Sunday, December 31, 2006

how to recognize phishing emails the easy way

perhaps you've seen this phishing iq test before... if not, that's ok - it's basically a bunch of examples of legitimate emails and phishing emails and you have to try and figure out which are which... the root concept is that there are these heuristics or rules of thumb that you can apply so as to determine whether a particular email is phishy just by looking at it...

the fact that browsers now come with anti-phishing technology built in that tries to identify a phishing site just by looking at the URL is strong evidence that those rules of thumb for detecting phishing emails are a failure but take the test and look at some of those rules at the end and see if you can determine why those rules aren't going to work... if you ask me, those rules are just too complex for the average person to remember or apply... add to that the fact that the characteristics of a legitimate email are possible in phishing emails (for example, ebay starts their emails to you with your ebay user name but anyone who has interacted with you on ebay knows that user name and thus has the information necessary to make a convincing fake ebay email)... finally take into account that legitimate emails often display phishy characteristics (both in the test, where only one of the emails was completely free of phishy characteristics, and in this real world example) and it becomes clear that not only are the rules complex but they're pretty much completely unreliable too...

after getting through that test, if you're like me you're probably saying to yourself "there must be an easier way"... so you can imagine how glad i am that i don't need to try to remember and follow those screwy rules... instead, i do something i touched on in my spam avoidance article - i use disposable email addresses... now, while the spam avoidance techniques actually apply to pretty much all forms of email annoyance (if the bad guys don't know your email address they can't send you bad email), i'm actually talking about more than just keeping my email address out of the hands of phishers, something that works even when your real email address is known to the bad guys... i use unique (a different one for each site) unguessable disposable email addresses provided by sneakemail.com and then when i get an email from ebay or paypal or my bank i check and make sure that it was sent to the right address for that organization...

here's how the magic works - let's say i create an address like mgbwklw02@sneakemail.com and give that address to ebay and no one else... the address is a secret that only ebay and myself know and no one else can guess so when i get an ebay email sent to that address i'll know that it was sent by ebay because they proved who they were by using a secret known only to ebay and myself... it's like knowing the secret passphrase or handshake to get into an exclusive club (or, more technically, it's like a shared secret authentication protocol)... alternatively, if i get an email supposedly from ebay but sent to some other email address i'll know it's fake because it was sent to some address that i never gave to ebay in the first place... if someone really, really wanted to send me a convincing fake ebay email they would have to either guess exactly the right email address to send to or guess the label i gave my ebay address (sneakemail.com allows you to label your disposable addresses and includes that label in the From: field to help you determine which address the email was sent to) and try to forge a sneakemail.com header...
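the check described above, written out as a small python script (an added example, not something from the post or from sneakemail.com): it keeps one secret disposable address per organisation, works out which organisation a mail claims to come from by looking at the From: header, and accepts the mail only when it was actually addressed to that organisation's secret address... the addresses, organisation keywords and sample messages are all made up for the example...

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed mapping: organisation keyword -> the one secret disposable
# address given only to that organisation (hypothetical addresses).
SECRET_ADDRESSES = {
    "ebay": "mgbwklw02@sneakemail.com",
    "paypal": "qz7rt1kd9@sneakemail.com",
}

def claimed_org(msg):
    """Which organisation the mail claims to be from, judged from the From:
    header (display name and address alike, since both can be forged)."""
    header = msg.get("From", "").lower()
    return next((org for org in SECRET_ADDRESSES if org in header), None)

def recipient_addresses(msg):
    """Every address the mail was actually delivered to or addressed to."""
    fields = (msg.get_all("Delivered-To", []) + msg.get_all("To", [])
              + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def classify(raw):
    """Return 'expected' only when a mail claiming to come from an
    organisation reached the secret address given to that organisation."""
    msg = message_from_string(raw)
    org = claimed_org(msg)
    if org is None:
        return "unknown-sender"      # no secret address for this sender
    recipients = recipient_addresses(msg)
    if SECRET_ADDRESSES[org] in recipients:
        return "expected"
    # Sent to a secret that belongs to a different organisation: the sender
    # obtained an address we never gave them, so treat it as phishing.
    if any(a in recipients for a in SECRET_ADDRESSES.values()):
        return "wrong-address"
    return "unknown-address"         # not an address given to this sender

# Constructed sample messages (not real mail).
GENUINE = ("From: eBay <noreply@ebay.com>\r\n"
           "To: mgbwklw02@sneakemail.com\r\n\r\nYour item sold.\r\n")
CROSSED = ("From: eBay Security <security@ebay.com>\r\n"
           "To: qz7rt1kd9@sneakemail.com\r\n\r\nConfirm your account.\r\n")
SPOOFED = ("From: \"eBay Support\" <help@example.net>\r\n"
           "To: victim@example.org\r\n\r\nClick here to verify.\r\n")

if __name__ == "__main__":
    for name, raw in (("GENUINE", GENUINE), ("CROSSED", CROSSED), ("SPOOFED", SPOOFED)):
        print(name, classify(raw))
```

only "expected" passes; "wrong-address" and "unknown-address" are the two ways a mail can fail the rule, and the script never needs to look at how the email was worded...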

could using unique unguessable disposable email addresses for sites/organizations and ignoring emails sent to the wrong address for the site/organization in question qualify as an anti-phishing safe hex rule? i think so... although it requires a little more work up front (creating a new address each time you create an account somewhere), it's conceptually simpler than the multitude of rules currently being suggested and it's a lot more reliable too since it doesn't depend on questionable criteria such as how the email was composed...
