Dear friends: Please stop falling for phishing attacks
  • 59 Comments
by Nicholas Deleon on October 7, 2009


Come on, people. You’re probably aware of the big Hotmail scandal going on right now, what with some 30,000 account names and passwords having been leaked over the past few days. And now Gmail and Yahoo! e-mail accounts appear to have been compromised. The thing is, these leaks aren’t the result of a software glitch at the providers; they’re the result of successful phishing attacks, which means people typed their own passwords into somebody else’s web page. I have one question: what the heck is wrong with you people?

Seriously, I don’t understand how, in the year 2009 (nearly 2010!) people can still fall victim to phishing attacks.

Let’s make this clear: your bank, eBay, Google… NOBODY legitimate is going to e-mail you out of the blue asking you to “validate your account”, re-enter your password, or follow a link to keep your account from being closed. The only verification links you should ever expect are the ones you triggered yourself a minute ago (a sign-up confirmation, a password reset you asked for). If a message you didn’t ask for tells you to log in somewhere, then yes, it’s a scam.

(Phishing scams are pretty prevalent in World of Warcraft, too. You’ll get a message from a player saying something like, “You have won free gold from Blizzard! Just go to www.blizzard-free-gold-giveaway-us.com to claim your prize.” Um… no, thank you.)

Here are a few tips I can think of off the top of my head:

• Do you even have an account with these people? The other day I got a Pretty Real™ looking e-mail from “eBay” sent to my CrunchGear e-mail account. Now, the e-mail looked real—it even addressed me by my first name!—but for the slight problem that I do not have an eBay account set up with my CrunchGear e-mail account; it’s set up with my old NYU e-mail address. Still, credit to whoever drew up the e-mail, because, again, it looked Pretty Real™.

• If, for whatever dumb reason, you do click on such a link, check the URL that actually loads in your browser’s address bar, not the text of the link in the e-mail (hover over a link and its real destination shows up in the status bar; the two are often different). If the host is a bare IP address, something like http://74.98.30.203/ebayaccountverify.php, IT’S A SCAM! Same thing if the brand name is merely part of some other domain, like http://ebay-verify.com, or if the real company’s name sits in front of a domain you have never heard of: it’s more fake than your average WWE Diva’s breasts. The only thing that counts is the host name right after http:// and before the first slash, and it has to be the domain the real site uses.

Again, again, and again: NO ONE IS GOING TO ASK YOU TO VERIFY AN ACCOUNT, OR PROVIDE YOUR USERNAME/PASSWORD AS PART OF AN ANNUAL CHECKUP.
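Since the advice above boils down to “look at the real host of the link, not what the link says”, here is what that check looks like in code. This is an added example, not code from the original post: it assumes you already know the real site’s registrable domain (passed in as expected_domain), approximates the registrable domain as the last two DNS labels (no public-suffix list, so country-code domains like example.co.uk are not handled), and every sample link other than the two quoted in the post is constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def registrable_domain(host):
    """Approximate the registrable domain as the last two DNS labels.
    Assumption for this example: no public-suffix list, so a host under
    example.co.uk would wrongly come out as 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, expected_domain):
    """Return the reasons a link looks like a phish; an empty list means the
    host the browser will actually connect to sits under expected_domain."""
    reasons = []
    parts = urlsplit(href.strip())
    if parts.scheme not in ("http", "https"):
        reasons.append("unexpected scheme %r" % parts.scheme)
    host = parts.hostname or ""
    if not host:
        reasons.append("no host in URL")
        return reasons
    if parts.username is not None:
        # http://www.ebay.com@74.98.30.203/ : everything before '@' is a user
        # name the server ignores; the browser connects to 74.98.30.203.
        reasons.append("text before '@' is userinfo, the real host is %r" % host)
    try:
        ipaddress.ip_address(host)  # raises ValueError for a normal host name
        reasons.append("host is a bare IP address")
        return reasons
    except ValueError:
        pass
    actual = registrable_domain(host)
    if actual != expected_domain.lower():
        reasons.append("registrable domain is %r, not %r" % (actual, expected_domain))
    return reasons


def link_text_lies(visible_text, href):
    """True when the visible link text itself looks like a URL or host name
    but the link's real destination has a different host."""
    text = visible_text.strip()
    if " " in text or "." not in text:
        return False  # plain words like "Click here" make no claim about the host
    if "://" not in text:
        text = "http://" + text
    shown = urlsplit(text).hostname
    real = urlsplit(href.strip()).hostname
    return shown is not None and real is not None and shown != real


if __name__ == "__main__":
    # Constructed sample links; the first two are the ones quoted in the post.
    for href in (
        "http://74.98.30.203/ebayaccountverify.php",
        "http://ebay-verify.com",
        "http://www.ebay.com.account-check.example/login",
        "http://www.ebay.com@74.98.30.203/",
        "https://signin.ebay.com/",
    ):
        print(href, "->", check_link(href, "ebay.com") or "looks like the real host")
    print(link_text_lies("www.ebay.com", "http://ebay-verify.com/"))
```

The bare-IP and brand-in-the-wrong-place checks are the two the post calls out; the userinfo check catches the “real-looking name before an @” trick that fools people who only read the start of the address bar, and link_text_lies is the check to run on an e-mail before clicking anything at all.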

Comments

  • You’re preaching to the wrong crowd my friend. Do you want my parents’ number?

    • lol…

      I will say though that “no one is going to ask you to verify your account” is incorrect. Every website asks you to verify your account information and email address — but only when you first sign up. But, like Joshua said, you’re preaching to the wrong crowd.

      • they ask you to verify your account via email address, but you don’t have to email your username and password to them, they send you an email and you click the link that takes you back to the website…

        • Which is exactly how this attack worked… they clicked the link that takes them back to the FAKE (but very real looking) website.

    • Or the idiots Google interviewed asking what is a browser.

    • Haha soo true. Sad but true.

    • He further proves your point that he is preaching to the choir, with his World of Warcraft reference = Geek.

    • Not necessarily the wrong crowd…Several people I know who consider themselves relatively tech-savvy (Computer Science majors, etc…) routinely fall for these…and then there are the people I know who somehow read TechCrunch even though they think the computer’s broken when it’s just in Standby/sleep mode.

      On a side note, it is fun milking the “I have magic powers” comments these people make when I “fix” their computer by waking it up.

  • I got one from an official @microsoft.com address the other day, and today I got one from an official @yahoo.com. Both had official http:// addresses for their respective sites in the links, which is pretty scary.
    The giveaways were the poor spelling in the Microsoft email, and the Yahoo one was sent to the wrong email address.
    Otherwise, they looked REALLY legit.

    • Sorry Reece but this sounds unlikely – the link text might have been ‘official’ but the link itself for sure was not… When Nicholas says check the URL he means the ‘actual’ URL – not the one it’s pretending to go to…

      Another thing – the e-mail address it comes from means nothing – that’s easily faked.

      Anyway, the main thing is that since all these criminals have moved to the internet for their scams I can now start believing the Nigerian prince faxes I’m getting – that dude has sh*tloads of money he needs to move quickly… and I’m getting a hefty percentage… sweet!

      • I was talking about the actual URL.

        I know it’s easy to set up a fake link.
        Do it all the time to my friends in emails.
        (My favorite is when I redirect them to the gorilla giving the finger. It’s a classic, and safe for work.)

        They both were actual company URLs. I did report them both. The responses were pretty quick from them (Microsoft was about 10 minutes, Yahoo about 15). I’m quite sure they got hacked, not that they would ever admit it.
        In fact, thinking about it, how easy is it to hack their server, set up a new address hidden amongst their millions and put an auto redirect to a hidden address outside of their server, or send the info on the form you just filled out to another address or external email……

    • Come on ppl. Do you not know what email spoofing is? Want an email from the White House congratulating you on a job well done?
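The thread above is right that the From: line is trivially forged, and that the link text is not the link. What a receiving mail server actually records is the envelope sender (the Return-Path: it writes) and the SPF and DKIM verdicts it puts in an Authentication-Results: header. The following is an added example, not code from the post or from anyone in the thread: it parses two constructed messages (the sending hosts, addresses and the receiving server mx.example are all made up for illustration) and lists the reasons the forged one should not be trusted. One caveat a practitioner would add: an Authentication-Results: header only means something when your own provider added it, since a sender can forge that header just as easily as From:.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: display From: claims microsoft.com, but the bounce
# address and the SPF check recorded by the receiving server say otherwise.
FORGED = b"""Return-Path: <bounce-4471@mail.hostedsender.example>
Received: from mail.hostedsender.example (198.51.100.23) by mx.example
Authentication-Results: mx.example; spf=fail smtp.mailfrom=mail.hostedsender.example; dkim=none
From: "Microsoft Account Team" <account-services@microsoft.com>
To: victim@example.net
Subject: Your account will be suspended
Content-Type: text/plain

Please verify your account at http://74.98.30.203/verify.php
"""

# Constructed sample of a message whose headers all agree with each other.
CONSISTENT = b"""Return-Path: <bounces@shop.example>
Received: from out.shop.example (203.0.113.7) by mx.example
Authentication-Results: mx.example; spf=pass smtp.mailfrom=shop.example; dkim=pass header.d=shop.example
From: Shop Orders <no-reply@shop.example>
To: victim@example.net
Subject: Your order has shipped
Content-Type: text/plain

Order 1234 is on its way.
"""


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def sender_report(raw_bytes):
    """Compare the visible From: domain with the envelope sender and the
    SPF/DKIM verdicts; return a dict with the findings and a list of reasons."""
    msg = email.message_from_bytes(raw_bytes)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    auth = {}
    for hdr in msg.get_all("Authentication-Results", []):
        # Only the 'spf=' and 'dkim=' verdicts are read; 'smtp.mailfrom='
        # and 'header.d=' are left alone because they carry no '=' verdict.
        for method, verdict in re.findall(r"\b(spf|dkim)=(\w+)", hdr):
            auth[method] = verdict.lower()
    reasons = []
    if from_domain != return_path_domain:
        reasons.append("From: domain %r differs from Return-Path: domain %r"
                       % (from_domain, return_path_domain))
    if auth.get("spf") != "pass":
        reasons.append("SPF result is %r, not 'pass'" % auth.get("spf"))
    if auth.get("dkim") != "pass":
        reasons.append("DKIM result is %r, not 'pass'" % auth.get("dkim"))
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "auth": auth,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("consistent", CONSISTENT)):
        report = sender_report(raw)
        print(label, report["from_domain"], report["auth"], report["reasons"] or "no findings")
```

A From:/Return-Path: mismatch on its own is not proof of anything (newsletters sent through a third party look like that too); it is the combination with a failed SPF check and no DKIM signature that says the microsoft.com address was simply typed into the header by the sender.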

  • Hey mom, if you’re reading this then please don’t fall for phishing emails.

  • Phishing I can handle….. Latest, I was duped by a penny bid site, in.bidvoo.com…. around $600.

    These sites are so f****** fake. There should really be some law against these sites…..

  • In any large set of people, there will always be a few who fall for scams. That will never change.

    Phishing scams are profitable because large numbers of people can be reached for an extremely small cost per person. So they don’t need many people to actually fall for the scam in order to profit.

    Therefore the key to beating it lies in driving up the cost to the scammer of reaching those people, and not simply in educating people on how to avoid getting scammed (which is only one factor in driving up the scammer’s costs).

  • You’re fishing for the wrong people here!!

  • I have gotten an email from “Paypall”. If you look closely you see the wrong spellings. That is also a tip-off.

  • Amen. I’ve been explaining phishing scams to people for years now, they fall for it every time…

    I’m not sure people will ever learn if I’m honest :/

  • What an outstanding idiot!

    “what the heck is wrong with you people? ”

    What’s wrong with you, a geek working on a blog site! Millions of people work outside the IT sector and don’t even use email every day. But they are still making $$$M in business, enjoying being happy moms, grannies, etc.!
    Protocols, sites, URLs – who the heck needs these…?
    No surprise that these people become phishing victims, just trying to log in to Yahoo mail on a different site… Nobody asks for their account in email! They just get redirected to the fake site, where they try to log in as usual!
    What’s the point of having this on TechCrunch?

  • okay, fine.

    login: dovannoni
    pswd: armpithair77

  • I’ll send the link to this page to my parents. It will probably take me half an hour to explain to them why they should read that page and another half an hour to explain what you want to tell them.

    People that fall for those things are usually those that have not the slightest clue what the internet even is and how it works.

    Good luck trying to make those people understand!

  • People fall victim to these scams because they are old and brand new to computers… For example, someone like my mother, who just recently got on Facebook and is starting to trot around the internet. I don’t know how many times I have told her to be careful, but she still falls for this crap.. She doesn’t understand that there are actually more evil people on the web than in the trustful baby boomer years lol

  • Unfortunately some companies are absolutely retarded and actual emails from them look like phishes! They are confusing the users even further. This is an actual one I got a few weeks ago (that was legit..)

    Note that this isn’t just some random site I signed up for but an ad network that brings in a substantial amount of revenue monthly for my business (and despite having an account for over a year I had never previously been required to change my password every 60 days).

    Company name omitted to protect the guilty. Link changed to protect my account.

    Title: [company-domain].com password reset

    Message Body:
    Please click the following link to update your [company-domain].com password:

    http://www.company-domain.com/pw_reset?token=c#c#c#####b######d#a######a####b##d####&pub_id=###

    We hope you do not mind the inconvenience of the password reset, but for your benefit we will regularly ask you to rotate your passwords every 60 days.

    Thanks,
    [Company Name]

  • I hate the ones asking me to verify my bank details, especially as they are nearly always with banks I’m not with, I’ve no idea what they hope to gain.

    But they all divert straight to my junk mail folder now so I can delete them with one click.

  • I validated my girlfriend three times last night

  • People still fall for phone and mail scams. Phishing is easier, cheaper, more efficient and gets all the headlines.

    Bruce Schneier has been saying for years that the banks must be made responsible for fraud.

    “The bank must be made responsible, regardless of what the user does.”

    “If you think this won’t work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They’re not hurting for business; and they’re not drowning in fraud, either. They’ve developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. They’ve pushed most of the actual costs onto the merchants. And almost no security centers around trying to authenticate the cardholder.”
    http://www.schneier.com/blog/archives/2009/09/eliminating_the.html

  • And i can bet, hundreds of people would have fallen prey to such scam right after they read this….

  • Seriously, I don’t understand how, in the year 2009 (nearly 2010!) people can be into World of Warcraft. I mean come on.

  • Nicholas, you shouldn’t be giving advice to the public about serious things. Please stick to iPods.

    There’s one solution to phishing – browser developers standing up and recognising they are a gateway to peoples’ financial world, and acting like it. Mozilla, Google, Microsoft, I’m calling you out. (hi opera!) Recognize your SSL connection with more than a silly little lock – talk to your user – tell them WHAT COMPANY is taking their information – and build a COMMON LANGUAGE for all users to understand they’re about to drop their trousers via YOUR browser.

  • It’s not as easy to catch as you think. I’ve nearly fallen for it myself several times. Tricks like yesterday’s article on wwwtechcrunch.com are rampant. It’s easy to miss that unless you’re a power user that makes a habit of checking the URL bar every time they log into a system.

    Email phishing schemes are pretty easy to catch, because there’s usually something off with the wording of the email which makes it sound fake.

    But email isn’t the only way to phish.

  • You mean I’m NOT getting $45.5M from Dr. Francis Sonto Mbomam? Damn. Better change my PIN next week.

  • Didn’t someone say it was a keylogger scam as opposed to a phishing scam?

    Getting 30,000 people to fall for a phishing scam is pretty impressive, unless they emailed every single person in the entire world ;)

  • Once a month my parents have a new trojan on their computer from a link in an email or a pop up they don’t recognize that they just clicked ok to close it. lol. No matter how much I explain not to do it, they faithfully keep doing it and deny they did.

  • Good thing you posted that on CrunchGear.

  • The economy of scale for phishing and spam aren’t changing anytime soon. It’s low hanging fruit for criminals. Phishing attacks are trending towards sophistication with improved editing and social engineering. The bad guys are narrowing their scope to certain groups with spear phishing attacks, and whaling attacks targeting a specific person are growing.

    Smart people are being defrauded. I know of a case where a CFO was targeted with an email about a reunion. It was well crafted and plausible. Any of us, even in the infosec industry, would have fallen for it. It didn’t trip your critical faculty like scams with obvious grammar and spelling errors. The link installed malicious software that captured ACH transfer credentials and created their own. In this case the company was defrauded of $758,000 over a short period of time. It looked completely normal to the bank processing the transfers.

    In the case of the email providers (and even WoW accounts) I wouldn’t immediately think the victims knowingly entered their username/password via a link in a phishing email. More likely users clicked on a link that installed a keylogger or were exploited via CSRF/XSS vulnerabilities which captured their credentials. When my WoW account was hacked last year, CSRF/XSS is how they got me. Twelve years in infosec and I was as helpless as your new-to-the-internet parents.

  • We are starting to see a few “Desktop” phishing attacks; using this method the user will actually see the REAL domain, making it very difficult to identify the scam.

  • Some good (and some very amusing) comments here. I have to agree with those who point out that sometimes it isn’t that easy to tell between phishing sites and legit ones, particularly if you’re not all that familiar with the internet (there ARE people, not all of them octogenarians, who use the internet solely for email and banking, which can be a deadly combination). Working for VeriSign I’m also very aware of the most effective safeguards — for example extended validation ssl, which alerts you to legitimacy with the green url bar, and two factor authentication, which requires a password generating token for log-in — but the problem is that most free email providers don’t have these safeguards in place, at least not yet. It’s getting to the point where no one should follow any links sent to them via email — if they want to access an account or website they read of, they should type the address in organically whenever possible. But hopefully this scam will inspire some swift improvements.

  • I believe education is the key, and by saying so I think everyone who signs up to an ISP needs to take a test to see if they are educated enough to know right from wrong. If they fail the test, they have to take an online course prior to using the internet.

    Now funding becomes the question here, perhaps there is a business here for someone to take, the point is using the internet is like driving a car, you do something wrong and something will crash.

  • I have not read any of the comments, but I am sure everyone is thinking the same thing! Why is this post here? It is written by a tech guy, for tech people – wrong audience my friend.

    If you can reach out to my mom in India and teach her about phishing, only then will you earn back my respect.

    • Hey, you’re not too holy to read the comments, fuckface. Try printing this page off and mailing it to your mom if she’s literate. Why don’t you do something to help instead of badmouthing this guy for his actual contributions?

  • You’re forgetting ICANN; they do the verify bulls**t.

  • And oh… btw… did you guys know that Bill Gates is sharing his wealth and distributing 1000 bucks for every comment on this post…! Click here for more details

    Can’t wait to get my check…!
    :)

    I swear to god there will be some geniuses even in this crowd that would go for this shit…!

  • While you’re at it, ask them to stop buying Canadian meds and cheap Viagra/Cialis. If they stopped getting responses, the spammers would soon run out of money and quit.

  • Oh my god, there are so many these days… especially the one about the guy in London who says they are your Facebook friend… and as soon as they say Western Union… people, please note to yourself: whoever they are, if they say wire via Western Union and decline a bank wire, IT’S FAKE

  • When someone tries to send you a link to a website or program that can magically detect if you have been blocked on Live Messenger, AIM etc… IT’S A SCAM!!!! FFS, it drives me mad!
