Why phishing reels punters in

31 Mar 2006 14:04

User stupidity, natch

To tech-savvy punters most phishing sites are obviously bogus. But a recent study by academics at Harvard and Berkeley reveals that 23 per cent of users only look at the content of sites when deciding whether they are legitimate or not. The presence or absence of SSL certificates and the URL of sites don't enter into the decision of these potential dupes.

The study, Why phishing attacks work (PDF), suggests that greater user education and improved technical safeguards in upcoming browsers (both Firefox 2.0 and IE7 promise anti-phishing features) are needed in order to bring the problem of online fraud under control.

The usability study involved only a small sample of 22 users who were shown 20 websites and asked to determine which ones were fraudulent.

"We found that 23 per cent of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40 per cent of the time," the researchers report. "We also found that some visual deception attacks can fool even the most sophisticated users."

The research cites separate academic studies that suggest some phishing attacks convince up to five per cent of their recipients to provide sensitive information. Another study suggested that even when toolbars were used to notify users of potential security problems, users were tricked into providing information 34 per cent of the time.

The aim of the Harvard and Berkeley study is to help security pros better understand the attack strategies of phishing fraudsters so more effective defensive strategies can be formulated.

The Anti-Phishing Working Group received reports of 9,715 phishing websites mimicking 101 brands in January 2006, the latest month for which records are available. ®
Related stories: Phishing with Rachna Dhamija (21 June 2006)