Listen to the podcast: If phishers had a clue...
Transcript
This is Leo Notenboom for askleo.info.
Like most of you I'm sure, I get a fair amount of spam including a healthy share of virus-laden messages and attachments as well as phishing scams.
Most of these messages work by trying to trick you into doing something - perhaps buying something, opening up an attachment, visiting a web site, or at its worst, visiting a web site and entering your personal information.
Phishing absolutely amazes me on several levels.
For one thing, so many of them are absolute junk! Broken English, horrible formatting, even broken HTML in many cases - links that are obviously fake.
A good 90% of the spam I get falls into that "so obviously fake, why do they even try?" category.
Hence my second point of amazement: they work. As bad as those emails are, people fall for them every day. Even after all this time. And it's not an issue of stupidity, though I'm sure there's some of that out there, it's more about ignorance and education. What's "obvious" junk to you and me isn't so obvious to many.
But that leads me to my third point, which I find kind of scary: a phisher who would take the time to craft a proper message and write proper English could rule the day. With so many phishing, virus and other spam messages being so horribly, obviously broken, either in form or in language, a message that wasn't would stand out. Or rather, it wouldn't stand out as being so obviously bogus. And that would increase the chances of its success.
They are out there. I almost fell for one a few months ago. The timing was right - I was involved in a transaction inquiry with my credit card company, and sure enough I got email that looked like it was from a credit card company and looked fairly legitimate. The phisher had taken the time to craft an appropriate lure. As a result of the coincidence of my expecting email from my credit card company, and the good imitation done by the phisher ... well, I almost clicked through. But I've trained myself. I always look at where the link really goes by hovering over it before I click. Sure enough - it was a total fraud.
And just to be clear, depending on your mail program, that "hovering over" I did can also be spoofed. Really, the only totally safe thing to do is simply never click on links in email unless you're totally certain that you trust the source.
Like I said, right now most spam is laughably bogus. But if more malware and phishing authors ever get a clue, it's going to get a lot more difficult to tell what's real from what's fake.
I'd love to hear what you think. Visit askleo.info and enter 12058 in the go to article number box to access the show notes, the transcript and to leave me a comment. While you're there, browse the hundreds of technical questions and answers on the site.
Till next time, I'm Leo Notenboom, for askleo.info.
Article C3225 - December 2, 2007
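The hover check described in the transcript, as an added example that is not from the podcast or the site: a short Python script that reads the real href behind each link in an HTML mail body and flags links whose visible text claims a different domain. The sample message and every domain name in it are constructed; the registrable-domain helper is a deliberate simplification and assumes no public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message: the visible link text names one site,
# the href behind it points to another (the lure shape the transcript describes).
SAMPLE_HTML = """
<p>Please review your recent transaction inquiry:</p>
<a href="http://login.example-bank.com.evil.example.net/verify">
  https://www.example-bank.com/inquiry</a>
<p>Questions? <a href="https://www.example-bank.com/help">Help center</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, normalized visible text) for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def registrable_domain(host):
    """Last two labels of a hostname. Assumption: no public-suffix list, so
    multi-label suffixes such as co.uk are not handled here."""
    return ".".join(host.lower().split(".")[-2:])

def mismatched_links(html):
    """Return (shown_text, real_href) for links whose visible text claims a URL
    or domain but whose href leads elsewhere: the hover check, done on raw HTML."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, shown in parser.links:
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", shown, re.I)
        if not m:
            continue  # plain text such as "Help center" makes no domain claim
        shown_dom = registrable_domain(m.group(1))
        real_dom = registrable_domain(urlparse(href).hostname or "")
        if shown_dom != real_dom:
            flagged.append((shown, href))
    return flagged
```

Running `mismatched_links(SAMPLE_HTML)` flags the first link only; the "Help center" link makes no domain claim in its text, so there is nothing to compare.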
Leo, good buddy, I realize you know this 'work' better than Able himself BUT I am sure the phishers appreciate the information on how to improve their 'work'. BTW, what is "hovering" (as to email)? How may one do that? Ole (_E=mc2_) here.
Posted by: Bob Pease Jr at December 8, 2007 5:13 PM
I find it hard to believe that most spam or phishing works but the social engineering can work well on people who would never open up spam or a money scam.
A friend realized (right after she clicked) that the "package cannot be delivered" message was suspicious. She was waiting for a package that was a little slow.
My bank has a second page that will display a picture that you have chosen and text that you create, that you have to go through before signing in. My mother and siblings probably wouldn't guess the correct picture or the text that I attached with it. They are the only ones who would say "that makes sense".
The "show me a picture I'll recognize" security measures are somewhat laughable as they can be hijacked, in a sense, by what's called a "man in the middle" attack.
09-Sep-2009
I did the same stupid thing just a few days ago, and I know better. Lucky for me my Spysweeper from Webroot caught it in time.
Posted by: Paul G. Pousson at September 16, 2009 11:07 AM
This is a question.
Posted by: howiem at October 20, 2009 6:31 AM
Let's suppose a user never clicks an email, web or any other link to any web site where financial transactions can be made, and does not respond to popups. He keeps his computer completely patched and all programs updated, has a stealthed firewall and high detection AV/AS programs.
The first time he visits a bank web site, he uses the URL he got from the bank. Then he bookmarks an https page within the web site after logging in.
He visits each bank site in a separate, dedicated sandbox (www.sandboxie.com). After each banking session he deletes the contents of the sandbox. When he does another banking session, he only uses the https bookmark to access the banking site. He opens only one tab in the sandboxed browser.
What I would like to know is how this user could get phished using these procedures and only these procedures?
My bank has now issued us all with a hardware device - free. But we can also buy more (at equivalent to about US$10 each) as spares and to carry or store in chosen locations. The device is useless in the wrong hands as it will only work if one of the correct, registered ATM cards is inserted and the PIN entered when instructed by the readout on the device's LCD screen. At the last stage of screen login to online banking, on the final login webpage, the device must be set to generate a use-once numerical code and this must be entered into the on-screen fields, along with the last four digits of the registered ATM card that has been inserted in the device's reader. If it's all pukka, you're in. If you're outside the home and you have a shoulder-surfer or are being key-logged, the code is useless to anyone else as it won't work twice!!! The device is no bigger than a video iPod and has a battery life of several years. As I have more than one, battery failure is not an issue. When due, the bank will change them, or, for the tech savvy with the right screwdrivers, they are just internal button cells and there's no volatile memory to worry about. As an extra precaution, you get the usual three goes on each of your cards to enter the PIN when prompted. If you mess up, that card - and only that one (so you can use your others in the meantime) - is locked out until you can insert it in one of the bank's own ATMs, whereupon an unlock procedure will be supplied via the ATM's on-screen prompts. So, to hack one of this bank's accounts, you'd need all the preliminary on-screen login details, one of the devices, one of the registered ATM cards for that account and the correct PIN for that card. In addition to logging in, different use-once codes will be required from the device to make instant online payments or credit transfers to any recipient who has not been pre-registered as a regular payee from that account.
Oh yes, as this is European banking, all cards are, of course, "Smart" (Chip-n-PIN), so there's no way to clone any of them with magnetic readers either.
Posted by: Ian at October 24, 2009 7:18 AM