Comments on news posted 2007-07-28 15:21:32: Phishing scams are on the rise. Emails from scammers posing as IRS and other government agencies attempt to trick consumers into divulging personal financial information. ..

pnh102 (Reptiles Are Cuddly And Pretty), Premium, join: 2002-05-02, Mount Airy, MD

Problems With Test

I was thinking that no legitimate credit card site would ask for your SSN as part of a means by which to authenticate you. It seems that this test would disagree.

-- Only SHATNER is Kirk.

Shamayim (I already have a Messiah.), Premium, join: 2002-09-23

1 wrong

The only one I missed is a bank site I visit every day. I got the others right mainly by reading the URLs, which they don't even talk about. Go figure.

-- "tick...tick...tick..." »www.jtf.org/

dbuth (My Circadian Rhythm Leans To The Night), join: 2001-12-23, Turlock, CA, Pacific Bell - SBC

Time to cut my cat-5 connection to the world

I scored a 5 out of 10. My mistakes were due to the constant spelling and grammar mistakes I read in forums and blogs each day. I missed the fake sites' misspelled words, as my brain corrected the misspellings and grammar as I skimmed the sites. I did much better on the questions where I did not need to peruse a web site.

-- "A friend is someone who knows everything about you and is still your friend."

jayw, join: 2000-08-03, Philadelphia, PA

I hope Phishers Don't Take the Quiz!

YOU ANSWERED 9 OF 10 QUESTIONS CORRECTLY Rating: Safety Guru

The Amazon one got me as well.

The only problem with that quiz is that if the phishers take it, they will know what to correct in their future phishing schemes.

Ashtabula, Premium, join: 2004-06-07

sumbitch -- that was hard ! (yes, that's a space in front of the exclamation mark)

YOU ANSWERED 10 OF 10 QUESTIONS CORRECTLY Rating: Safety Guru
I have not been to any of those sites nor received the emails. I relied on spelling/grammar and URLs when visible. I guess that this was geared toward those who know the corporate logos or whatever.
My issue is that this could have been more educational by including the URLs of the website questions.
Even though I am not a PayPal "constomer," I got two of the three visual clues that McAfee caught on #2. On the fake site, those are directories, and not arguments to a CGI script, in the URL. I think that folks taking the quiz would have been better served by learning that type of thing rather than memorizing the legitimate page and noticing a missing link. Contrast this with the myspace URL thing of #1.
#3, the BankOfAmerica, splits the "PayPal" name. (See McAfee's explanation of #2.) I'm just sayin' "Your protection is our future medal" reminds me of George McFly's "I'm your density."
#4, the FROM: question appears to be answered correctly by most of us. I *really* wish that they would have mentioned looking at the headers. My wife received that recent "IRS" (?) phish. IIRC, the grammar was pretty good. The SMTP's domain was Belgian, and the email originated from Poland. Anyway, not the kind of "pedigree" that you would see in an IRS email. Also, on my "Send Us An Email" forms, I always toss the person's name into the FROM: in sendmail (lowers the SPAM score).
#5, Amazon, was the hardest. Again, I have not been to their site, so I had to rely on what I think are errors in both examples. I got the two mistakes of the fake site, but that is more of a testimony to my eyesight. The real one allows you the option of sending information across an unencrypted link. (Question: How do you pay if encryption is not working for you? My Point: If encryption is not working now when you are logging in, it won't be working later after you've done some shopping and proceed to the secure checkout, so logging in insecurely will not really help you reach your final goal of buying stuff.) Anyway, I did not think that a major player like Amazon allowed transmission of unencrypted email and passwords in 2007.
#6, the PayPal email is easy, a classic example. It occurs to me afterward, though, that the real one uses HTML. Its https: link could have a non-matching HREF field in its ANCHOR tag (click the link, and it goes to another website). Remember, this is an email, so the status bar which shows the real destination may not be there. Also, the logo on the fake one is that of both websites of the #2 PayPal question. That is, knowledge of the logo will trip you up. This is the prime example of why I am uncomfortable with their approach of relying on your memory of the site's design.
#7, CapitalOne is partly given away by the logo, according to McAfee. Again, I've never seen the logo. At first, I thought it was a trick question due to the "Verisign Secured" graphic which appears on the real but not the fake. If I were making a phishing site, I would store that image locally, and serve it up. No link, just the image. (I typically put those "secured" IMG tags right next to the Submit button, along with a "don't click me if not secure" text thing.)
#8, AOL site with URL shown. They do not point out the URL, and instead rely on the logo not being up to date on the fake site. Again, AOL changed their business model and even corporate identity a few times recently. I would not be surprised to hear that the logo changed. Also, that red key (it means that security is good or bad?) I'm guessing that these are MS Vista browsers or something (not familiar)? The real PayPal site of #2 does not have the key. So this is a favicon ("Favorites Icon" or small logo image)? Dang, if that's the case, then MS needs to get serious about shading the background of the Location bar when at a secure site, or doing something. Also, the URL runs beyond the right -- a missed opportunity to educate about multi-subdomain phishing URLs of #1.
#9, Nigerian 419 scam. There is so much history here. One sentence would have taught the test taker something. ("419" is the section of the Nigerian criminal code that is violated.)
#10, the SSL question. Yeah, an SSL certificate just proves that you've got twenty bucks and access to the webmaster@... email address. (I'm from the old-school here. My personal thought is that SSL quickly became too invisible, a Flash plugin if you will.) The quiz's explanation was something about spoofing certificates. Whatever. I always felt that the certificate at its essence just says that there is no man-in-the-middle attack presently taking place. That is, "Yes, you really are connected to 'paypalconstomer.com', now give us your personal data."
----------
Gee whiz, clean up some of the grammar or just copy and paste the pages, and this quiz gets a lot tougher. I mean, buy something for five bucks at Amazon or donate $10 through PayPal, save the pages/images and style sheets, and none of this "look for the logo or missing link or bad grammar" advice applies any more. In the end, your best defense is the advice DSLR readers have been writing and reading for years.
Sorry about the long post. Full of adrenaline. So what do you think?
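A checker for the two URL tricks discussed in this post (a brand name buried in the subdomains or path of a lookalike domain, as in #1 and #2, and an HTML mail whose visible link text shows one address while the href points elsewhere, as in #6), added here as an example and not part of the thread or the quiz; the BRANDS list, the two-label domain heuristic and the sample mail body are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

BRANDS = ("paypal", "amazon", "bankofamerica")  # assumed list, extend as needed

def registered_domain(url):
    """Last two host labels, e.g. 'paypal.com' (two-label heuristic, not the PSL)."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    return ".".join(labels[-2:])

def brand_misplaced(url):
    """True when a brand sits in the subdomains or path but not the registered domain."""
    p = urlparse(url)
    elsewhere = (p.hostname or "").lower() + p.path.lower()
    reg = registered_domain(url)
    return any(b in elsewhere and b not in reg for b in BRANDS)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (visible text, href) for anchors whose shown URL and href differ
    in registered domain, or whose href misplaces a brand name."""
    collector = AnchorCollector()
    collector.feed(html)
    found = []
    for href, text in collector.anchors:
        shown_url = text.startswith(("http://", "https://"))
        mismatch = shown_url and registered_domain(text) != registered_domain(href)
        if mismatch or brand_misplaced(href):
            found.append((text, href))
    return found

# Constructed sample body (not from the quiz): one honest link, two deceptive ones.
SAMPLE = (
    '<p>Log in at <a href="https://www.paypal.com/">https://www.paypal.com/</a></p>'
    '<p><a href="http://www.paypal.com.example.net/cgi-bin/login">https://www.paypal.com/</a></p>'
    '<p><a href="http://example.net/paypal/login">Click here</a></p>'
)
```

Running `suspicious_links(SAMPLE)` flags the second and third anchors and leaves the honest one alone; the first is caught by the text/href domain mismatch, the third only by the misplaced brand name.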

fonzbear2000, Premium, join: 2005-08-09, Saint Paul, MN

please help

I'm at the site and I don't see the quiz.