For a particular value of 'you'.
Which won't include most of the people reading this article.
Nearly half (45 per cent) of those who visit the most convincing phishing pages are tricked into handing over personal information, according to Google. This effectiveness drops to just three per cent in the case of the most obviously scummy phishing sites, while the online giant reports that the account hijackers work quickly …
Yes that, but also for a given value of "convincing".
It's bad enough that users will fall for phishing emails asking for their workplace credentials from the odd message that gets through the spam filters from total garbage addresses such as asdfg@hhjkls.ru, not to mention receiving them from other staff (who have already fallen victim to them) who they know well and are fully aware have nothing to do with the IT department.
But more recently, where I work, some absolutely atrocious phishing pages, which have clear indicators of not being genuine, such as the massive banner ads for viagra across the top of the page, have claimed a worrying number of victims.
The application of a small amount of logic and a pinch of cynicism should be enough to protect people from such terribly constructed phishing attempts, and if it doesn't they shouldn't be allowed to touch computers again.
AC, for obvious reasons.
Even with just a text screen it's usually bloody obvious that it isn't from a bank you've never used, as most of the links are all the same and they point to some obscure email address.
I know a couple of people who have been got at and never actually asked themselves if they even were a customer.
They are your average punter: you buy a box, plug it in, and McAfee/Norton or whatever comes with the box will protect them from evil - that's what the PC World ads say, so it must be true.
What's happening is the same as with cars - not many people even know what is under the bonnet these days. There's no need -- many never even check the basics as the annual service will sort it.
Does everyone even know where the bits are to change the wheel or even where the spare is kept?
http://www.youtube.com/watch?v=BHqL7dNujNc
(Standard Blazing Saddles clip as regards users)
"What's happening is the same as with cars - not many people even know what is under the bonnet these days. There's no need -- many never even check the basics as the annual service will sort it."
I like the analogy, but the flaw in it is that most people pay someone with training to service their car annually; how many do this for their PC?
Most people, if their car starts behaving weirdly or doing something it didn't do before, will seek professional advice; how many do this for their PC (before it's too late)?
Most people, if they get someone knocking at their front door claiming to be from the garage and to have come to service their car because it has a fault, when they hadn't called a garage about it, won't just hand over their keys. How many people fall victim to pop-up ads, emails or even this spate of phone calls claiming their PC has a virus and needs looking at: just click here, or type in this address to let us in to fix it?
The problem is, people don't view the things they access with their PC as "real", be it their email or their bank account; it's just on the computer, so it's OK.
It should be obvious when a phishing page arrives ... but for some reason many people don't notice.
Maybe the Invisible Gorilla phenomenon explains why we often don't see something that should be obvious. It happens to all of us some of the time.
http://theinvisiblegorilla.com/gorilla_experiment.html
Absolutely!
A couple of weeks back one of our drones forwarded an email to ask if it was real. It had all the classic marks of a phishing attack: glaringly misspelled words (a good mark for me for spelling was a C+ when I was in school, so anything I spot in 2 seconds is glaringly misspelled; even when posting on El Reg it's the spell checker that saves me from goofs), a warning of a dangerous result (purged account) if you "DON'T ACT NOW!" by clicking on the included link, and a visibly incorrect sender address (.com instead of .gov; while a .gov address wouldn't necessarily prove it was legit, the .com definitely marks it as not legit). Also worth noting: we have required IT Security Awareness training every year. Yes, phishing is clearly covered in the course.
Still I'd rather answer that question than they just clicked through.
Don't do that. Use
935 Pennsylvania Avenue, NW
Washington, D.C. 20535-0001
(202) 324-3000
or
950 Pennsylvania Avenue, NW
Washington, DC 20530-0001
202-514-2000
or maybe
245 Murray Drive,
Building 410,
Washington, DC 20223
202-406-5708
instead. Have _fun_ with phishers.
When I worked for a university we found that students were quite willing to give their details to any official-looking web page.
When we investigated we found that the mimicry of the phishing pages was quite good. It would take the spammers and fraudsters about an hour to reproduce a login page once we had made changes. I can see why some of the students and staff were hoodwinked. Having said that, it didn't stop me from lecturing them on security.
Yes, but here's the problem: Even though it is a self-selecting group, odds are strong that at least one of these morons is one of your fellow employees even if they aren't IT staff. They fall for the phishing, and now the phishers have access to or control of a legitimate account. The phishers then use that account to propagate targeted phishing attempts, and since the sending account IS legitimate one of your key lines of defense is gone. Especially problematic if you have a mail service like GMail where it isn't uncommon to simply link to one of their app docs. Next thing you know they have control of a critical account, possibly even an admin and ...
Yes, I wish I were making this up. AC for obvious reasons.
This is hardly surprising considering that many well known financial services organisations regularly send emails to their customers, with embedded HTML buttons inviting them to log in to their accounts and, presumably, enter their login details.
These emails are almost indistinguishable from competently crafted phishing attacks.
> This is hardly surprising considering that many well known financial services organisations regularly send emails to their customers, with embedded HTML buttons inviting them to log in to their accounts and, presumably, enter their login details.
Totally agree with this. In fact this practice is not restricted to financial organisations. Generally I tend to never click on an email link no matter where it came from.
> many well known financial services organisations regularly send emails to their customers, with embedded HTML buttons inviting them to log in to their accounts [....] These emails are almost indistinguishable from competently crafted phishing attacks.
Not to mention that compared to the official bank, the phishing sites offer better customer service. :-b
I'm sure I recall a time when banks in the UK didn't send emails to customers at all, as they just thought the risk too high. Once they'd got past 'your statement is ready' it was downhill all the way to the inevitable marketing drivel, complete with, as you say, buttons and links. It's noticeable that phishing mails imitating my bank have gone up pretty much in line with the bank's increased output, and often use recent marketing mails the bank itself has sent, with most of the links still as they were in the original. The tactics are getting really sharp, even down to my correct name in some, presumably from some legit list they've got hold of, although the email address is obviously wrong. Even the excruciating spelling has almost disappeared.
The banks really only have themselves to blame for providing the scammers with the tools and the sense of familiarity that now goes with bank emails.
My bank sends emails which _always_ contain:
my name (my correct name, not the version I hand out to places not needing to actually know this)
the last four of my account number
a note suggesting that I log in to their site normally, and that I never, ever, click on a link in any email supposedly coming from them, as such an email would not be one of theirs.
I have got email allegedly from them which did not contain the above three items. In every case a look at the headers suggests that the email actually originated in Russia, Germany, Hong Kong and, once, Brazil. The Brazilian one was memorable because it actually did have my correct name... but not the last four or the 'don't click' warning. It looked really good, too. I was tempted to go and see how closely they'd copied the bank's site, but settled for just forwarding it to my bank's anti-fraud people.
> My bank sends emails which _always_ contain:
> my name (my correct name, not the version I hand out to places not needing to actually know this)
> the last four of my account number
And emails being sent in the clear means you only need to intercept one of these in transit and you've got some excellent ammunition for a spot of spear phishing. Other posters are right: banks should never be emailing customers in the first place, thereby setting the precedent for this type of attack.
NatWest are still pretty good. The last email I got about one of my accounts had a button on it, which took you to info about some changes they're making, but it was on a natwest.com domain - and didn't have any links to log into your account.
However, Facebook have an interesting idea of security. I don't use it very often, and I always log out. So they've started quite heavily spamming me with emails, presumably in order to get me to use the damned site and view lots of crappy adverts. I have relatives who post a lot, so there's always something to link to in an email. I know these aren't phishing because they have partial messages from people I know - and the links lead to FB. But when I click on the button, it logs me in to Facebook. Oddly, if I then log out and click on another mail (they often seem to send two or three at once), that time I'm taken to the proper log-in page. That is some particularly piss-poor security from Facebook.
I keep meaning to go and change my email preferences to none. But I probably log-in unprompted about once every 6 weeks.
I don't know why Facebook bother though. The quality of the ads they show me is shocking. It's spam and scam stuff. I know I've filled in virtually no personal info, but they can surely do better than ads for foreign brides, dodgy looking dating sites and 'competitions' to win free iPads/iPhones. I'm amazed any legitimate companies advertise with them. Occasionally I'll see a mainstream retailer - but it's mostly the sort of stuff you see on banner ads in the dodgier areas of the internet. I guess at least I've never seen an ad on FB for one of those "you have a virus use our free online scanners", so at least they have some standards and haven't completely plumbed the depths yet. That'll be for next year...
>[...]it's mostly the sort of stuff you see on banner ads in the dodgier areas of the internet.
From the fact that you're actually seeing the ads on FB, we can conclude that you don't use AdBlock. (You could be making an ethical exception for FB, as we all do for El Reg of course, but given your apparent disdain for them this seems unlikely.)
From that, I may tentatively infer that you don't use Ghostery either (or other means to thwart the colossal amount of tracking and profiling you're subjected to on the majority of the Web at large).
Iff we believe that all this profiling actually works (OK, this is the weak point in the logic, as I'm sure I will presently be informed via a litany of tedious anecdotes), then I may be so bold as to redraft the above passage for you:
>[...]it's mostly the sort of stuff ~~you~~ I see on banner ads in the dodgier areas of the internet.
Havin_it,
I couldn't be arsed. I know there's NoScript, Ghostery, AdBlock and all the rest. I installed a couple of them a few years ago. There was too much faffing around. You have to whitelist sites you want to get ads from, and sites where you want cookies (to show which articles you've already read), and I seem to remember you could download various whitelists and blacklists. So I played around with it all for half an hour, ran it for a few days, and decided it was more effort than I could be bothered with.
A periodic cleanout of cookies, care about what sites I go to, and the fact that I use several different computers and devices every day, and log onto different services on each, keeps my data trail a bit messed up. In the end I decided it's more trouble than it's worth to do more.
I do run Flash Block sometimes, as that's nice and simple, and easy to allow stuff, as you just click on it.
If I used Facebook regularly, which I don't, I'd accept their ads. As that's the funding model these sites use, and it's my rule to cooperate, unless there's a reason not to.
Anyway I have ad-blocking software built into my brain. I don't notice them unless I choose to. Or obviously some annoying mis-behaving one zooms in to take over the screen or blares out loud noises.
My parents stuck me with no fewer than four saints' names. People who know me know which one I usually use (and no, it's not James). I can easily detect phishing attempts, and can have a good idea of where the phishers mined the initial info to make the attempt, based on which name (or the order of the names) I see in the phishing attempt. There would be a reason why I have multiple email accounts, only a few of which have my actual preferred name.
Yes, Paypal.
I got an email at work with an HTML link to go to the PayPal website, to look at an updated legal agreement on a new account.
The domain name was so obscure that I had to check it was legit and not just a phish.
Personally, if I need to go to any financial website, I will log on to the website using my normal method, no matter what the email says.
Seems those who serve up online advertising rent space to any blackhat phisher of men that walks in their digital doors. Drive-by downloads, hidden links, trojans, spyware, typhoid, the clap -- all served up with a nod and a wink by Adsense, Atlas, WebiMax, and a host of others.
Remember, clicking on ads is like eating jellybeans off the pavement: the best you'll get is a few bugs.
The positive side is that making an argument against online advertising is made a lot easier by their own behaviour, which if anything appears to be getting worse. Eventually presumably it'll culminate in a malware delivery vicious and widespread enough to make the headlines in the mainstream press, then the fun really will start.
A spate of phishing emails we received a few weeks ago worked as follows: an email to one email account has a header suggesting that it should have been delivered to a different account on the same (company) domain. The body suggests that it was sent by a lawyer and has an attachment purporting to be a defence document relating to "your criminal prosecution". The person receiving the email is thus quite likely to be a work colleague of the person the email was "supposed" to be delivered to, and may be curious as to the criminal prosecution alluded to. The fact that almost everyone in the company got a similar email at the same time rather gave the game away.
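The checks the posters above do by eye (does a bank mail carry the customer's name, the last four of the account and the "never click a link" note; where does the Received: chain say the mail actually entered our system; do the links really point at the bank's domain; and, for the "lawyer" mails, was the message delivered to a different mailbox than the one named in To:) can be run as header and body heuristics. The following is an added example, not code from any poster, bank or mail provider. The two sample messages, the domains (example.co.uk, examplebank.com, evil.example), the list of our own MX hosts and the assumption that the bank's standard warning contains the words "never" and "click" are all constructed for the example.

```python
"""Header- and body-level phishing triage for one raw RFC 5322 message.

Added example: checks a mail claiming to be from a bank for the markers the
posters describe. Domains, hosts and both sample messages are constructed.
"""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed phish: claims to be examplebank.com, handed to our MX by a host
# whose HELO name does not match its reverse DNS, delivered to a mailbox other
# than the one in To:, and linking to a look-alike host outside the bank.
SAMPLE_PHISH = """\
Delivered-To: alice@example.co.uk
Received: from mx.example.co.uk (mx.example.co.uk [192.0.2.10])
\tby mail.example.co.uk with ESMTP id 1; Mon, 05 Nov 2012 10:00:00 +0000
Received: from bank-secure.examplebank.com (unknown [198.51.100.77])
\tby mx.example.co.uk with SMTP id 2; Mon, 05 Nov 2012 09:59:58 +0000
From: "Example Bank" <security@examplebank.com>
To: bob@example.co.uk
Subject: Your account has been suspended
Content-Type: text/html; charset=utf-8

<p>Dear Customer,</p>
<p>Your account will be purged unless you
<a href="http://login.examplebank.com.evil.example/verify">ACT NOW</a>.</p>
"""

# Constructed genuine statement notice, for comparison.
SAMPLE_LEGIT = """\
Delivered-To: alice@example.co.uk
Received: from mx.example.co.uk (mx.example.co.uk [192.0.2.10])
\tby mail.example.co.uk with ESMTP id 3; Mon, 05 Nov 2012 11:00:00 +0000
Received: from smtp1.examplebank.com (smtp1.examplebank.com [203.0.113.5])
\tby mx.example.co.uk with ESMTP id 4; Mon, 05 Nov 2012 10:59:58 +0000
From: "Example Bank" <statements@examplebank.com>
To: alice@example.co.uk
Subject: Your statement is ready
Content-Type: text/plain; charset=utf-8

Dear Alice Example,

The statement for the account ending 1234 is ready. Log in at
https://www.examplebank.com/ as you normally would. We will never ask you
to click a link in an email to log in.
"""

# Assumed: these are our own mail hosts; Received: lines they wrote are trusted.
OUR_HOSTS = {"mail.example.co.uk", "mx.example.co.uk"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>\S+)"
)
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)


def entry_hop(msg):
    """(ip, helo, rdns) of the hop where one of OUR_HOSTS accepted the mail from
    a host that is not ours. Received: headers are newest-first, so the first
    such line is the trust boundary; anything below it may be forged."""
    for raw in msg.get_all("Received", []):
        m = RECEIVED_RE.search(re.sub(r"\s+", " ", str(raw)))
        if m and m["by"] in OUR_HOSTS and m["rdns"] not in OUR_HOSTS:
            return (m["ip"], m["helo"], m["rdns"])
    return None


def host_belongs_to(host: str, domain: str) -> bool:
    """True for the domain itself or a real subdomain, so that
    login.examplebank.com.evil.example is not treated as examplebank.com."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def triage(raw: str, bank_domain: str, customer_name: str, last4: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0].addr_spec
    if not host_belongs_to(sender.rsplit("@", 1)[-1], bank_domain):
        findings.append(f"sender {sender} is not at {bank_domain}")
    hop = entry_hop(msg)
    if hop:
        ip, helo, rdns = hop
        if not host_belongs_to(rdns, bank_domain):
            findings.append(f"entered from {ip} (reverse DNS {rdns}), not a {bank_domain} host")
        if helo.lower() != rdns.lower():
            findings.append(f"HELO {helo} does not match reverse DNS {rdns}")
    dt = msg.get("Delivered-To")
    delivered_to = str(dt).strip().lower() if dt else ""
    to_addrs = {a.addr_spec.lower() for a in msg["To"].addresses}
    if delivered_to and delivered_to not in to_addrs:
        findings.append(f"delivered to {delivered_to} but addressed to {', '.join(sorted(to_addrs))}")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = re.sub(r"<[^>]+>", " ", body)
    if customer_name.lower() not in text.lower():
        findings.append("missing customer name")
    if last4 not in text:
        findings.append("missing last four of account number")
    if not re.search(r"never.*click", text, re.I | re.S):
        findings.append("missing never-click warning")
    for url in HREF_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not host_belongs_to(host, bank_domain):
            findings.append(f"link to {host} is outside {bank_domain}")
    return {"sender": sender, "entry_hop": hop, "findings": findings,
            "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(raw, "examplebank.com", "Alice Example", "1234"))
```

The trust boundary in entry_hop matters more than the rest: every Received: line below the one our own MX wrote was supplied by the sender and can say anything, which is why the example stops at the first line our host added rather than at the bottom of the chain.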
I want to find out who is hosting the phish so I can get it nuked. The link e-mailed is usually a shady tracking service on a network like eNom, Internap, Rackspace, or Unified Layer. What's behind it is usually a compromised machine running ancient PHP admin consoles.