IanG on Tap

An 'IQ Test' for phishing has been doing the rounds lately. While I'm behind the general idea of a learning tool to teach people how to spot scams, I think this particular one has a flaw, because it encourages bad practice.

(Just in case you've not yet come across, it, phishing is a scam whereby you try to convince someone to reveal secrets by sending an email that purports to be someone else. For example, I get loads of emails every week claiming to be from a variety of banks, most of which I don't bank with. They use all the right graphics, and they link to web sites that look just like the real thing, only with a subtly wrong URL. The idea is to try and trick you into logging into this fake but convincing-looking site. If you type in your username password and any other information required to log into your bank account, the phishers now have this information. Depending on exactly how the bank usually authenticates you, they may or may not be able to log into your online bank account. Some banks deliberately don't ask for all your authenticating information each time you log in, so they might require several attempts. Or they could just ask you to reveal everything in one go - chances are if you got as far as typing in any credentials, you'll type in the whole lot if asked to... Phishing scams target all sorts of things - online banking, eBay accounts, webmail accounts - anything that might be used to the phisher's advantage.)

Using my normal techniques for determining whether a particular email is bogus or not, every single item in the 'IQ Test' scored high on my bogometer. Why? Two reasons, one of them good:

1. The domain is obviously wrong for the site it claims to be from - they are all hosted on the mailfrontier.com domain despite purporting to be from elsewhere. (Yes, I know, but this isn't the good reason...)
2. Every single link in the examples has been nobbled - they all attempt to display a URL in the status bar, but actually take you somewhere else entirely.

But according to the test, some of them are real. Of course point (1) is inevitable in a test web site, so we can ignore that - of course all of the examples in the test are on the test web site. It's point (2) that I think is really insidious. The reason they've nobbled all the links is so that they can bring up a message box if you actually try to follow any of the links. They all look something like this:

<a style="font-size:10pt" href="#" 
   onClick="MM_popupMsg('For the Phishing IQ Test, the Link has been disabled.')"
   onMouseOver="MM_displayStatusMsg('http://g.msn.com/3HMWENUS/1684');return document.MM_returnValue">

If you want to get full marks on the test, then you have to assume that the link it displays in the status bar is the real link.

But that's a TERRIBLE idea.

If you want to train people to be able to spot phishing scams, the last thing you should do is train them to trust what's in the status bar of their browser. The fact that this test fakes the contents of the status bar is surely proof enough that you can't trust the status bar. (In some browsers. Actually Firebird doesn't display anything in the status bar for these links.)

Of course this is a difficult problem. If they had just left the original link tags in there, then anyone who clicked on those links would have been taken through to the real phishing site, which is not really desirable. So I can see why they changed them, but I think it does more harm than good to train users to trust their status bar.