
If phishers had a clue…

Most spam and phishing attempts are laughably bogus. What if they weren’t?



Transcript

This is Leo Notenboom for askleo.info.

Like most of you I’m sure, I get a fair amount of spam including a healthy
share of virus-laden messages and attachments as well as phishing scams.

Most of these messages work by trying to trick you into doing something –
perhaps buying something, opening up an attachment, visiting a web site, or at
its worst, visiting a web site and entering your personal information.

Phishing absolutely amazed me on several levels.

For one thing, so many of them are absolute junk! Broken English, horrible
formatting, even broken HTML in many cases – links that are obviously
fake.

A good 90% of the spam I get falls into that “so obviously fake, why do they
even try?” category.

Hence my second point of amazement: they work. As bad as those emails are,
people fall for them every day. Even after all this time. And it’s not an issue
of stupidity, though I’m sure there’s some of that out there, it’s more about
ignorance and education. What’s “obvious” junk to you and me isn’t so obvious
to many.

But that leads me to my third point, which I find kind of scary: a phisher
who would take the time to craft a proper message and write proper English
could rule the day. With so many phishing, virus and other spam messages being
so horribly, obviously broken, either in form or in language, a message that
wasn’t would stand out. Or rather, it wouldn’t stand out as being so obviously
bogus. And that would increase the chances of its success.

They are out there. I almost fell for one a few months ago. The timing was
right – I was involved in a transaction inquiry with my credit card company, and
sure enough I got email that looked like it was from a credit card company and
looked fairly legitimate. The phisher had taken the time to craft an
appropriate lure. As a result of the coincidence of my expecting email from my
credit card company, and the good imitation done by the phisher … well, I
almost clicked through. But I’ve trained myself. I always look at
where the link really goes by hovering over it before I click. Sure
enough – it was a total fraud.

And just to be clear, depending on your mail program, that “hovering over” I
did can also be spoofed. Really, the only totally safe thing to do is simply
never click on links in email unless you’re totally certain that you trust the
source.

Like I said, right now most spam is laughably bogus. But if more malware and
phishing authors ever get a clue, it’s going to get a lot more difficult to
tell what’s real from what’s fake.

I’d love to hear what you think. Visit askleo.info and enter 12058 in the go
to article number box to access the show notes, the transcript and to leave me
a comment. While you’re there, browse the hundreds of technical questions and
answers on the site.

Till next time, I’m Leo Notenboom, for askleo.info.
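
The check described in the transcript (compare what a link displays with where it really goes, and don't rely on hovering alone) can be done on the raw HTML of a message. The following is an added example, not part of the original show notes; the sample message and its `.test` domains are constructed, and the names `LinkAuditor` and `audit_links` are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample message body (not taken from a real email).
SAMPLE_HTML = """
<a href="http://login.example-billing.test/verify">https://www.examplebank.test/account</a>
<a href="https://www.examplebank.test/help"
   onmouseover="window.status='https://www.examplebank.test/help'">Help</a>
<a href="https://www.examplebank.test/contact">Contact us</a>
"""

# Matches visible link text that itself looks like a URL or bare hostname.
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)

class LinkAuditor(HTMLParser):
    """Collects href, visible text and script-handler use for every <a>."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            # Any on* attribute (onmouseover, onclick) can alter what hovering shows.
            self._cur = {"href": a.get("href") or "", "text": "",
                         "scripted": any(k.startswith("on") for k in a)}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None

def audit_links(html):
    """Return (real_host, shown_text, findings) for each link in the message."""
    parser = LinkAuditor()
    parser.feed(html)
    report = []
    for link in parser.links:
        findings = []
        real_host = (urlparse(link["href"]).hostname or "").lower()
        shown = HOSTLIKE.match(link["text"].strip())
        if shown and shown.group(1).lower() != real_host:
            findings.append("text-host-mismatch")  # text names one host, href another
        if link["scripted"]:
            findings.append("script-handler")      # hover display may not be trustworthy
        report.append((real_host, link["text"].strip(), findings))
    return report
```
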


10 comments on “If phishers had a clue…”

  1. to ask leo
    Just this morning I got quite a surprise. I was advised by a solicitor that a person with the same last name as mine, he and his family were killed in a car accident. He was adopted but his parents had passed away in 1976, and the solicitor had no history of his prior life before being adopted, saying that there is 6.8 million dollars left in said trust and that by some law in England if a close relative is not found, his attorney has authority to nominate a beneficiary from the family, so finding me. There is a lot more legal stuff but I am only a layman. He said that he would send ph. no. ext when he my confidence. He has what seems to be a proper letterhead, ph. no., address, name; it does seem to be original, but I have had a trojan before and it took weeks to get rid of it. I am tempted but not sure if I should open it and reply or not. I could send you the full letter but do not know how.
    Yours sincerely, Garry

  2. I too try to be very careful and check links, and I too have been duped by a better than average piece of spam. However, I also tell people that they should have a pretty good idea of what emails they have signed up for, and those emails should have a higher than normal level of trust. People should also be aware of what they sign up for, and a good example is…

    Down at the mall I occasionally see a new car with a table and small slips of paper asking for your name and address. The slips also state that they could win this car by entering. People write their info down then forget about it. Weeks or months later they get a notice from some place that wants them to come hear a lecture (typically 2 hours) and win a prize! Many people fail to realize that the two events are directly related and that people signed them up for that junk mail. So I would add: be careful with what you sign up for; a site should not be asking for your address to look around. Even then most providers give multiple email addresses and there are plenty of free ones, so have one email account for family and friends and make sure they know it is just for them. Then use an alternative email for signing up for things and when you start getting too much spam turn it off. Another point… if you suspect it is spam do not open it because then they know that address is legit and will give it/sell it to others… they might do so even if you do not open it, but you won't get as much spam.

  3. I wrote some relevant blog postings on this

    Defending against a phishing email message.
    http://blogs.cnet.com/8301-13554_1-9805875-33.html

    I set up an autoresponder that you can use to test if your email program can be manipulated with JavaScript to show the wrong link destination
    Test your e-mail program
    http://blogs.cnet.com/8301-13554_1-9806037-33.html

    Is that e-mail message legit? How a computer nerd analyzes it
    http://blogs.cnet.com/defensive-computing/8301-13554_1-9814781-33.html

  4. Recently my credit card expired and was upgraded but I forgot/neglected to tell my ISP which tried billing me with the old details and they then sent me an email asking me to update my details via the link provided in the email. While the email turned out to be genuine, how different was that from the usual phishing emails which are always asking you to update details for your bank accounts or whatever? I contacted the ISP via my usual web link and commented about their look-alike phishing email and they said they had always done it that way. So no wonder people keep getting caught by these things.

  5. Two things about this: one is perhaps a phish might look obvious to one machine but not the same to another; the second is that it's as atrocious as what a computer attempting literal reasoning in speech… so maybe this is machine generated and unique to each machine's display that receives it… or set of common variables?

  6. Leo, good buddy, I realize you know this ‘work’ better than Able himself BUT I am sure the phishers appreciate the information on how to improve their ‘work’. BTW, what is “hovering” (as to email)? How may one do that? Ole (_E=mc2_) here.

  7. I find it hard to believe that most spam or phishing works but the social engineering can work well on people who would never open up spam or a money scam.
    A friend realized (right after she clicked) that the “package cannot be delivered” message was suspicious. She was waiting for a package that was a little slow.

    My bank has a second page that will display a picture that you have chosen and text that you create, that you have to go through before signing in. My mother and siblings probably wouldn’t guess the correct picture or the text that I attached with it. They are the only ones who would say “that makes sense”.

    It’s actually scary how many people do purchase from or fall for spam/scam emails. Enough to make spamming a very lucrative, if illegal, business.

    The “show me a picture I’ll recognize” security measures are somewhat laughable as they can be hijacked, in a sense, by what’s called a “man in the middle” attack.

    Leo
    09-Sep-2009
  8. This is a question.
    Let’s suppose a user never clicks an email, web or any other link to any web site where financial transactions can be made, and does not respond to popups. He keeps his computer completely patched and all programs updated, has a stealthed firewall and high detection AV/AS programs.
    The first time he visits a bank web site, he uses the URL he got from the bank. Then he bookmarks an https page within the web site after logging in.
    He visits each bank site in a separate, dedicated sandbox (www.sandboxie.com). After each banking session he deletes the contents of the sandbox. When he does another banking session, he only uses the https bookmark to access the banking site. He opens only one tab in the sandboxed browser.
    What I would like to know is how this user could get phished using these procedures and only these procedures?

  9. My bank has now issued us all with a hardware device – free. But we can also buy more (at equivalent to about US$10 each) as spares and to carry or store in chosen locations. The device is useless in the wrong hands as it will only work if one of the correct, registered, ATM cards is inserted and the PIN entered when instructed by the readout on the device’s LCD screen. At the last stage of screen login to online banking, on the final login webpage, the device must be set to generate a use-once numerical code and this must be entered into the on-screen fields, along with the last four digits of the registered ATM card that has been inserted in the device’s reader. If it’s all pukka, you’re in. If you’re outside the home and you have a shoulder-surfer or are being key-logged, the code is useless to anyone else as it won’t work twice!!! The device is no bigger than a video iPod and has a battery life of several years. As I have more than one, battery failure is not an issue. When due, the bank will change them, or, for the tech savvy with the right screwdrivers, they are just internal button cells and there’s no volatile memory to worry about. As an extra precaution, you get the usual three goes on each of your cards to enter the PIN when prompted. If you mess up, that card – and only that one (so you can use your others in the meantime) – is locked out until you can insert it in one of the bank’s own ATMs, whereupon an unlock procedure will be supplied via the ATM’s on-screen prompts. So, to hack one of this bank’s accounts, you’d need all the preliminary on-screen login details, one of the devices, one of the registered ATM cards for that account and the correct PIN for that card. In addition to logging in, different use-once codes will be required from the device to make instant online payments or credit transfers to any recipient who has not been pre-registered as a regular payee from that account.
Oh yes, as this is European banking, all cards are, of course, “Smart” (Chip-n-PIN), so there’s no way to clone any of them with magnetic readers either.

