aidan_walsh

[web] Paper: Why Phishing Works


(When I decided on posting this, it came down to a toss up between Web Development and The Lounge. I thought WD would be more relevant, so I posted it here. If any mod disagrees, by all means do yar thang...) This paper gives an interesting insight into how phishing techniques are able to trick people into giving over their information. It's a very good read that offers a glimpse into the thoughts of a group of users who were asked to determine the real from the fake during a test of 19 websites, some phishing sites that were cunningly constructed. In some ways it tells us things we already know (users don't read dialogs before clicking "OK"), but other things are just scary. Who knew that Chinese, two "v" characters, and a bear could do so much potential damage...

I once did an online test where you had to pick the phishers from the real sites in a similar manner. Even I couldn't get them all correct (though I probably would have detected that Bank o/t West as a fake). Some phishing sites are *really* good.

Anyway, there's no chance of me ever getting duped for two reasons:

1) I view all my e-mail in text/plain. Phishing e-mails really stand out that way since you can easily see the fake URLs when Thunderbird converts an HTML e-mail to text.

2) I don't have the keys to my online bank account. Usually people have a list of codes or something similar that they have to enter at the bank's website each time they want to transfer money (TAN codes). I don't. When I want to transfer money, my bank sends me one TAN code by SMS. I can't give phishers access even if I would want to :-)

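The "fake URLs stand out in plain text" observation above can be automated: compare the host a link *shows* with the host its href actually points to, and flag mismatches and non-ASCII (lookalike) hosts. This is an added example, not code from the thread or the paper; the HTML e-mail body and the lookalike domains in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

# Visible text that itself looks like a URL or bare domain, e.g. "www.example.com".
_HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def _shown_host(text):
    m = _HOST_RE.match(text)
    return m.group(1).lower() if m else None

def _norm(host):
    # "www.bank.com" and "bank.com" are treated as the same site.
    return host[4:] if host.startswith("www.") else host

def find_deceptive_links(html):
    """Return (visible_text, href, reason) for anchors whose visible text names a
    different host than the href, or whose href host contains non-ASCII characters."""
    p = _AnchorCollector()
    p.feed(html)
    findings = []
    for href, text in p.anchors:
        real = urlparse(href).hostname
        if not real:
            continue  # relative or mailto: links carry no host to compare
        if not real.isascii():
            findings.append((text, href, "non-ascii host"))
            continue
        shown = _shown_host(text)
        if shown and _norm(shown) != _norm(real) and not _norm(real).endswith("." + _norm(shown)):
            findings.append((text, href, "text/href host mismatch"))
    return findings

# Constructed sample: a "vv" lookalike and a Cyrillic "а" (U+0430) in the host.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account at
<a href="http://www.bankofthevvest.com/login">www.bankofthewest.com</a>.</p>
<p>Or read our <a href="https://www.bankofthewest.com/help">help pages</a>.</p>
<p>Also <a href="http://p\u0430ypal.com/">https://www.paypal.com</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: shows {text!r} but points to {href!r}")
```

Links whose visible text is ordinary words ("help pages") cannot be checked this way; the same idea applied to the raw host list is what the paper's "two v characters" example illustrates.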
Nice to see a quantitative analysis on this subject for a change, but the 3 main reasons for why Phishing works are a bit obvious. However, I couldn't find in the paper if the sites were actually functional or if the participants had to guess from looking at the main site page only.

I think if a phishing site displayed the behavior visitors would expect from the original site, they'd be duped more easily. We pulled this prank on a college machine years ago, using the Windows hosts file to send people to a local webserver from which a customized version of the login page for Hotmail was displayed. Upon logging in, the login data would be sent to a dynamic webpage that would save the login data in a DB and resubmit it to Hotmail for normal use. From the amount of addresses we gathered from that single machine, I don't think anyone noticed that the page changed twice [grin]

The ways to prevent this are a bit flawed. The easiest way would be to check by referrer, but that's not 100% reliable since afaik not all browsers pass this to the webserver, mostly for privacy reasons. Another option would be the "type this number" approach you commonly see on public web pages to prevent automated submissions, but this poses an inconvenience to visitors.

Disclaimer: no harmful things were done using the info we phished :)
