Archive for the 'spam' Category

Why My Friends and Relatives Get My Tirades About Putting Me In Long To: and cc: Lists

Posted in Internet, Security, spam on August 15th, 2007 by Aaron

A few years ago I began telling relatives that I would not give them technical advice if they didn’t bother to have basic antivirus software or sent me chain mail, jokes or any “look at this” email that didn’t explain in a sentence where I’d be sent, with a link. Any story, no matter how tear-jerking, if it didn’t have a link to its source, would be ignored.

I would even change political parties if my most loathed candidate from the other party would grant me the license to deny Internet access to anyone who sent out 3 debunkable hoaxes that could be found in a 4-word Google search where “Snopes” is one of the words, as in “Snopes microsoft cash”

But what’s getting my goat is just how gullible most well-meaning folks are and how clueless they are about their own habits. Bruce Schneier discusses social phishing, and how it is who sends you an email, more than its contents, that determines whether you’ll go where it directs you, no matter how dangerous.

Phishing Studies

Two studies. The first one looks at social phishing:

Test subjects received an e-mail with headers spoofed so that it appeared to originate from a member of the subject’s social network. The message body was comprised of the phrase “hey, check this out!” along with a link to a site ostensibly at Indiana University. The link, however, would direct browsers to www.whuffo.com, where they were asked to enter their Indiana username and password. Control subjects were sent the same message originating from a fictitious individual at the university.

The results were striking: apparently, if the friends of a typical college student are jumping off a cliff, the student would too. Even though the spoofed link directed browsers to an unfamiliar .com address, having it sent by a familiar name sent the success rate up from 16 percent in controls to over 70 percent in the experimental group. The response was quick, with the majority of successful phishes coming within the first 12 hours. Victims were also persistent; all responses received a busy server message, but many individuals continued to visit and supply credentials for hours (one individual made 80 attempts).

Females were about 10 percent more likely to be victims in the study, but male students were suckers for their female friends, being 15 percent more likely to respond to phishes from women than men. Education majors had the smallest disparity between experimental and control members, but that’s in part because those majors fell for the control phish half the time. Science majors had the largest disparity–there were no control victims, but the phish had an 80 percent success rate in the experimental group.

Okay, so no surprise there. But this is interesting research into how who we trust can be exploited. If the phisher knows a little bit about you, he can more effectively target your friends.

And we all know that some men are suckers for what women tell them.

Another study looked at the practice of using the last four digits of a credit-card number as an authenticator. Seems that people also trust those who know the first four digits of their credit-card number:

Jakobsson also found a problem related to the practice of credit card companies identifying users by the last four digits of their account numbers, which are random. From his research, it turns out people are willing to respond to fraudulent e-mails if the attacker correctly identifies the first four digits of their account numbers, even though the first four are not random and are based on who issued the card.

“People think [the phrase] ‘starting with’ is just as good as ‘ending with,’ which of course is remarkable insight,” he said.

Another attack comes to mind. You can write a phishing e-mail that simply guesses the last four digits of someone’s credit-card number. You’ll only be right one in ten thousand times, but if you send enough e-mails that might be enough.

A virus that compromises my friends’ email address books compromises me. I want to take all email I get from my family and friends seriously. But if they’re sloppy and lax and add me to the To: and cc: lines of the jokes and stories they spread around (jokes I last thought were funny in 1998), they not only put me at risk: everyone they know now has my legit email address, and so does every piece of malware that harvests one of their address books.

Don’t be sloppy with the email addresses of your friends, relatives and business contacts.

Discover and learn to love your email’s BCC.
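The study quoted above relied on two tricks that a mail client will happily hide from you: a spoofed From: header carrying a friend’s name, and a link whose visible text names one site while its href points at another (ostensibly Indiana University, actually www.whuffo.com). The following is an added example, not part of the original post or the study, showing the two mechanical checks that catch exactly those tricks: comparing the From: domain against the envelope sender (Return-Path), and comparing each link’s anchor text against its real destination. The sample message, the mailer.example.net host and the 203.0.113.7 address are all constructed for the illustration.

```python
"""Two mechanical phishing tells from the social-phishing study:
sender spoofing (From: domain != envelope sender domain) and
deceptive links (anchor text names one site, href points at another).
The message below is constructed for this example; only whuffo.com and
indiana.edu come from the study as quoted."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the study: a friend's name in From:, link
# text that looks like the university, href that goes elsewhere.
SAMPLE_EML = """\
Return-Path: <bulk@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.7]) by mx.indiana.edu
From: "A Friend" <friend@indiana.edu>
To: student@indiana.edu
Subject: hey
Content-Type: text/html; charset="utf-8"

<html><body>hey, check this out!
<a href="http://www.whuffo.com/login">http://www.indiana.edu/~friend/pics</a>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude site label: the last two DNS labels (fine for .com/.edu/.net)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def host_of(text):
    """Host named by a URL or URL-looking string, or '' if there is none."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def sender_mismatch(msg):
    """True when the From: domain differs from the Return-Path (envelope) domain."""
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    rp_addr = email.utils.parseaddr(str(msg.get("Return-Path", "")))[1]
    d_from = from_addr.rpartition("@")[2]
    d_rp = rp_addr.rpartition("@")[2]
    return bool(d_from and d_rp) and registrable(d_from) != registrable(d_rp)


def deceptive_links(msg):
    """Links whose visible text names a different site than the href."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _LinkExtractor()
    parser.feed(body.get_content())
    bad = []
    for href, text in parser.links:
        shown, real = host_of(text), host_of(href)
        if shown and real and registrable(shown) != registrable(real):
            bad.append((text, href))
    return bad


def analyse(raw):
    """Run both checks over a raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {"sender_mismatch": sender_mismatch(msg),
            "deceptive_links": deceptive_links(msg)}


if __name__ == "__main__":
    print(analyse(SAMPLE_EML))
```

Neither check proves a message is a phish (mailing lists and forwarding break the envelope check, and plenty of legitimate mail wraps links through a tracker), but both are cheap and catch the specific construction the study used. The envelope check is also what SPF and DMARC formalise; this version just makes the comparison visible.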

I really don’t want to have to say these words under oath… “And that’s when I started pummeling them with my cluebat, your honor…”


One Laptop Per Child Succumbs to the Law of Unintended Consequences

Posted in Internet, breaking news, spam on July 20th, 2007 by Aaron


When the epicenter of spam, Nigeria, meets the charitable intentions of One Laptop Per Child and the nature of children to explore where they ought not, this is what comes of it:

Nigerian pupils browse porn on donated laptops

Thu 19 Jul 2007, 15:34 GMT

ABUJA, July 19 (Reuters Life!) - Nigerian schoolchildren who received laptops from a U.S. aid organisation have used them to explore pornographic sites on the Internet, the official News Agency of Nigeria (NAN) reported on Thursday.

NAN said its reporter had seen pornographic images stored on several of the children’s laptops.

“Efforts to promote learning with laptops in a primary school in Abuja have gone awry as the pupils freely browse adult sites with explicit sexual materials,” NAN said.

A representative of the One Laptop Per Child aid group was quoted as saying that the computers, part of a pilot scheme, would now be fitted with filters.

Maybe “one laptop per child” got translated into “one lapdance per child”?

We should also have OLPC consider the wisdom of giving the world’s spam capital more tools to perpetuate their scams.



Another one bites the dust - top 10 spammer in the slammer

Posted in Internet, Security, Shows, breaking news, spam on May 31st, 2007 by Aaron

If you notice tomorrow that your inbox is a little less crowded, it might be because a Seattle jail cell is a little more full.

Federal authorities today arrested Robert Alan Soloway for mail fraud, wire fraud, e-mail fraud, aggravated identity theft, money laundering, and impersonating the licentious wife of a Nigerian oil minister. (Okay, we made that last one up.) But they did slam him with a 35-count indictment.

The young internet entrepreneur allegedly crossed over to the dark side when he used hijacking viruses to take over the computers of unsuspecting internet users. Hunting down vulnerable PCs on cable and DSL networks, he would (allegedly) load a remote email module which could be activated at his discretion. This allowed him to steal bandwidth from various ISPs, cable companies, etc. and use their networks to distribute his marketing materials. In his scheme, he not only stole the bandwidth, time, attention and resources of his recipients, but also the network resources of his unwitting slave mailers.

“He’s one of the top 10 spammers in the world,” said Tim Cranton, a Microsoft Corp. lawyer who is senior director of the company’s Worldwide Internet Safety Programs. “He’s a huge problem for our customers. This is a very good day.”

Soloway pleaded not guilty Wednesday afternoon to all charges after a judge determined that — even with four bank accounts seized by the government — he was sufficiently well off to pay for his own lawyer.

He has been living in a ritzy apartment and drives an expensive Mercedes convertible, said prosecutor Kathryn Warma. Prosecutors are seeking to have him forfeit $773,000 they say he made from his business, Newport Internet Marketing Corp.

He continued his activities even after Microsoft won a $7 million civil judgment against him in 2005 and the operator of a small Internet service provider in Oklahoma won a $10 million judgment, prosecutors said.

U.S. Attorney Jeff Sullivan said Wednesday that the case is the first in the country in which federal prosecutors have used identity theft statutes to prosecute a spammer for taking over someone else’s Internet domain name. Soloway could face decades in prison, though prosecutors said they have not calculated what guideline sentencing range he might face.

The investigation began when the authorities began receiving hundreds of complaints about Soloway, who had been featured on a list of known spammers kept by The Spamhaus Project, an international anti-spam organization.

The Spamhaus Project rejoiced at his arrest.

“Soloway has been a long-term nuisance on the Internet — both in terms of the spam he sent, and the people he duped to use his spam service,” organizers wrote on Spamhaus.org.

Our own Aaron G. has volunteered to serve on the jury, but will likely be declined due to his regular calls for the death penalty for spammers.

Tune in for our upcoming broadcast segment on protecting YOUR PC from zombie overlords.


Spam Equals Murder — An Argument by Arithmetic

Posted in Internet, spam on May 17th, 2007 by Aaron

ZDNet has an article entitled Massive Surge in Spam.

I’ve often made the argument that we hardly take the cost of spam seriously enough. May I suggest that we consider spam as micro-kidnappings or distributed shortening of lifespans. How so?

Let’s say a professional spammer sends out, conservatively, 100 million spams a week (article regarding one spammer allegedly having sent over 2 billion spams) and that each spam requires merely three seconds of human time (Australia’s Internet expert says 5 seconds per ) invested either in

  • hitting a delete button
  • working to purchase anti-spam software
  • configuration and updating of the aforementioned software
  • hiring technical staff at one’s company to address spam
  • helping non-techie relatives and friends deal with their spam problems
  • venting on a blog about the spam problem or
  • any number of other incidental costs

300 million seconds is 5,000,000 minutes, or 83,333 hours, or 3,472 days, or 9.5 years of human potential stolen… per week. Allowing one spammer to continue like this for two months would exceed the average human lifetime of potential.

Let’s not even discuss what the billions spent on ameliorating spam could do if available to be used in healthcare, instead.

So, to address this, I’ve created a Spam Is Murder counter: Virtual Human Deaths by One Spammer calculated since the beginning of the 21st Century (that’s 1 January 2001, folks). That’ll appear in the left sidebar for a long time.

Of course, there are other solutions to the problem of spam.

What’s your solution?

Note: The opinions expressed in this article are not shared by the entire staff of TechTalk.
