Why My Friends and Relatives Get My Tirades About Putting Me In Long To: and cc: Lists
A few years ago I began telling relatives that I would not give them technical advice if they didn’t bother to have basic antivirus software or sent me chain mail, jokes or any “look at this” email that didn’t explain in a sentence where I’d be sent, with a link. Any story, no matter how tear-jerking, if it didn’t have a link to its source, would be ignored.
I would even change political parties if my most loathed candidate from the other party would grant me the license to deny Internet access to anyone who sent out 3 debunkable hoaxes that could be found in a 4-word Google search where “Snopes” is one of the words, as in “Snopes microsoft cash”.
But what’s getting my goat is just how gullible most well-meaning folks are and how clueless they are about their habits. Bruce Schneier discusses social phishing, and how it is more who sends you an email than its contents that determine whether you’ll go to where it directs you, no matter how dangerous.
Phishing Studies
Two studies. The first one looks at social phishing:
Test subjects received an e-mail with headers spoofed so that it appeared to originate from a member of the subject’s social network. The message body was comprised of the phrase “hey, check this out!” along with a link to a site ostensibly at Indiana University. The link, however, would direct browsers to www.whuffo.com, where they were asked to enter their Indiana username and password. Control subjects were sent the same message originating from a fictitious individual at the university.
The results were striking: apparently, if the friends of a typical college student are jumping off a cliff, the student would too. Even though the spoofed link directed browsers to an unfamiliar .com address, having it sent by a familiar name sent the success rate up from 16 percent in controls to over 70 percent in the experimental group. The response was quick, with the majority of successful phishes coming within the first 12 hours. Victims were also persistent; all responses received a busy server message, but many individuals continued to visit and supply credentials for hours (one individual made 80 attempts).
Females were about 10 percent more likely to be victims in the study, but male students were suckers for their female friends, being 15 percent more likely to respond to phishes from women than men. Education majors had the smallest disparity between experimental and control members, but that’s in part because those majors fell for the control phish half the time. Science majors had the largest disparity–there were no control victims, but the phish had an 80 percent success rate in the experimental group.
Okay, so no surprise there. But this is interesting research into how who we trust can be exploited. If the phisher knows a little bit about you, he can more effectively target your friends.
And we all know that some men are suckers for what women tell them.
Another study looked at the practice of using the last four digits of a credit-card number as an authenticator. Seems that people also trust those who know the first four digits of their credit-card number:
Jakobsson also found a problem related to the practice of credit card companies identifying users by the last four digits of their account numbers, which are random. From his research, it turns out people are willing to respond to fraudulent e-mails if the attacker correctly identifies the first four digits of their account numbers, even though the first four are not random and are based on who issued the card.
“People think [the phrase] ’starting with’ is just as good as ‘ending with,’ which of course is remarkable insight,” he said.
Another attack comes to mind. You can write a phishing e-mail that simply guesses the last four digits of someone’s credit-card number. You’ll only be right one in ten thousand times, but if you send enough e-mails that might be enough.
A virus that compromises my friends’ email address book compromises me. I want to take all email I get from my family and friends seriously, but if they’re sloppy and lax and add me to their To: and cc: lines in their email headers to spread around jokes and stories I last thought were funny in 1998, not only do they put me at risk, but everyone they know now has my legit email address.
Don’t be sloppy with the email addresses of your friends, relatives and business contacts.
Discover and learn to love your email’s BCC.
I really don’t want to have to say these words under oath… “And that’s when I started pummeling them with my cluebat, your honor…”