behind it is usually a compromised machine running ancient PHP admin consoles.

  12. Anonymous Coward
    Anonymous Coward

    I might inhale

    But I never click!

  13. Zog_but_not_the_first
    Facepalm

    Example?

    It would be helpful to have a link to an example of a convincing phishing site.

    No, wait...
