In the summer of 2001, I saw my first phishing attempt. A reader sent me a link to a site that, at first glance, appeared to be hosted on AOL; the site asked you to update your account. But as I read through the requests for information on the page--social security number, mother's maiden name, and other extraneous personal details--it became clear this was not an official AOL site, despite the overall look and feel of the page. Five years later, phishing has grown enormously. According to security vendor MessageLabs, it accounts for 14.5 percent of all malicious e-mail intercepted. Phishing is rapidly becoming the number one threat to home computer users, displacing spyware and viruses. And don't count on security tools or software to come to your rescue. Where you click and--more importantly--why you click remains largely up to you. And if you think you are too smart to fall for a phishing attack, you might be surprised by the results of a new survey by researchers at Harvard and the University of California at Berkeley, who found that the best fraudulent sites could still fool more than 90 percent of the survey's highly educated participants.

	Researchers at Harvard and the University of California at Berkeley found that the best fraudulent sites could still fool more than 90 percent of the survey's highly educated participants.

Why phishing works
The 22-person Berkeley/Harvard study entitled "Why Phishing Works" is much too small to be statistically relevant, yet what it had to say about current Internet browser security tools, such as Secure Socket Layer (SSL) and site certificates, is interesting.

The researchers hypothesized, and found, that some Internet users have mistaken impressions about Web security and often base their trust of a site on collateral data such as "professional-looking images, animation, and ads"--all of which, of course, can be spoofed. Worse, among this limited group, the researchers also found a basic ignorance of common security tools currently employed within browsers and by Web sites. In other words, what we're doing today just isn't working.

Again and again this phishing study came back to the idea that the content on the page, not the address or the security icons displayed within the browser frame, mattered the most.

What is safe?
In the world of Internet browsers, the padlock icon is used to indicate that an SSL has been established so that data transmitted between your computer and the server being accessed is encrypted. While SSL is not entirely foolproof, it's good enough for most secure transactions conducted on the Internet today. Yet 5 percent of the participants in the study judged a site solely on its content, with several participants stating (incorrectly) that a given page was more secure if the SSL padlock icon appeared on the page rather than somewhere else; the correct answer is the padlock should be part of the browser, either in the address bar or along the lower-right or lower-left frame. (As a side note, not all financial institutions require SSL transactions for online banking.)

Newer browsers, such as Firefox 1.5 and the new IE 7, go beyond the traditional padlock icon by color-coding the address bar to indicate a locked SSL session. Of the 22 participants in the phishing study, 17 did not notice the changes within the Firefox address bar and one even commented "I thought that was just part of the Web site design."

Site certificates? What's that?
Another security tool currently used to identify secure Web sites is the use of site certificates. When accessing a secure site, your browser will check to see if it has certificate signed by a trusted third party, such as the VeriSign-owned company Thawte. If the site has been accessed before and a valid certificate has been stored on your hard drive, you won't see a dialog box regarding that site's certificate; however, if you visit a new site, you should see a dialog box asking you to accept or deny access to the site based on the certificate. As mentioned, most certificates are signed by trusted third parties and are relatively hard to impersonate; a few, however, are self-signed, which is not always an indicator of trustworthiness.

In this limited study, more than half of the participants accepted self-signed certificates, ignoring the accompanying warning that doing so might expose their personal information to unknown others. Here's the scary part: when asked about their decisions regarding whether to accept the self-signed site certificates, 18 responded they really didn't understand the meaning behind their answers, and 3 thought they were either accepting the use of cookies, saving their password for future use on a Web form, or acknowledging some message about spyware.

Domain? What's a domain?
A majority of the phishing e-mail I get resolves to numeric addresses registered in foreign countries or misspellings of common names, such as www.hase-chase.com. The study found that participants didn't pay attention to the final addresses displayed in their Internet browser; the content on the page mattered more to them. To prove it, the study provided a spoofed Bank of the West address that used two Vs to simulate the letter W: bankofthevvest.com. Even with this URL, participants thought it was a legitimate site.

How common is the practice of misspelling or piggybacking new names on top of established domain names? Antivirus vendor F-Secure did some Internet registry research and found variations of well-known financial institutions names registered to people in Nigeria. The numbers that F-Secure found are astounding: 497 domains have been registered with the name Citibank in them, 407 were registered with the name Bank of America, and a whopping 8,057 have been registered with the word eBay in them. Recently Microsoft published a new tool that allows companies to check common variations of their brand names for cybersquatters who might use those registered names to conduct phishing activity. What I don't understand is why the domain name registrars don't flag these obvious frauds from the outset.

What's in a picture? Everything
Again and again, this phishing study came back to the idea that the content on the page, not the address or the security icons displayed within the browser frame, mattered more to the sample group of highly educated Internet users. Worse, the authors concluded that legitimate, secure login pages from banking sites were not trusted by this sample group because they lacked pretty pictures. Within the study, one of the participants chose a fake Bank of the West login page simply because it had a professional-looking animation of a bear, whereas the legitimate Bank of the West login page did not. The participant reasoned the fraud site had to be real because "the animation was too professional."

What makes phishing so complicated is that often those "professional" graphics are legitimate, even when the page is not. Phishers commonly copy the HTML code from a legitimate site, using the graphics from legitimate servers while redirecting only the input lines and forms to their own sites. Realizing this, F-Secure suggested a simple solution: if the bank server gets a request to host an image on a page outside its domain, then the end user would not see that image but an image with text that reads, "If you see this message, don't type in your PIN." So far no financial institutions that I'm aware of have done this.

Indeed, the study authors conclude that e-commerce and financial sites should build pages that are difficult to spoof, and I imagine the task would be similar to the Federal Reserve redesigning U.S. currency. In recognition of color laser printers being used by counterfeiters, the Federal Reserve now embeds threads and ghost images within fabric of the 10, 20, and 100 dollar bills. Site designers could weave various watermarks within the page itself and restrict the redirection of images beyond their own domains.

Where are the new tools?
Technology may be able to help. McAfee SiteAdvisor changes color whenever you surf to an unsafe page, but if people aren't noticing the address bar change color, they won't notice the color change of a tiny icon in the corner of their browser. Microsoft is also touting new antiphishing tools that will be built within the upcoming Internet Explorer 7. Microsoft recognizes that people aren't necessarily looking at symbols or colors, so IE 7 displays instead a dialog box that says something along the lines of "We don't think this site is safe." Unless you click OK, you won't gain access to the page in question.

While these new tools will help, ultimately we need better-designed Web pages and more public awareness that serious fraud is possible on the Internet.

Have you ever fallen for a phishing attack? Talk back to me.