[Cryptography] phishing attack again - $300m in losses?

Michael Kjörling michael at kjorling.se
Mon Feb 16 14:51:04 EST 2015


On 15 Feb 2015 18:35 -0800, from huitema at huitema.net (Christian Huitema):
> Note that this is a very hard problem. For example, ensuring that
> the mail really comes from the source address "John Doe
> <john at example.com>" would help, but would still leave open forgeries
> like a source set to "John Doe <john2345 at email-for-dummies.com>".
> Part of the problem is indeed between the chair and the screen, and
> fixing that requires lots of work on the user interface.

I keep wondering about this; people repeatedly fall for exactly the
type of trap you are describing (as well as some others, obviously,
but let's deal with one problem at a time), yet I don't see even any
real _attempts_ at mitigation. Is there any MUA out there that, say,
categorizes sender email addresses? I'm thinking something like "red =
beware, new/unknown/suspicious address", "yellow = an address you have
had limited dealings with in the past" and "green (or whatever
standard color) = an address with which you have corresponded several
times in the recent past". Or some sort of symbols to aid those with
color-vision disabilities. That sounds like it could greatly reduce,
albeit admittedly far from eliminate, the attack vector you are
describing. If it can be combined with DKIM, SPF and perhaps even
cryptographic identities like matching up against PGP public keys, all
the better.

Something like that probably wouldn't do much to protect against
directed attacks, but it would probably do a _lot_ to reduce the
problem of random phishing going on. And even that would seem to me to
be a big win.

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)


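The red/yellow/green sender categorization proposed in the message above, worked through as an added example (this is not code from any MUA, nor from the thread's author). It classifies the From: address by the user's own correspondence history and separately flags the forgery Huitema describes: a familiar display name showing up on an unfamiliar address. The thresholds, the rule that "green" requires the user to have replied at least once, the ASCII symbols standing in for the colours, and the sample mailbox are all assumptions made for illustration; the `auth_passed` flag stands in for the DKIM/SPF result, which the message suggests combining with the history.

```python
"""Sender-address categorization for an MUA, as sketched in the thread.

Added example, not code from any mail client or from the thread's author.
Thresholds, the two-way requirement for "green", the symbols and the sample
history are assumptions made for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from email.utils import parseaddr

# Assumed policy knobs (the thread gives no numbers).
GREEN_MIN_EXCHANGES = 3             # recent messages needed for "green"
RECENT_WINDOW = timedelta(days=90)  # what "recent past" means here

# Symbols back up the colour for readers who cannot tell red/yellow/green apart.
LEVELS = {"green": "[ok]", "yellow": "[?]", "red": "[!!]"}


@dataclass(frozen=True)
class HistoryEntry:
    addr: str           # address at the other end of the message
    display_name: str   # display name the other party used ("" if none)
    when: date
    sent_by_user: bool  # True if the user sent this message, False if received


@dataclass(frozen=True)
class Verdict:
    level: str          # "green", "yellow" or "red"
    symbol: str
    name_reused: bool   # familiar display name on an unfamiliar address
    reason: str


def _norm(addr: str) -> str:
    return addr.strip().lower()


class SenderHistory:
    """Index of past correspondence, built from the user's mailbox."""

    def __init__(self, entries: list[HistoryEntry]) -> None:
        self._by_addr: dict[str, list[HistoryEntry]] = defaultdict(list)
        self._addrs_for_name: dict[str, set[str]] = defaultdict(set)
        for e in entries:
            a = _norm(e.addr)
            self._by_addr[a].append(e)
            if e.display_name:
                self._addrs_for_name[e.display_name.strip().lower()].add(a)

    def classify(self, from_header: str, today: date, auth_passed: bool = True) -> Verdict:
        name, raw = parseaddr(from_header)
        addr = _norm(raw)
        known = self._addrs_for_name.get(name.strip().lower(), set()) if name else set()
        # Huitema's forgery: a display name you know, on an address you don't.
        name_reused = bool(known) and addr not in known

        if not auth_passed:
            # Without DKIM/SPF the From address proves nothing; history is moot.
            return Verdict("red", LEVELS["red"], name_reused, "sender authentication failed")

        history = self._by_addr.get(addr, [])
        if not history:
            why = "unknown address"
            if name_reused:
                why += f"; display name {name!r} previously seen only on {sorted(known)}"
            return Verdict("red", LEVELS["red"], name_reused, why)

        recent = [e for e in history if today - e.when <= RECENT_WINDOW]
        two_way = any(e.sent_by_user for e in recent)
        # Assumption: "corresponded" means two-way. A stranger can mail you
        # repeatedly to build history, but cannot make you reply.
        if len(recent) >= GREEN_MIN_EXCHANGES and two_way:
            return Verdict("green", LEVELS["green"], name_reused,
                           f"{len(recent)} recent messages, two-way")
        return Verdict("yellow", LEVELS["yellow"], name_reused,
                       f"{len(history)} past messages, {len(recent)} recent, "
                       f"{'two-way' if two_way else 'inbound only'}")


# Constructed sample mailbox and reference date (not real traffic).
TODAY = date(2015, 2, 16)
_d = lambda days_ago: TODAY - timedelta(days=days_ago)  # noqa: E731
SAMPLE_HISTORY = [
    HistoryEntry("john@example.com", "John Doe", _d(3), False),
    HistoryEntry("john@example.com", "John Doe", _d(2), True),
    HistoryEntry("john@example.com", "John Doe", _d(1), False),
    HistoryEntry("bob@example.net", "Bob", _d(200), False),
    HistoryEntry("alice@example.org", "Alice", _d(10), False),
    HistoryEntry("alice@example.org", "Alice", _d(9), True),
    HistoryEntry("news@example.com", "Weekly News", _d(7), False),
    HistoryEntry("news@example.com", "Weekly News", _d(14), False),
    HistoryEntry("news@example.com", "Weekly News", _d(21), False),
    HistoryEntry("news@example.com", "Weekly News", _d(28), False),
]
HISTORY = SenderHistory(SAMPLE_HISTORY)


def classify(from_header: str, auth_passed: bool = True) -> Verdict:
    return HISTORY.classify(from_header, TODAY, auth_passed)


if __name__ == "__main__":
    for hdr in ["John Doe <john@example.com>",
                "John Doe <john2345@email-for-dummies.com>",
                "Bob <bob@example.net>", "Weekly News <news@example.com>",
                "stranger@example.com"]:
        v = classify(hdr)
        print(f"{v.symbol:5} {v.level:7} {hdr:45} {v.reason}")
```

Note what the history does and does not catch: the lookalike "John Doe <john2345 at email-for-dummies.com>" is red with an explicit warning that the name was only ever seen on another address, a newsletter that has mailed you four times but never received a reply stays yellow, and a failed DKIM/SPF check overrides the history entirely. A targeted attacker who first gets you into a short back-and-forth would still earn green, which is the "directed attacks" limitation the message concedes.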