Experts Weigh In On Why Phishing "Works"
By Tony Bradley, CISSP-ISSAP, About.com
Many people enjoy fishing. It can be relaxing and peaceful and if you are really lucky there may actually be fish involved. If you have ever actually gone fishing you might appreciate one of the current Coca Cola radio commercials where they point out that there is a significant difference between "fishing" and "catching". Anyone can fish, but catching takes skill.
Fishing of a different sort has become a serious security threat. Dubbed "phishing", it involves luring unsuspecting users to take the cyber-bait much the same way fishing involves luring a fish to bite the bait.
Douglas Schweitzer, author of Incident Response, describes phishing scams like this: "Phishing attacks use “spoofed” e-mails and fraudulent websites with the attempt to trick unsuspecting Internet users into divulging confidential personal information such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known institutions, phishers are able to convince a small percentage of recipients to respond to them."
One question is whether or not phishing scams are a result of underlying security flaws in software or simply the result of poor judgment on the part of the user. Ed Skoudis, author of Counter Hack and the Hack - Counter Hack Training Course, says: "Both. Users often respond to even lame attempts at phishing, which sometimes include e-mail solicitations full of typos, bad grammar, and other obvious signs that they are not legit. Beyond users, though, the technology doesn't really support us enough in determining what is a real site. Phishers use all sorts of tricks to disguise their URLs and fool browsers. Getting a legit-looking SSL certificate is trivial. Many users blindly click 'accept' when they get an SSL cert warning. Because SSL puts all trust decisions in the hands of users, it's really easy to pull off a phishing attack that uses HTTPS. That's because of a combo of user ignorance and technical limitations. And that's only one example."
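As an added illustration, not code from the article or from any of the people quoted in it, the following Python routine checks a link for the URL-disguise tricks Skoudis alludes to: a user-info string in front of the real host, a bare IP address as the host, internationalised look-alike host names, a brand name hung off somebody else's domain, and HTTPS on a host that is not the expected site. The expected host www.bank.example and every URL in the block are constructed inputs, not real sites.

```python
"""Flag common URL-disguise tricks used in phishing links.

Added example; not the article's or the quoted authors' code.
"www.bank.example" and the sample URLs are constructed inputs.
"""
import ipaddress
from typing import List
from urllib.parse import urlsplit


def under_expected_host(host: str, expected_host: str) -> bool:
    """True if host is exactly the expected host or a subdomain of it."""
    host = host.lower().rstrip(".")
    expected_host = expected_host.lower().rstrip(".")
    return host == expected_host or host.endswith("." + expected_host)


def suspicious_url(url: str, expected_host: str) -> List[str]:
    """Return the reasons a link looks disguised.

    An empty list means none of the checked tricks were found; it does
    not prove the link is genuine.
    """
    reasons: List[str] = []
    parts = urlsplit(url)
    netloc = parts.netloc
    host = parts.hostname or ""          # userinfo and port stripped
    labels = expected_host.lower().split(".")
    brand = labels[-2] if len(labels) >= 2 else labels[0]   # "bank"

    # 1. "www.bank.example@203.0.113.5": everything before '@' is
    #    user-info, and the real host is what follows it.
    if "@" in netloc:
        user = netloc.rsplit("@", 1)[0]
        reasons.append(f"userinfo '{user}' in front of the real host '{host}'")

    # 2. A raw IP address instead of a name.
    try:
        ipaddress.ip_address(host)
        reasons.append(f"host is a bare IP address ({host})")
    except ValueError:
        pass

    # 3. Non-ASCII or punycoded (xn--) labels: possible look-alike
    #    characters in the displayed name.
    if any(ord(c) > 127 for c in host) or any(
        label.startswith("xn--") for label in host.split(".")
    ):
        reasons.append(
            f"host '{host}' has internationalised (IDN) labels; "
            "check for look-alike characters"
        )

    # 4. The brand's name appears somewhere in the URL, but the host is
    #    not the brand's domain or a subdomain of it.
    if not under_expected_host(host, expected_host) and brand in url.lower():
        reasons.append(
            f"brand '{brand}' appears in the URL but host '{host}' "
            f"is not under '{expected_host}'"
        )

    # 5. HTTPS on the wrong host: the padlock only means the connection
    #    to *that* host is encrypted, not that the host is the brand.
    if parts.scheme == "https" and not under_expected_host(host, expected_host):
        reasons.append(
            f"HTTPS used, but host '{host}' is not the expected site; "
            "a certificate proves control of that host, not the brand's identity"
        )
    return reasons


if __name__ == "__main__":
    # Constructed sample links for the demonstration.
    samples = [
        "https://www.bank.example/login",
        "http://www.bank.example@203.0.113.5/login",
        "https://www.bank.example.evil.test/login",
        "http://b\u0430nk.example/login",        # Cyrillic 'а' in 'bank'
        "http://xn--80ak6aa92e.example/",
    ]
    for link in samples:
        print(link)
        for reason in suspicious_url(link, "www.bank.example") or ["(no tricks found)"]:
            print("   -", reason)
```

The check is deliberately a whitelist against one expected host rather than a blocklist of known phishing sites: a link that does not resolve to the institution you think you are visiting gets flagged even if no filter has seen it yet, which is the gap Skoudis describes between what the browser displays and what the user assumes.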
Marcus Ranum, author of The Myth of Homeland Security and Senior Scientist at TruSecure Corporation, leans more toward the naive user as the crux of the phishing problem: "It's silly to try to solve this problem with underlying software. The bottom line is that 'phishing' is just an instance of a social engineering problem. The root cause (on one side) is the criminal, and (on the other side) the gullibility of the victim. 'Phishers' could just as easily be phoning people at home and claiming to be the credit card company, etc., etc. Adding attempts at technological 'quick fixes' isn't going to work."
The problem of ignorant or naive users will not go away any time soon. Security awareness has improved because hacks and malware make front-page news so often, but a good percentage of users are still relatively clueless about even basic security measures, and new users start surfing the Web for the first time every day, so it is difficult, if not impossible, to stay ahead of that curve.
Dan Appleman wrote Always Use Protection, a book aimed at educating teens, some of the newest members of the Internet community, about basic computer and Internet security. On the issue of phishing scams, Appleman says: “For the average computer user the focus should be first on the basic security precautions they should be taking - those precautions will do a good job of blocking the wide array of specific vulnerabilities as they appear. The focus next should be on education and practice.”

The latest web browsers, such as Internet Explorer 7 and Firefox 2.0, contain phishing filters that can alert you to potential phishing sites. In an interview posted on the ha.ckers.org blog, an actual "phisher" discusses some of the hows and whys of phishing attacks and says that Internet Explorer 7 and Firefox 2.0 are about the best defense he has yet encountered.