 | reply to Dude111
Re: Can You Identify Phishing? - Got Six out of Ten for the test.
I still think SSL is pretty safe, regardless of what they want to say. What is SSL anyway? Super safety locks? Oh, wait - Secure Socket Layer. It's meant to prevent people from listening in on the data transfer you're using. Thought I'd double check SSL in case I was wrong, but :
- »en.wikipedia.org/wiki/Transport_···Security
I have never visited any of the websites (Myspace, Capitol 1, etc. etc.) except Amazon and the first rule of thumb for checking emails is to see who the sender is (before you open it). Though the point of phishing scams is to trick you into giving your info away, I felt this test was pointed in such a way as to make you fail a few questions. I'm not paranoid enough to pass them all, I guess.
Do you open emails that aren't from anyone/institution you don't know or frequently use? You should be ashamed of yourself, then. I don't have a paypal account. Why would I receive an email from them asking me to verify my account details?
Felt like a scare tactic. Thought it would have been a useful test to help me discover new methods of diverting phishing scams.
At least it was free.
Ranting done. |
|
 jdongEat A Beaver, Save A Tree.Premium join:2002-07-09 Rochester, MI kudos:1 | said by Phished_out:
"- Got Six out of Ten for the test. I still think SSL is pretty safe, regardless of what they want to say. What is SSL anyway? Super safety locks? Oh, wait - Secure Socket Layer. It's meant to prevent people from listening in on the data transfer you're using. Thought I'd double check SSL in case I was wrong, but : - » en.wikipedia.org/wiki/Transport_···Security"
The point the test was trying to make is, I can register a site like "www.amazon.com.haha.this.is.fake.com", and buy a signed certificate for this site, and when you visit it, you'll get SSL and a padlock that shows this site is verified....
Signed SSL means (1) Your transmission is secure (err let's save that argument for another day) from you to the server and back. (2) The server you are visiting is certified by a trustworthy authority to be the one it claims to be.
It doesn't say anything like "this is an authentic bank" or those things. You still have to check the URL for validity, and so on. -- UbuntuForums Administrator: try Ubuntu Linux |
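The hostname check described in the post above, as an added example that is not part of the original thread: the owner of a site is decided by the rightmost labels of the hostname (the registrable domain), not by a brand name appearing further left. The function names and the tiny `PUBLIC_SUFFIXES` set are assumptions made for this sketch; real code should load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (assumption: production code loads the complete list instead).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def registrable_domain(url):
    """Return the registrable domain (public suffix plus one label), or None."""
    host = urlsplit(url).hostname  # hostname only, without any port
    if not host:
        return None
    labels = host.rstrip(".").lower().split(".")
    # Walk from the longest candidate suffix to the shortest.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host is a bare suffix, nobody's site
            return ".".join(labels[i - 1:])
    return None  # suffix not in our list: refuse to guess


def belongs_to(url, expected_domain):
    """True only for an https URL whose registrable domain is expected_domain."""
    return (urlsplit(url).scheme == "https"
            and registrable_domain(url) == expected_domain.lower())


# Sample URLs; the second hostname is the one from the post, the rest are constructed.
SAMPLE_URLS = [
    "https://www.amazon.com/gp/homepage.html",
    "https://www.amazon.com.haha.this.is.fake.com/login",
    "https://amazon.com.shop-example.co.uk/",
    "http://www.amazon.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{belongs_to(u, 'amazon.com')!s:5}  {registrable_domain(u)!s:20}  {u}")
```

A valid certificate and padlock on the second URL would only confirm that the server controls a name under fake.com, which is exactly what the comparison rejects.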
|
 stevesaFormer Crunchie Iv HostPremium join:2000-06-29 Holiday, FL | reply to Dude111 FWIW
YOU ANSWERED 10 OF 10 QUESTIONS CORRECTLY Rating: Safety Guru  |
|
 | McAfee SiteAdvisor Phishing Quiz YOU ANSWERED 10 OF 10 QUESTIONS CORRECTLY Rating: Safety Guru
The ones that let you see the URL are not hard, some were tricky though |
|
 MarkAWBarry WhitePremium join:2001-08-27 Canada kudos:16 | reply to Dude111 Aren't these like the same questions they had a couple years ago?
YOU ANSWERED 10 OF 10 QUESTIONS CORRECTLY Rating: Safety Guru |
|
 | 9 out of 10
I agree the test is not a fair way to judge a fake site but I will help some people. I have my site bookmarked that I shop at so no worries there. I think the best way to tell a fake site is by the URL
-- I bitch. People listen!! |
|
 MrMoodyFree range slavePremium join:2002-09-03 Smithfield, NC | reply to Dude111 10/10 first try. |
|
 | reply to Dude111
Lucky, I guess. |
|
 thxmed join:2005-06-02 Hollywood, FL | reply to Dude111 I got all ten answers correct too easy |
|
 tmaertinCrash Into MePremium join:2002-04-03 North Tonawanda, NY | reply to Mele20 9/10 - I missed the Capital One question as well - both seemed phishy to me. I find myself muttering "what's in your wallet" to no one in particular...
-- Hike up your skirt a little more, and show your world to me. |
|
 mvduPremium join:2003-07-28 Collegeville, PA kudos:1 1 edit | reply to Dude111 I got 8/10 correct.
Missed the PayPal question. I go there, but didn't remember the security center link. I also got the name of the other scam wrong. I can't believe I hadn't heard the name. |
|
 madylarianThe curmudgeonlyPremium join:2002-01-03 Parkville, MD | reply to Dude111 I got 10 out of 10 and I don't need Site Advisor to tell me to look at the actual url in a link.
mady -- Honi soit qui mal y pense |
|
 StraphangerExpress is BackPremium,Mod join:2001-12-08 Jackson Heights, NY kudos:2 | reply to Dude111 I got 9/10...screwed up on the BoA one. |
|
 antiseriousThe Future ain't what it used to bePremium join:2001-12-12 Scranton, PA | reply to Dude111
"YOU ANSWERED 10 OF 10 QUESTIONS CORRECTLY Rating: Safety Guru
Nice work! Your practically clairvoyant knowledge of the Web allows you to spot even the most realistic looking spoofed sites. We're impressed!"
There was one guess in there, but some should have been obvious enough to raise flags for most everybody.
-- "Burn the land and boil the sea You can't take the sky from me "
|
|
 rolandeCertifiablePremium,Mod join:2002-05-24 Columbus, OH Host: Linksys AT&T Midwest
| reply to Dude111 YOU ANSWERED 10 OF 10 QUESTIONS CORRECTLY Rating: Safety Guru
Nice work! Your practically clairvoyant knowledge of the Web allows you to spot even the most realistic looking spoofed sites. We're impressed!
I agree with nwrickert. The information provided was of marginal value to determine site spoofing or not. In a real situation you have a lot more info available to you.
The SSL certificate question is a red herring. SSL certificates signed by a trusted Root CA that match the domain name and company name you are attempting to communicate with provide a level of trust. But I can just as easily create and sign my own certificate with my own Root CA and trick you into loading my Root certificate into your browser.
The potential for "man in the middle" attacks for SSL is scary. I can see it as the next BIG backdoor for authorities to find out what someone is doing in real-time for tracking/monitoring purposes. This capability to transparently unlock SSL has been around for just over a couple years now.
All you need to do is drop a nice little trojan that adjusts the browser's proxy settings and adds your own Root CA certificate and with the right proxy product you can start capturing any and all SSL traffic from that client in the clear and they will not know the difference. Heck, with law enforcement's power, all they need to do is drop an SSL proxy transparently inline with a particular user's traffic at their ISP and they have the keys to the kingdom.
-- Ignorance is temporary...stupidity lasts forever!
»www.thewaystation.com/ »blog.thewaystation.com/ |
|
 jsimmonsPremium,MVM join:2000-04-24 Falls Church, VA | reply to Dude111 10 out of 10... Surprised myself. I thought surely I'd miss one or two. A few were pretty tricky.
-- "Everything should be made as simple as possible, but not one bit simpler."- Albert Einstein |
|
 | reply to Dude111 I never click on links in emails, even from financial institutions I do business with - I enter what I know to be the correct web address directly, then navigate where I need to go. |
|
 | reply to rolande
"But I can just as easily create and sign my own certificate with my own Root CA and trick you into loading my Root certificate into your browser."
Umm, how are you going to do that? I could probably get a few suckers to install my root CA into their browser, but no one with any security savvy is going to do it.
"All you need to do is drop a nice little trojan that adjusts the browser's proxy settings and adds your own Root CA certificate and with the right proxy product you can start capturing any and all SSL traffic from that client in the clear and they will not know the difference."
If you can get a trojan in, you don't need a proxy or a root certificate or any such thing. Your trojan can just pull the data out in the clear before encryption or after decryption, and send it wherever you like. |
|
 jdongEat A Beaver, Save A Tree.Premium join:2002-07-09 Rochester, MI kudos:1 | said by russotto:
"But I can just as easily create and sign my own certificate with my own Root CA and trick you into loading my Root certificate into your browser. Umm, how are you going to do that? I could probably get a few suckers to install my root CA into their browser, but no one with any security savvy is going to do it."
That's the point -- security savvy people don't fall for this. However, from unscientific observations I'd be willing to say 60% or more of the "average population" will click through an invalid certificate warning without a second thought -- or thinking how the f**** do I turn off this stupid annoying alert?
-- UbuntuForums Administrator: try Ubuntu Linux |
|
 aefstoggaflmOpen Source FanPremium join:2002-03-04 Bethlehem, PA kudos:2 Reviews:
·Verizon Online DSL
1 edit | reply to Dude111 8 out of 10 correct. 
The ones that I got wrong were..
Which is the authentic Bank of America site?
Which is the authentic Amazon site?
----
Is there a way to get the right answers, without taking the test again?
[EDIT] I hope someone finds a way to get the McAfee SiteAdvisor Plug-in for Firefox, but from addons.mozilla.org 
-- Please use the "yellow (IM) envelope" to contact me and please leave the URL intact. |
|