A few thoughts on phishing

It’s no secret that I write blog posts a few days in advance.  When I’m on a roll, I am sometimes a week or more ahead.  Well right now it is getting kinda late-ish on Wednesday night, and I don’t anticipate having much time to write on Thursday.  Since I have no other posts ready to go, I have to write Friday’s now.  Difficulty: I’m not feeling very well.  Oh yes, and I’m not really sure what to write about.

I guess I’ll write about phishing. Not the kind you do with your grandpa on a lazy summer day, but the kind that cleans out your bank account and runs over your cat.  It’s been many years since I first started seeing warnings on AOL chat windows letting me know that AOL employees will never ask for my password. Yet here we are, over a decade later, and it is still a real problem.  As recently as a year ago, a professor in my department fell victim to one of the “reply to this message with your username and password” e-mails that occasionally get sent to people at large universities.

Of course, most phishing attempts are a bit more subtle.  Perhaps they include the university (or bank, or whatever) logo, complete with a link to an authentic-looking website.  Just enter your login information and voilà, your credentials are in the hands of the bad guys.  So how do you combat this?

As an admin, there’s not much you can directly do; it all comes down to user education.  Unfortunately, while user education is very effective, it is notoriously difficult to achieve.  People don’t want to bother thinking about whether the message they got from me has a valid S/MIME signature attached.  They’ll probably do whatever I tell them to do, whether or not I’m actually the one telling them.

Some people have taken to encouraging people not to click any links in e-mails (which is a good idea, but let’s face it, we all click links because it’s too damn inconvenient not to) and putting spaces between each character in the “http://” portion of the URL to prevent mail clients from automatically creating links.  I get the idea, but I think it’s generally silly.  For one, it looks funny and takes up extra space on the line.  For two, it doesn’t really address the problem.  Sure, the idea is that people will copy and paste the URL into their browser, but a sufficiently tricky phisher can create a URL that looks close enough to legitimate that a distracted victim wouldn’t notice.  It also relies on the fact that people have been taught not to click on links in e-mail, which is pretty much a universal behavior, even among those who should know better.

There’s also some debate on whether or not it is appropriate to tell users about the latest round of phishing attempts.  My take, and several of my colleagues agree with me, is that telling users is a bad idea.  It might seem counter-intuitive, but consider this: if you always tell users, you’ll train them to think that their friendly admin will always let them know when the bad guys are at it again.  So then that one time you miss sending out a message, some users will assume it is legitimate and fall victim.

So what’s the solution?  If I knew that, my blog would be as famous in the information security business as it currently isn’t. Realistically, it comes down to doing a better job of user education, but that’s hard.  And it doesn’t really address the “how” aspect. Somehow, we have to train people not to click unverified links, and that starts with changing our own behavior.  Greater use of digitally signed e-mail is a good idea too.  There was an interesting discussion on Reddit about this earlier.

Where do we go from here? And how will we try to keep up with/ahead of the bad guys?