Are you vulnerable to Phishing? · Curiosity is bliss

Curiosity is bliss    Archive    Feed    About    Search

Julien Couvreur's programming blog and more

Are you vulnerable to Phishing?

 

You can try the MailFrontier Phishing IQ Test.
The quiz is a bit restrictive, as it doesn't provide access to the email headers, source or the linked pages. That simulates pretty much the experience of a "regular" user, except that the linked pages could be informative too. In any case, it shows that reliance on the content to tell legit emails from fake ones is a bad idea.

See that Code fish spam watch for more phishing examples.

The CEAS paper from MailFrontier, "Anatomy of a Phishing Email" lists social engineering and technical means to enhance these attacks.
Many of the technical tricks (onmouseover, borderless windows over the urlbar, ...) are really problems that should be solved at the browser/OS level. See "Secure Interaction Design" for some principles and examples related to secure UI design.
Here's an IE-only demo for a borderless window over the urlbar (thx Dungis).

Work arounds like phishmarks are just ways to rely on the browser's handling of cookies in a specific domain to give a visual indication that a page belongs to previously visited domain.
It doesn't work for domains that you've never been before and it doesn't work on machines that you never used before (that don't store your personal cookies).

Another possible solution, although extreme, would be to train the user never to click a link in an email.
Online businesses would have to provide a "communication" page attached to each user account.
Instead of wondering whether this email really comes from Paypal, I would just use my browser to log into Paypal and check the communication history. The notification email would simply say "Please check your Paypal account for some updates relative to x".

______________________________________

10 out of 10. whee

Posted by: michaela (August 13, 2004 06:54 AM) ______________________________________

I just assumed they were all false. hehe

Posted by: andy (August 20, 2004 04:00 AM)
comments powered by Disqus