WebApp Sec mailing list archives
RE: (not really a) Proposal to anti-phishing
From: "Mike Andrews" <mike () se fit edu>
Date: Mon, 24 Jan 2005 14:39:11 -0500
-----Original Message-----
From: Wall, Kevin [mailto:Kevin.Wall () qwest com]
Sent: Monday, January 24, 2005 2:29 PM
To: Mike Andrews; Rishi Pande
Cc: webappsec () securityfocus com
Subject: RE: (not really a) Proposal to anti-phishing

Mike Andrews writes...

I remember doing a quiz on phishing some time ago. After much digging, here's a link to the quiz (version 2) http://survey.mailfrontier.com/survey/quiztest.html Sorry, it doesn't give any results of the survey - perhaps someone could email the company and ask about the results, especially which ones people didn't get.

Of course, the "quiz" is pretty much useless. There are some obvious phishing attempts, but the few that look (are?) legitimate, one can't really tell because all they give you is an image, so you can't really see what the links are pointing to or do a 'view source', etc.
Yeah, I agree, but I think that what the company was trying to do is see if people can recognize phishing attempts just by the email content itself (and the status bar when you hover over a link). By using an image it forces the survey takers to use just their eyes and no other technical abilities - a pretty standard way of normalizing surveys same as choice lists.
But IMHO, I think that HTML e-mail should be outlawed, period. That alone might go a long way to eliminating a lot of phishing schemes, especially the ones that rely on bugs in the MUA's HTML rendering engine to entice the victims.
Hear, hear. Would also get rid of all those cutesy/fancy stationery schemes our secretaries insist on using :)

Cheers,
Mike.