Something’s phishy? There may be more than money at stake…

by Eszter Hargittai on July 7, 2007

The term “phishing” refers to the malicious practice of trying to extract sensitive information (such as passwords) from users. Compared to numerous other Internet-related terms, “phishing” is one of the least understood ones among users. I have found this in my work as have others in theirs. Of course, it may be that people understand the concept of phishing without knowing it is called as such. It is difficult to do large-scale data collection using more elaborate methods, but I implemented some related questions on a survey recently taken by over one hundred students who were randomly sampled from a diverse group. (See the end of this post for details about the data set.)

In the context of a larger study, I showed participants three hypothetical emails and offered several options for how they might proceed (respondents could check off several actions such as “delete it”, “ignore it”, “forward to tech support with a question”, etc.). When shown an email that looked very much like the one that comes from the IT department of the university (one that would not be hard to replicate by someone with malicious intent), over half of respondents said they would “follow the instructions outlined in the email”, which included going to a Web site and entering their username and password. Even more students said that they would “click on the links in the message and follow the instructions on those pages”. Fewer than 15 percent checked off the option of contacting tech support with a question or reporting the email as abuse. And in the open-ended field where respondents could explain what else they might do, only one student described actions that suggested the potential problem with the email. This among the generation that is supposedly savvy about digital media. See my forthcoming paper on The Role of Expertise in Navigating Links of Influence for more on this (especially pp. 12-19).

When I talk to my students (at a different school than where the above study was conducted) about online privacy and security issues, and ask them about the potential implications, the usual response is about financial concerns: credit card numbers stolen, money lost. However, as I try to remind them several times throughout the course, financial issues are not the only ones at stake when managing one’s identity and actions online. For example, in the realm of health and politics one can easily come up with examples of cases where third parties should not have access to our information.

And then there is reputation. I have noticed some troubling incidents on Flickr recently and wanted to write a post about these experiences to remind people about the importance of being vigilant. Don’t stop reading just because you are not a Flickr user, by the way. These same issues could occur on lots of other sites as well.

Flickr is a photo-sharing community site where people post photos and often comment on others’ images. These comments sometimes include cute little awards that let you add your photo to an invitation-only group or whatnot. Recently, I received such a comment on one of my photos and clicked on the link included within it. This led me to a login screen seemingly still within Flickr. The people behind that site did a very good job replicating Flickr. You had to be very conscious of your actions not to proceed and follow what you were being instructed to do, namely, enter your Yahoo!/Flickr username and password.

Lucky for me, I did realize that there was something phishy going on here. I was already logged into Flickr so this login request did not make sense to me. I checked the location bar of the browser, and as expected, it did not say flickr.com/etc. Then I did a search for phishing on Flickr groups and confirmed that this was not something I wanted to pursue. Others had encountered similar issues and had already reported them so hopefully the admins were aware.

So what could one do with the username and password of Flickr users who were not as cautious or who simply did not realize what might be going on? First, one’s Flickr username and password is the same as one’s Yahoo! ID and password so it allows access to one’s email account and all other associated services, none of which is desirable. Within Flickr itself, it allows the malicious user to post comments on others’ photos using the account.

And that is precisely what I experienced this morning. Click here for a screen shot of a picture I posted and the comment that followed immediately after. Note that this comment came from someone who is not on my contacts list and whose account I had never seen as far as I recall. The comment on my photo of a Dublin door reads:

Hi,

Someone at RAMCON said you sell nude images of children on flickr(loldee etc..) and i was just wondering(if this is true) then how much do you charge and what payment methods you accept?

Thanks.

There is very little chance that someone with a paid account would leave such a message publicly on a photo.

Searching on Flickr, I see that others are experiencing the same issue with the exact same message, but sent from different people’s accounts. This can be really damaging to the person whose account is used for such messages, especially if this person does not realize or does not understand what is going on. Several people participating in that discussion thread have already reported the person in question, accusing him of having left at least three such messages.

So I thought a reminder was in order: before entering your username and password anywhere, be sure to check that you are on the Web site you think you are on. Look at the address of the Web site in the browser, and if it is not the one you expected, then beware.

[*] Details about the data set: In February-March, 2007, we administered a paper-pencil survey to students in the one class at the University of Illinois, Chicago (UIC) that is required of all students thus posing no selection bias as to who was in the sampling frame from the university. UIC is one of the most ethnically diverse research university campuses in the US. We have a 98% response rate of the 85 course sections, and an 82% response rate of all students enrolled in the class. The survey data about understanding the term “phishing” represents the responses of 1,236 participants. We used stratified sampling (on gender and user skill) for the follow-up observational study (March-May, 2007) that also included a short additional survey. We achieved a 58% response rate on that portion of the study with 103 students participating.

Thanks to the MacArthur Foundation for supporting this work.

{ 20 comments }

1

shub-negrorath 07.07.07 at 9:30 pm

It’s really not that difficult at all to create more-than-reasonable facsimiles of web sites that legitimately request sensitive information. I’ve seen impressive spoofs of Ebay, Paypal, banking sites, etc., all of which have come to my attention via official-looking email addresses. The degree of web-savvy necessary to evade such fraud seems prohibitively high and not particularly likely to cultivate itself; perhaps our colleges and universities need to start instituting 1-credit Online Survival Skills courses as graduation requirements. I’d be surprised if a few haven’t already.

2

abb1 07.07.07 at 10:13 pm

They would’ve fooled many more people (including you, possibly) if they registered and used domain filckr.com instead of their IP address.

3

Quo Vadis 07.07.07 at 10:19 pm

Poor password security can have implications that go far beyond the person whose account has been compromised. A lot of the unethical or criminal activity that takes place on the internet is conducted via compromised system and network accounts. Once someone has the ability to log into an account, they can use that account’s resources to broadcast spam, launch DOS and hacking attacks on other systems, distribute illegal content etc. It is possible to build networks of hundreds or thousands of accounts that can be controlled remotely and it’s almost impossible to block such widely distributed attacks or to trace the activity back to the source.

4

Ben Saunders 07.07.07 at 10:30 pm

Must be more careful following those Facebook links…

Also I have had several recent surveys apparently from the university admin (on matters like graduate funding and alumni services). Since they don’t go to an official university site, hard to be sure – but they didn’t ask for any sort of password, and they must’ve already had my email address.

Scary, but thanks for the warning.

5

hallam 07.08.07 at 1:31 am

I work in the business of stopping criminals. The jargon is a real obstacle at times. I don’t object to phishing but I did object strenuously when folk tried to perpetrate pharming (attack via the DNS infrastructure) and vishing (telephone phishing via VOIP).

Without more details it is difficult to know exactly what the motive behind that particular attack might have been. The criminals can make use of pretty much any type of credential. For example there is a good chance (15% or so) that your Flickr username/password will match your Paypal account. The criminals can make money if the match is 1% or less.

There might be an attack similar to the EBay auction scams. I don’t use flickr so I can’t say whether there is a way to bank the reputation attached to an account.

The real issue is to stop the criminals. I have a book coming out in the fall from Addison Wesley, The dotCrime Manifesto, which sets out a pretty thorough program.

One thing I am not very big on though is user education efforts. Not that I am opposed to telling people about the scams, what I object to is the view that Internet crime is a user problem. It isn’t, we built this world, not the users, we have to take the responsibility.

Actually, a lot of the crime is not even Internet crime, it’s bank fraud. The weaknesses that are being exploited are in the financial infrastructure. Take credit card numbers, totally bogus from a security point of view. The cards should all have chip and pin like they do in Europe.

Now I have the book pretty much complete I am looking to put together some YouTube videos to give the basics of how the crimes work: phishing, auction fraud and advance fee fraud (aka 419/nigerian letter).

6

Randolph Fritz 07.08.07 at 1:46 am

It bears statement that at best fixed passwords provide medium security; the way passwords are usually used, they are low security. This is, in fact, a technical problem and deserves to be treated as such; it is difficult to learn to be always wary, and likely even the wariest of us will sometimes slip. Much, much, much better to use other sorts of authentication in combination with passwords; physical tokens, smartcards, and the like.

7

John 07.08.07 at 2:29 am

Here’s a depressing story:

A few years back, the company at which I was working was acquired by HP. One day, as we were all busily preparing for the transition, I got an email, purportedly from our system administrator’s assistant, requesting that I email him my password so that he could configure my account.

Ha, ha. “The hacker pranksters at our company must be at play again,” I thought. I forwarded the mail to the sysadmin along with a quick, “Social engineering at work… Find out who and fix it, please” note. (I was director of engineering at the time, so well within my bounds.)

He responded by telling me that it was a real email. That it was official HP IT policy to request user passwords by email. And furthermore, that the engineering staff were the only ones to complain about the policy. And, of course, that he resented the ongoing concerted effort by engineering to make his life difficult.

It happened again later, while still within HP, from a different administrator, and I managed to find an actual written IT policy corroborating it.

8

Eszter 07.08.07 at 2:30 am

Abb1 – yeah, some similar name would probably confuse quite a few people even among those who do think to look.

Hallam – I look forward to learning more about your book. While I agree that it is important to find solutions at the technical level (and at the policy level as well), I don’t think it’s reasonable to just sit around waiting for those solutions to arrive and not do anything in the meantime at the user side. (Moreover, this seems to be a race and every time technical solutions come up there’s a good chance the malicious side figures out additional ways to pursue their goals.) So it seems to me that a multipronged approach is the way to go and we do need to think about how we can get more people to understand what’s going on.

9

Dan Simon 07.08.07 at 2:45 am

Eszter, I assume you’ve seen “Why Phishing Works”, by Dhamija et al.? It gives a pretty good explanation of why users tend to fall for such attacks. The basic point they make is that ordinary, non-vigilant users pretty much ignore all the (usually more reliable) information provided by the browser “chrome”, such as the address bar. Instead, they judge a page based on its content alone–which is under the complete control of whoever generated the page, and can therefore easily be made to look like, for example, any other normally-trustworthy page on the Web.

I would argue that phishing should be considered as fundamentally just another form of “social engineering”, otherwise known as con artistry. Claiming to be a large bank and asking for a phishing victim’s password or personal data isn’t really that different from claiming to be the relative of a recently-deposed dictator with a bulging bank account ready to be shared with anyone who’ll provide fees and bank routing information.

The appropriate rule of thumb is the same in either case: if someone comes to you–whether by email, comment spam, search engine ad, or any other means–there’s no reason to believe that they’re who they say they are, or that they can be trusted with anything you give them. If you want to give information–including a password–to someone you trust, make sure that it’s you contacting them, by a channel that you know and trust (such as a browser favorite/bookmark).

10

hallam 07.08.07 at 3:26 am

I agree that we have to attack the problem on multiple fronts. But before we try to educate the consumer we have to get the technology to a point where we can give comprehensible instructions.

For example, the FTC not so long ago told people to Stop, Look and Ask. Stop and Ask make sense, but telling people to look at the messages does not. It can take an experienced professional ten minutes to work out what the trick being used is. Unless you really understand the Web and SMTP you are not going to spot a phishing message except by knowing that banks don’t send that type of message.

Only they do, we have spent a good three years stopping banks from sending out messages that ask the customers to do the same things that the phishing gangs do. And now they are in the telephone system and once again we are having to tell banks that it is a really really bad idea to robodial their customers and then ask them to enter their CC number. And yes, some really do do that.

On the policy front what we need to do is to better align the ability to act with the responsibility to act. For example, for a negligible cost cable ISPs could implement reverse firewall technology in the cable modem. That would essentially make the machine more or less worthless for purposes such as sending out spam, denial of service attacks and many other common criminal activities. The value of an owned machine would drop from the $5/month typical of a machine with unfettered broadband access to the $0.10/month that dialup machines fetch (if they fetch anything at all).

Crime is a policy issue, but we don’t want to hand over complete control over the Internet to the politicians. And they move very slowly, and they have other priorities.

In the medium term we have to get rid of the passwords altogether. Technologies such as Microsoft CardSpace offer credentials that cannot be stolen using social engineering attacks.

To date most of the measures we have applied have been tactical. My customers are pretty happy if I make their bank a less attractive phishing target than the bank next door, their loss rates go down dramatically just the same as if I had put the bad guys out of business completely. Then six months later every bank in the region has the same tactical measures and we are back to square one.

We have to change the Internet infrastructure to beat the criminals. We need to deploy deep strategic measures.

I certainly don’t believe that I have the only or even the best ideas. But I think I can at least get us to the point where we can get past the refrain that ‘X is no good because the bad guys will only do Y’. That’s not a productive argument. Let’s get into, ‘PHB proposes X but X’ would be more effective, or cheaper, or easier to deploy or whatever’.

11

Shane 07.08.07 at 7:11 am

There are a lot of scarier, more sophisticated phishing tactics out there. I’m not sure if it’s been done in the wild, but I know there have been plenty of proof-of-concept demonstrations of exploits that even overcome the address bar url barrier to most phishers.

One example uses a zombie computer to log onto the home router with the default password (or even a dictionary attack) and reconfigures the settings to point to a malicious DNS server that operates normally except when serving paypal, ebay, common banking sites, etc. To the user, the address bar looks exactly as it should, regardless of browser or OS. One could easily imagine a scenario in which ordinary phishing tactics no longer work effectively, and the criminals move onto these more complex schemes.

12

Shane 07.08.07 at 7:19 am

Oh I just remembered some others – register domains that aren’t just typos of legitimate sites, but take advantage of some typography/font characteristics to look identical. With most sans serif fonts (like almost every address bar font I’ve ever seen), fIickr (with capital i for second letter) looks just like flickr. There was an exploit before where certain unicode characters looked exactly like certain standard letters. One of the most devastating examples was a character that most systems would render as identical to the lowercase ‘a’. Think of all the banking sites that contain at least one ‘a’ in the url.

Also, the public should probably be educated more about better password policy. If you use the same email/username/password on some American Idol unofficial fansite forum that you do on your paypal account, and the forum administrators have malicious intent, you could be making yourself vulnerable. I personally keep different passwords for all my important accounts, and then a simpler password for things like logging into NYTimes or wordpress comments.
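Added example, not code from the post or from any commenter: a Python check that mechanises the post’s closing advice (look at the address bar before entering a password) against the disguises this thread describes: the bare IP address from comment 2, a transposed-letter domain such as filckr.com, the capital-I-for-lowercase-l trick, and Cyrillic letters that render like Latin ones. The confusable table, the one-edit typo threshold and the sample URLs are this example’s own assumptions.

```python
# Added example (not the post's or any commenter's code): mechanises the post's
# "look at the address of the Web site in the browser" for the disguises
# discussed in this thread. The confusable table and the one-edit typo
# threshold are assumptions made for this example.
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Hand-picked characters that render like ASCII letters in most sans-serif
# fonts (constructed for this example; real confusable tables are far larger).
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",   # capital I, digit 1, pipe -> lowercase L
    "0": "o",                        # digit 0 -> lowercase o
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                 # Cyrillic с х у
}

def skeleton(label: str) -> str:
    """Reduce a hostname to the shape a reader sees in the address bar."""
    folded = unicodedata.normalize("NFKC", label)   # fold fullwidth/ligature forms
    # Map confusables before lowercasing, otherwise 'I' would become 'i', not 'l'.
    return "".join(CONFUSABLES.get(ch, ch).lower() for ch in folded)

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute or swap neighbours."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent transposition
    return d[len(a)][len(b)]

def hostname_of(url: str) -> str:
    """Extract the host without lowercasing it (urlsplit().hostname would hide 'I')."""
    host = urlsplit(url).netloc.rsplit("@", 1)[-1]   # drop any user:pass@ prefix
    if host.startswith("["):                          # bracketed IPv6 literal
        return host[1:host.index("]")]
    return host.split(":", 1)[0]                      # drop :port

def classify(url: str, expected_domain: str) -> str:
    """Return 'genuine', 'ip-literal', 'lookalike', 'typo' or 'unrelated'."""
    host = hostname_of(url)
    try:   # browsers may show punycode; decode it so the check sees the glyphs
        host = host.encode("ascii").decode("idna")
    except ValueError:                # non-ASCII host or malformed punycode: keep as-is
        pass
    try:
        ipaddress.ip_address(host)
        return "ip-literal"           # no domain name at all (comment 2's scenario)
    except ValueError:
        pass
    expected = expected_domain.lower()
    if host.lower() == expected or host.lower().endswith("." + expected):
        return "genuine"
    if skeleton(host) == skeleton(expected):
        return "lookalike"            # fIickr.com, or paypal.com with Cyrillic a
    if edit_distance(skeleton(host), skeleton(expected)) <= 1:
        return "typo"                 # filckr.com
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample URLs; 203.0.113.7 is a reserved documentation address.
    for url, domain in [("https://www.flickr.com/photos/", "flickr.com"),
                        ("http://203.0.113.7/login", "flickr.com"),
                        ("https://fIickr.com/login", "flickr.com"),
                        ("http://filckr.com/", "flickr.com"),
                        ("https://p\u0430yp\u0430l.com/", "paypal.com")]:
        print(f"{url:36} expected {domain}: {classify(url, domain)}")
```

A real deployment would use the full Unicode confusables data and a registrable-domain list rather than this hand-picked table, but the shape of the check (compare what the eye sees, not the raw bytes) is the point.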

13

stuart 07.08.07 at 1:43 pm

One of the most devastating examples was a character that most systems would render as identical to the lowercase ‘a’. Think of all the banking sites that contain at least one ‘a’ in the url.

Isn’t this one of the things that the phishing filter on IE7 warns about? This blog covers some of the details. I would imagine other browsers also deal with it, but don’t know for sure.

14

She who will not be named 07.09.07 at 4:00 am

Hmmm. I thought that I was an adroit avoider of phishers, but the survey says that I might be wrong.

So I went online to look for phishing tests. (How canny are you at distinguishing real emails from phishes?) All the tests I found featured HTML emails with no header information. I wouldn’t have responded to ANY of them, even the supposedly legit ones. I don’t give any info to sites linked from emails. I go there myself. I avoid dubious sites. If I have any doubts about a message, I check the headers, or even ownership of IPs through WHOIS. I’ve only recently switched to using gmail after using only a UNIX shell account for many years.

So I’m wondering — what form did the emails in the test take? Were they HTML mail with no header info and no access to code? Or were underlying header info and HTML code available? Just how savvy were the experts?

I’m not saying I couldn’t be conned or hacked, but I should think that it would have to be a more sophisticated attack than most phishers can manage.

I’m not using my real name lest my hubris be rewarded with a concerted attempt to prove me wrong :)

15

Eszter 07.09.07 at 2:51 pm

Some interesting feedback here, thanks all!

SWWNBN – The little you’ve told us about yourself already makes it very clear that you are an extreme outlier when it comes to Internet use. The fact that you’ve only now switched from UNIX makes that obvious as does the description of all that you do when you get an email. (Most college students today don’t even know what UNIX is, never mind ever having seen a command line or having used it.) The emails did not have full headers, they had basic headers. That’s because most people receive just the barebones and would have to take a conscious action to get the rest. And there were no links. However, as I mentioned, there was an open-ended answer option where people could add info about what they might do if the existing 11 categories didn’t match their actions. Several did add comments, they just didn’t mention things that would be particularly relevant per se. (While it’s fair to assume that fewer people may be inclined to bother adding responses to the Other category, this was a group of people who had already agreed to participate in a rather elaborate study so that kind of bias is less likely here.)

16

D Lacey 07.09.07 at 7:11 pm

My bank has added a security feature where they show me a selected picture and phrase to prove it’s them when I log in before I type in my password.

This seems like a good feature to help prevent phishing attacks, even ones like redirecting my DNS. When I didn’t see the picture and phrase I expected, I’d know it wasn’t really my bank.

17

Dan Simon 07.09.07 at 10:22 pm

D Lacey: Check out “The Emperor’s New Security Indicators”, by Schechter et al…

18

hallam 07.09.07 at 10:37 pm

Schemes like Sitekey work if you are alert. The problem is that they don’t work if the attacker sets up a man in the middle attack where the victim is directed to a site that simply scrapes up the authenticator image from the real site.

Another attack that has been tried is to simply replace the sitekey images with ‘image not found’. Most of the test subjects clicked through regardless.

With respect to the original attack, there are at least two ways the criminals could cash out stolen facebook credentials. One is to boost the credibility of an auction fraud. Another is to recruit people into a money mover scam. The way the criminals turn stolen accounts into money is to recruit ‘money movers’ who receive the stolen funds and wire them to the criminals less their commission. In addition to being illegal money laundering these scams usually result in bankruptcy for the recruits. The transfers of stolen money into the accounts are reversed but the recruit is responsible for all the money that was moved out.

19

jay bee 07.10.07 at 7:36 am

Thanks for the warning/reminder Eszter & great to see you were in Dublin with the Hungarian boxing team enjoying our wonderful summer weather!

I think the photo of the unidentified red door is the church on Dawson Street

20

anomyous 07.11.07 at 6:50 pm

I encountered a very clever one the other day — a seeming Bank of America email came to me saying that my on-line account was blocked because my sitekey password had been incorrectly entered. It had the BoA logos down well and I had recently been in the account and changed some items. Of course, checking the URL in the message revealed that it was routing to a non-BoA site and was a phishing attempt.

Comments on this entry are closed.