So you think you can spot a phishing email ?

[Paul Adams]

You got 10 out of 10 correct, or 100 %

Would have been terribly embarassing if I'd scored less, given my job for the last 3 years has been IT security

[IBM]

Nichomach ... I think you're missing the point.

How can it be a phishing mail if everything within the mail (with the exception of the lack of personalisation) is legit? All the links point to legit earthlink resources.

Just because it's a mail asking for confirmation of details? So what? You're going to be updating your details through an actual Earthlink page.

Anyways, I'll stand corrected. Since the page says that it's a phishing mail, then a phishing mail it must be....even so...

[Paul Adams]

Nichomach ... I think you're missing the point.

How can it be a phishing mail if everything within the mail (with the exception of the lack of personalisation) is legit? All the links point to legit earthlink resources.

Just because it's a mail asking for confirmation of details? So what? You're going to be updating your details through an actual Earthlink page.

No, Nichomach is spot on:
"...even if, say, a bank communicated with you via email there's no way that they'd include a clickable link and ask you to put your financial details in."

If a company were daft enough to give you icons or hyperlinks in an HTML email which allegedly take you to a site where they expect you to enter your login/financial details then they should be raked over the coals.

For example, read the genuine Hotmail one, it just tells you to go to the site and log in, it does not provide any link to take you there (or elsewhere).

Hyperlinks can be obscured - you can't go off the displayed text, for example, http://www.hexus.net (and with javascript you can stop the status bar telling you the real destination when hovering over it).
In some cases if you are testing by clicking the link then even the address your browser might say you are at is not correct - the most recent obvious case being the IE hole for login:password@site format URLs and %00.

Those who are savvy enough to view the HTML source might spot such tactics, even if it's unicoded URLs, but this test site is interesting as they don't give you that method - you have to use your common sense rather than technical ability to spot the phishers.

[IBM]

Paul ... you're in IT security right? And you're telling me that there aren't any companies out there who are that stupid? That level of stupidity is almost an industry standard....

The hypothetical situation set out by Nichomach isn't just possible, but in an actual fact has probably happened a huge number of times before people were made aware of the security risks.

You're quite correct, the hyperlink can be configured to mislead the user, but this one wasn't, and you can't obscure the URL once you reach the page - which in this case couldn't be viewed.

I'm not saying it's not a phishing mail, obviously I bow to those with more knoweldge in the field. I'm just saying it's possible and plausible that it's not, given that the links ALL go to valid Earthlink pages (I know the one given gets a 404, but that's not to say that it wasn't a 'enter login details - then enter billing details' page...and yes, I know that entering your login details from an embedded link is just as much a security risk, but again I fall back on the concept that companies ARE often that stupid.)

Just saying, possible and plausible....

[Apex]

IBM

Am sorry if i did not make my self clear.

When i said look at the bottom of the email i was meaning for you to study the urls.

The first part of the email is asking for you to log intio the billing department threw one url....while at the bottom of the email is says to update billing info click here if you follow my drift.

It strikes me has odd that they would give 2 different urls for the billing dept.

All it takes is a bit of common sense.

Take the hotmail email all it is saying is that if you don't log in for 30 days your acount will expire which is in the tnc's of hotmail useage for basic accounts.

The ebay ones, ebay state they will never send a email asking you to confirm your login details, how many people have failed to read even the basic faq on ebays site ?

The banks ones are the most common email that i have seen so am use to them being sent in the format they are.

Andrew

[Paul Adams]

Paul ... you're in IT security right? And you're telling me that there aren't any companies out there who are that stupid? That level of stupidity is almost an industry standard....

Yes, last 4 years I have been dealing almost exclusively with IT security in a financial environment.
A little harsh to say it's almost industry standard to have that kind of, well, crass stupidity - certainly in the case of organisations that are in control of customers' finances or personal data.
The big companies, especially finance-oriented ones, will have a lot of audits performed well before they get to set up any ecommerce sites, there are certain guidelines that must be adhered to.

But it's better to assume it is a scam, rather than it's genuine email from a moronic company.

The hypothetical situation set out by Nichomach isn't just possible, but in an actual fact has probably happened a huge number of times before people were made aware of the security risks.

You're quite correct, the hyperlink can be configured to mislead the user, but this one wasn't, and you can't obscure the URL once you reach the page - which in this case couldn't be viewed.

"How can it be a phishing mail if everything within the mail (with the exception of the lack of personalisation) is legit? All the links point to legit earthlink resources."
I said what I said to illustrate that you can't assume just because an HTML says something, that it is actually telling the truth - you said the links were genuine, but for the purposes of that test the links are deliberately obscured.

How do you know that a browser a customer is using does indeed say the correct address after clicking it?
IE had a vulnerability whereby if you crafted a URL of the form:
www.genuinewebsite.com%00@www.dodgyphishingsite.com
and then clicked on it, the address bar would say www.genuinewebsite.com but you would be really at the dodgy one.

This particular exploit was fixed, but you can never say that something like that is impossible - how do you know there isn't a variant or backdoor involving unicode, or a hack involving the shell protocol and trusted zone traversal?

I'm not saying it's not a phishing mail, obviously I bow to those with more knoweldge in the field. I'm just saying it's possible and plausible that it's not, given that the links ALL go to valid Earthlink pages (I know the one given gets a 404, but that's not to say that it wasn't a 'enter login details - then enter billing details' page...and yes, I know that entering your login details from an embedded link is just as much a security risk, but again I fall back on the concept that companies ARE often that stupid.)

Just saying, possible and plausible....

Ah, you trusting soul
I'd rather play the paranoia card and assume it's NOT genuine, than make a potentially expensive mistake.
If the link in question was indeed a genuine one which submitted information via a secure connection, then it would have been https, but again if verification is required then you cannot provide the link for them to click.
Also, the very last URL has a typo - no dot after 'www'.

While I don't think there are global "laws" to dictate how these things are done, there is most definitely a set of UK directives to follow for anyone wanting to maintain retrievable customer information on an ecommerce site.


Whenever I receive such an email, my basic rule of thumb is a simple checklist:

- Are there spelling mistakes?
Any company I dealt with that would send a template email with spelling mistakes on, I don't want to deal with, and phishers are notorious for typos (must be the excitement of possibly getting all that cash).

- Are they asking me to verify login credentials or threatening closure of an account within N days, and providing a hyperlink?
You just don't do it - you are asked for your credentials when you want to access something, not for them to verify they "have the right details on record" or something.

- Does the hyperlink destination match the display name?
If a hyperlink has been provided, I'll check the source and verify it, not click on it and then check.

- Was I expecting this email?
If I've just subscribed to a service and the email address needs validating, for example, then it's better than an out-of-the-blue email inviting me to login on "their" website.


I've used online banking, payment and credit card services and I have received the odd phishing attempt email - the companies I deal with do adhere to the common sense standard, so the phishing ones do stand out.

But it's a case of knowing how to spot these things - social engineering focuses on the weakest point in any system... the user.
Phone up a bunch of companies at random and say you're "John from Support" or something, and likely you'll not be challenged and will be freely given passwords, IP addresses, etc.

People have been phoned at home by someone saying they are from their bank, and for security purposes could they provide their passwords - not everyone would think that unusual (luckily the 2 people I know had this happen to them told the person to bugger off).

[Apex]

Once again paul spot on rep +1 for you

[gobbo]

9/10

I got one like this from "Halifax" asking me to log into my account to "check my details are correct"

There have been a few Halifax and Barclays ones going around at the moment, can be pretty bad if they do get your details

[Atomic]

8/10.

Had no idea about the Bank ones as Id never be with either of those banks and know that my bank never emails me.