Smart Stupid People Click Phishing Links

FrgMstr

The Associated Press has uncovered that Fancy Bear hackers have "come within reach of stealing some of the nation's most secret and advanced defense technology." The AP's crack team of investigators has uncovered that people at "defense giants like Lockheed Martin Corp., Raytheon Co., Boeing Co., Airbus Group and General Atomics were targeted," are stupid enough to click phishing links. In other news, don't click that link in an email, pretty much ever.


Most of the people on the target list worked on classified projects. Yet as many as 40 percent clicked on the hackers’ phishing links, the AP analysis indicates. That’s the first step in potentially opening their accounts or computer files to digital theft.
 
If there only was a way to prevent this.
It's not as if lists such as https://www.phishtank.com/ don't exist. I guess their network admins can't be bothered to check the list for phishing sites and block them. Nope, must be too hard.

It's not as if people should be smart enough to look at the underlying URL before they load the damn thing in their browser. Oh, and verify the sender...

Common sense isn't so common anymore.
 
It's not as if people should be smart enough to look at the underlying URL before they load the damn thing in their browser. Oh, and verify the sender...

Common sense isn't so common anymore.
Sometimes it's not that simple.
Some people get hundreds of emails every single day. Quickly glancing at a hyperlink which is off by one character and sends you to a phishing site isn't too uncommon.
The fact that lists out there exist and the company's DNS servers can be used to redirect them to a temp page that shows them that this was listed as a phishing site and to contact IT if they think it's listed in error would eliminate 99.999% of the issue.

The alternative of not sending urls in emails or not linking anything in emails is so business stupid, it hurts.
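The resolver-side check the post describes, as an added example that is not from the thread or any product: a queried hostname is answered with the address of an internal "this was listed as a phishing site, contact IT" page when it is on a feed like PhishTank or is one character off from a domain the company's users legitimately use. The blocklist, trusted domains and sinkhole address are all constructed for the example.

```python
"""Added example: DNS sinkhole policy for listed and lookalike phishing hosts."""

# Stand-in for a feed such as PhishTank; these hosts are invented.
BLOCKLIST = {"secure-login.example-phish.test", "mail.examp1e.test"}
# Domains the company's users legitimately visit every day (constructed).
TRUSTED = {"example.com", "mail.example.com", "portal.example.com"}
SINKHOLE_IP = "10.0.0.53"   # assumed address of the internal warning page


def edit_distance(a, b):
    """Levenshtein distance; short hostnames make the O(n*m) table cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the trusted domain this host is within one edit of, else None."""
    host = host.lower()
    if host in TRUSTED:
        return None
    for good in TRUSTED:
        if edit_distance(host, good) == 1:
            return good
    return None


def resolve_policy(host):
    """Map a queried hostname to ('sinkhole', reason) or ('allow', None)."""
    host = host.lower().rstrip(".")
    if host in BLOCKLIST:
        return ("sinkhole", "listed as phishing")
    seen = lookalike_of(host)
    if seen:
        return ("sinkhole", f"one character off from {seen}")
    return ("allow", None)


def answer(host):
    """What the resolver hands back: the warning page's IP, or 'forward' to
    pass the query on to the normal upstream resolver."""
    verdict, _reason = resolve_policy(host)
    return SINKHOLE_IP if verdict == "sinkhole" else "forward"


if __name__ == "__main__":
    for name in ("portal.example.com", "portal.exampIe.com",
                 "secure-login.example-phish.test", "example.co"):
        print(name, resolve_policy(name), answer(name))
```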
 
Smart in one field doesn't imply smart in all fields. Someone might be very good at designing hyper-sonic jet engines yet fail to grasp why a 'nude Brittany' email might be dangerous. An email system that depends on the end user's common sense is pretty much a failure. Blocking all url's that link to outside destinations is a good start. Allow for someone in Cyber Security to do a case by case override.
 
.. and this is why my company runs random phishing link tests to our users. Still haven't gotten to implementing my 'wall of shame', but one day.. one day.
 
Same thing happened to the Clinton Campaign Leader.. Who got phished and they accessed his account and released all of his emails. Unfortunately he never denied the contents of those emails.
 
.. and this is why my company runs random phishing link tests to our users. Still haven't gotten to implementing my 'wall of shame', but one day.. one day.
I have done this myself, however I do have a wall of shame.
I have caught all the main employees.
:)
 
Almost every woman over 40 that I have ever seen search Google on their iPhone has no concept that the top links are all paid advertising content and believes that they are clicking on actual neutral content that is the best for them. There's a reason why people still phish: because it just works. There are enough foolish people that don't understand how computers/networks really work and just make decisions without the proper knowledge to comprehend their ramifications. Knowing how to use a keyboard and send an email or surf the web is not the same as understanding programming, networking and hardware. There is absolutely no correlation.

Just because someone could be a doctor or PhD scientist doesn't mean that they have any concept of computer programming, networking, etc. People tend to be specialized in a limited number of areas, which can give them the perception of being smart; however, when it comes to computers, unless you actually know your shit, none of that other ancillary ability really matters.
 
Expecting that Nigerian Prince to be transferring funds into my bank account any day now.
 
I don't use HTML in work emails and it has ZERO impact.
I guess you don't do the same work I do. I have daily reports going out using tables in HTML. It's all automated, but it would sure be annoying to have to attach a file to the emails or something else that's not easily renderable on a smartphone.
I have Dropbox links to file packages that are over 10-20 meg in size.
Posting an image when debugging something and having text in-line helps when trying to describe problems.

Email isn't just text. It's information, and ordering that information in an easy to understand way is what makes it that much more valuable than a phone conversation.
If you treat it exactly like a phone conversation then you're doing it wrong.
 
They do that where I work. They sent out a mass mailing, with an external link asking for us to reenter our credentials or lose access to the medical program we use to do everything. About 20% of our 3500 employees clicked the link, and 5% actually filled out the entire form.

This after repeated warnings not to click external links.
 
I guess you don't do the same work I do. I have daily reports going out using tables in HTML. It's all automated, but it would sure be annoying to have to attach a file to the emails or something else that's not easily renderable on a smartphone.
I have Dropbox links to file packages that are over 10-20 meg in size.
Posting an image when debugging something and having text in-line helps when trying to describe problems.

Email isn't just text. It's information, and ordering that information in an easy to understand way is what makes it that much more valuable than a phone conversation.
If you treat it exactly like a phone conversation then you're doing it wrong.

Work email is what you need it to be for your job, so you telling me I am doing it wrong is just asinine. We eliminated the daily reports via email a long time ago and now we have web portals where authorized users can log in if they want to see reports that are generated.

We have a policy of not clicking on links without verifying senders first, and our emails automatically identify and flag outside external senders to give you additional warnings that links and attachments may be dangerous.
 
Work email is what you need it to be for your job, so you telling me I am doing it wrong is just asinine. We eliminated the daily reports via email a long time ago and now we have web portals where authorized users can log in if they want to see reports that are generated.

We have a policy of not clicking on links without verifying senders first, and our emails automatically identify and flag outside external senders to give you additional warnings that links and attachments may be dangerous.
You said it was A-OK to disable HTML from emails and that you don't use them at work. How in the world do you click on links in plain text then?
 
You said it was A-OK to disable HTML from emails and that you don't use them at work. How in the world do you click on links in plain text then?

Have you ever heard of copy and paste into a browser? And I don't use HTML; I set my client to send TEXT only. So do a lot of people at my work.

That's actually policy in the USAF, that and disabling preview.

Funny they still get work done too..
 
Have you ever heard of copy and paste into a browser? And I don't use HTML; I set my client to send TEXT only. So do a lot of people at my work.



Funny they still get work done too..
So copying and pasting links into a browser is safer than clicking a link? Sounds like stupid hurdles for stupid people that don't give an inch of extra security.

As for the portals for reports, yeah, we have that as well. But for daily non-sensitive information and considering our enterprise reporting system isn't accessible outside the network, html reports work perfectly.
 
So copying and pasting links into a browser is safer than clicking a link? Sounds like stupid hurdles for stupid people that don't give an inch of extra security.

As for the portals for reports, yeah, we have that as well. But for daily non-sensitive information and considering our enterprise reporting system isn't accessible outside the network, html reports work perfectly.

It's a lot harder to hide what you are clicking on in plain text than it is in HTML. If I put this link vs https://www.google.com/search?q=goa...5TZAhWKtVkKHY5qDd0Q_AUICigB&biw=1536&bih=1100 in an email, you can at a minimum know at least what domain you are going to be visiting. Clicking the first link is inherently more dangerous than taking the time to use the second one...
 
It's a lot harder to hide what you are clicking on in plain text than it is in HTML. If I put this link vs https://www.google.com/search?q=goa...5TZAhWKtVkKHY5qDd0Q_AUICigB&biw=1536&bih=1100 in an email, you can at a minimum know at least what domain you are going to be visiting. Clicking the first link is inherently more dangerous than taking the time to use the second one...
Because hovering over a link to see the full text is too hard and difficult for people to do? That's a lame excuse.
 
It's a lot harder to hide what you are clicking on in plain text than it is in HTML. If I put this link vs https://www.google.com/search?q=goa...5TZAhWKtVkKHY5qDd0Q_AUICigB&biw=1536&bih=1100 in an email, you can at a minimum know at least what domain you are going to be visiting. Clicking the first link is inherently more dangerous than taking the time to use the second one...
Also, linking a search for goatse on an SFW board is a bit iffy. I hope you don't get anyone fired.
 
Folks should hover over the links and gauge if they feel the urge to click is worth whatever may reveal itself on the other end. Otherwise it's a lame excuse if they get fired.
 
Because hovering over a link to see the full text is too hard and difficult for people to do? That's a lame excuse.
Stop being so obtuse.

If the convenience of not having to think about it is there, someone will take convenience over safety at some point, no matter how informed they are about what's actually safe and proper to do. Smart users will do it just as much as stupid ones if they're busy enough that they'd rather save the few seconds so that they can rush on to the next urgent task they think is more significant than proper security protocol, which 95% of the time is wasted on being vigilant, checking links that aren't dangerous.

And let's be honest, smart employees are often the most busy because bosses and managers rely on them more due to their competence, and end up dumping workload onto them.

By making it essentially mandatory to do the check, you waste little to no time (copying and pasting is not appreciably slower than hovering before clicking), and you FORCE proper link identification, no matter how stupid, or how over-busy, someone is.
 
Stop being so obtuse.

If the convenience of not having to think about it is there, someone will take convenience over safety at some point, no matter how informed they are about what's actually safe and proper to do. Smart users will do it just as much as stupid ones if they're busy enough that they'd rather save the few seconds so that they can rush on to the next urgent task they think is more significant than proper security protocol, which 95% of the time is wasted on being vigilant, checking links that aren't dangerous.

And let's be honest, smart employees are often the most busy because bosses and managers rely on them more due to their competence, and end up dumping workload onto them.

By making it essentially mandatory to do the check, you waste little to no time (copying and pasting is not appreciably slower than hovering before clicking), and you FORCE proper link identification, no matter how stupid, or how over-busy, someone is.
I'm not being obtuse. Links are made for clicking. Hovering over links to make sure they're correct is just something that's normal to me and probably a whole heap of other people.

If employees are too busy to manage their security, then there should be other systems in place that manage it for them. External emails with dubious links should be analyzed and put into the spam folder (or blocked entirely). The DNS should be restricted to block known phishing sites, just like web content typically is.

Forcing people to copy and paste into a browser isn't any more secure. You're just making it take longer. Slowing down productivity isn't the correct way to address security issues. In both cases you're relying on things that can lead to humans making errors.
 
My company does random phishing checks throughout the year. If you click the link or open the attachment it takes you to a "we are conducting a test. You just failed" type page with links to data integrity and other internal stuff. I think it took about 2 tries before I was able to get everyone on my team to "STOP *(&^#$ OPENING EVERYTHING THAT COMES IN!!!" Not sure why it's so hard to not open links from names you don't recognize.
 
The bottom line is that you're fucked either way. You can let users have all the freedom they want, embedded HTML, links, photos, attachments, and a certain percentage will fuck up no matter how much you train them. Or, you can take those freedoms away, which will add to their workload and decrease efficiency, and they will find new and exciting ways to fuck up. The way forward is a change in culture, to make each user aware that they are the front line of IT security, they are responsible for maintaining that security to the best of their ability, and that "I'm not good with computers" is no longer a valid excuse if your work is going to rely on operating them. Not understanding how a hard drive works is fine. Not understanding the pitfalls of email and how to best avoid them is not.

In my experience, the average user does not know how to mouse over anything. They don't know how to check senders' addresses for evidence of phishing. They don't know what an email client, web browser, or username is, even though they use them every single day. The change in culture will happen naturally, but it may take decades. In the meantime, send out regular phishing tests and reprimand the repeat offenders. People will get the point eventually if you continually hit them over the head with it.
 
The bottom line is that you're fucked either way. You can let users have all the freedom they want, embedded HTML, links, photos, attachments, and a certain percentage will fuck up no matter how much you train them. Or, you can take those freedoms away, which will add to their workload and decrease efficiency, and they will find new and exciting ways to fuck up. The way forward is a change in culture, to make each user aware that they are the front line of IT security, they are responsible for maintaining that security to the best of their ability, and that "I'm not good with computers" is no longer a valid excuse if your work is going to rely on operating them. Not understanding how a hard drive works is fine. Not understanding the pitfalls of email and how to best avoid them is not.

In my experience, the average user does not know how to mouse over anything. They don't know how to check senders' addresses for evidence of phishing. They don't know what an email client, web browser, or username is, even though they use them every single day. The change in culture will happen naturally, but it may take decades. In the meantime, send out regular phishing tests and reprimand the repeat offenders. People will get the point eventually if you continually hit them over the head with it.
I agree. However there's some interesting collaboration with technology that could really be used to limit this issue. Stuff that's kind of something that exists that people haven't done yet.

Just combine OpenCV with a browser bot. Anytime a new external link comes in, have OpenCV compare the website to known existing websites and see if it has too much of a similarity and block it. That would probably eliminate the phishing sites that are designed to look like something else. Combine that with known blacklists and that should eliminate the problem to a fraction of what it is today.
If people really need the link, have them email IT.
This is just something simple that I could think of off the top of my head. There's almost no need to rely solely on people to figure this out or understand the culture.
 
The latest unsuccessful phish from yesterday: an email from my Aunt. Who has been dead for 6 months :D

All it said was "Hi Defaultluser!" Then a fairly obvious phishing link. They were not even trying with this one.

If people are falling for obvious shit like that, I don't know what to do with them.
 
Sometimes it's not that simple.
Some people get hundreds of emails every single day. Quickly glancing at a hyperlink which is off by one character and sends you to a phishing site isn't too uncommon.
The fact that lists out there exist and the company's DNS servers can be used to redirect them to a temp page that shows them that this was listed as a phishing site and to contact IT if they think it's listed in error would eliminate 99.999% of the issue.

The alternative of not sending urls in emails or not linking anything in emails is so business stupid, it hurts.


Ummm, but that's exactly what the Army does on NIPRNET .............:cautious:
 
That's retarded. Might as well disable HTML in emails and see how much work gets done.

It's not stupid, it's exactly what the Army does.

Of course, you could have challenged how much work was being done before we had the internets so ......
 
I guess you don't do the same work I do. I have daily reports going out using tables in HTML. It's all automated, but it would sure be annoying to have to attach a file to the emails or something else that's not easily renderable on a smartphone.
I have Dropbox links to file packages that are over 10-20 meg in size.
Posting an image when debugging something and having text in-line helps when trying to describe problems.

Email isn't just text. It's information, and ordering that information in an easy to understand way is what makes it that much more valuable than a phone conversation.
If you treat it exactly like a phone conversation then you're doing it wrong.


The first problem here is that you're trying to use email as a conduit for this work. It adds increased risks.

But that is the whole nature of the beast. Security is all about balancing performance and capabilities against risks. You can develop a great business process but to leverage that process there will be risks. There are things you can do to reduce or mitigate some of the risks but in the end it will come down to a decision to be made, what do I gain, and what do I risk, do the math.

So while I can call out your process as risky, it doesn't mean that the gains don't outweigh those risks. I could never make that decision for you; it's a question you and your company have to answer.
 
So copying and pasting links into a browser is safer than clicking a link? Sounds like stupid hurdles for stupid people that don't give an inch of extra security.

As for the portals for reports, yeah, we have that as well. But for daily non-sensitive information and considering our enterprise reporting system isn't accessible outside the network, html reports work perfectly.

Umm, the text of a link doesn't have to match the url itself. Come on, you've clicked here before right?

Actually, the Army doesn't remove the URLs it identifies; it puts something like <Warning> in front of a text-only copy of the URL the link represents. If the URL looks good you can cut and paste it into a browser and go on your merry way. And of course we have regular training, but some people never get it, so there's that.
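The two points above, that link text need not match the href and that a text-only copy of the real URL can be prefixed with <Warning>, as an added example that is not from the thread or from any Army tooling: it pulls every link out of an HTML body, flags the ones whose visible text looks like a URL on a different host, and emits the plain-text rendering. The sample message and its hosts are constructed.

```python
"""Added example: detect display-text/href host mismatches in HTML mail and
render a text-only copy with a <Warning> prefix on the deceptive ones."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Lower-cased hostname of a URL; a bare 'host/path' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def link_is_deceptive(text, href):
    """True when the visible text itself looks like a URL but the real
    destination is on a different host (the classic lookalike-link trick)."""
    looks_like_url = "." in text and " " not in text
    text_host = host_of(text) if looks_like_url else ""
    return bool(text_host) and text_host != host_of(href)


def text_only_with_warnings(html):
    """One line per link: '<Warning> ' is prepended when text and href disagree."""
    lines = []
    for text, href in extract_links(html):
        prefix = "<Warning> " if link_is_deceptive(text, href) else ""
        lines.append(f"{prefix}{text} -> {href}")
    return "\n".join(lines)


# Constructed sample body; the hosts are invented for the example.
SAMPLE = ('<p>Reset at <a href="http://login.example-phish.test/reset">'
          'https://portal.example.com/reset</a> or see '
          '<a href="https://portal.example.com/help">the help page</a>.</p>')

if __name__ == "__main__":
    print(text_only_with_warnings(SAMPLE))
```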
 
Umm, the text of a link doesn't have to match the url itself. Come on, you've clicked here before right?

Actually, the Army doesn't remove the URLs it identifies; it puts something like <Warning> in front of a text-only copy of the URL the link represents. If the URL looks good you can cut and paste it into a browser and go on your merry way. And of course we have regular training, but some people never get it, so there's that.
Yeah, but I'm thinking about corporations when I talk about security. For the military, security has a whole different meaning. Lives will always be more important.

The problem when it comes to security is either you restrict everything to deal with the lowest common denominator, in which case you create artificial hoops for people to jump through. The smarter worker will actively try to circumvent those barriers because they're interfering with their job. That opens up a whole bunch of other problems down the line when they do figure out a way around whatever stupid thing you put in place and share it with everyone.

Or you take the smarter approach and figure that to really be secure is to plan for people to get infected and plan for people to fall for phishing schemes/ransomware eventually (because eventually someone will be dumb enough to get in trouble with this) and put systems in place to mitigate any potential damage. Daily/weekly backups, for starters, are a good way to get around half the problem. With phishing sites, monitoring internet traffic and blocking known phishing sites is a way to prevent this. Routinely testing people with phishing sites made to test employees and having the ones that fail take a mandatory class is another way to prevent it through education. Making sure everyone is using ad/popup blockers in their browsers and limiting access to sensitive information is yet another. Starting to use 2 factor authentication is yet another one, which will eliminate the effectiveness of most phishing sites.

My whole point is disabling HTML in emails is like the least effective way to prevent phishing.
 