Maybe there could be some research on any correlation between the "quality" of the data "revealed" and the likelihood of successful phishing. Or would that be helping the bad guys too much?

Well, I find it extraordinarily interesting. Good luck to all of you. And I'm sure you'll do fine. Really. Just fine.

Assume (for the purposes of my re-telling this story) that a given horse race has ten horses in it.

So the scammer sends to a thousand people a letter saying he has a system for knowing the race winner, and to prove it, he'll tell them the winner of a particular upcoming race.

One hundred of the letters name the first horse, one hundred name the second horse, etc.

After the race, he writes again to the hundred people who got the winning horse, and makes the same offer. Ten letters name the first horse, ten the second, etc.

Then he writes to the ten people whose horse won the second race, and says, "If you want any more, you'll have to pay."

They've just gotten the winners on two races. They might be inclined to believe him.
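A simulation of the winnowing described in this comment, added here as an illustration rather than as part of the original post: the race winners are drawn at random (constructed data), since the scammer does not control them, and the script counts how many marks are still receiving letters after each round. It also generalises the 1000/10/10 figures to any number of marks, horses and rounds.

```python
"""Simulation of the free-prediction (horse race) scam described above.

Added example, not part of the original comment. Race winners are drawn at
random (constructed data) because the scammer does not control them; what
the simulation shows is that the number of marks still receiving letters
after r rounds is N / k**r whatever the outcomes were.
"""
import random


def run_scam(n_marks=1000, k_horses=10, rounds=2, seed=3):
    """Run `rounds` free predictions and return (survivors, history).

    survivors: ids of the marks who have seen every prediction come true
    history:   one (winning_horse, marks_left) pair per round
    Each round the current marks are split as evenly as possible across the
    k horses, and only those whose letter named the winner are written to again.
    """
    rng = random.Random(seed)
    marks = list(range(n_marks))
    history = []
    for _ in range(rounds):
        # mark i in the current list is told horse (i mod k) will win
        predictions = {m: i % k_horses for i, m in enumerate(marks)}
        winner = rng.randrange(k_horses)      # the scammer does not control this
        marks = [m for m in marks if predictions[m] == winner]
        history.append((winner, len(marks)))
    return marks, history


def survivors(n_marks=1000, k_horses=10, rounds=2, seed=3):
    """How many marks are left to be asked for money after `rounds` rounds."""
    return len(run_scam(n_marks, k_horses, rounds, seed)[0])


if __name__ == "__main__":
    marks, history = run_scam()
    for round_no, (winner, left) in enumerate(history, start=1):
        print(f"race {round_no}: horse {winner} won, {left} marks still believe")
    print("asked to pay:", len(marks))
```

Whatever seed you use, ten marks are left after two races with ten horses, one after three; the scam needs at least k**r marks to be sure of having anyone left to bill.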

> I got a phishing email purporting to be Bank of America, which is my current email. ....

> It was pretty funny seeing all the typos in the page

Didn't you mean "my current _bank_"? You thought you were investigating a phish, while in actuality you've now caught the "infective typo meme". Everyone redding your posts now will start two make ...

Never mind.

So all someone needs to do is pick a common credit card number, which is especially easy if you target a specific area and have access to a bank card from that area.

I remember a while back I got a phishing email purporting to be Bank of America, which is my current email. It struck me as odd, and I had to examine it for a while before I determined that it was indeed fake. I still followed the link just out of curiosity (I had literally never gotten a phishing email), but didn't input my credentials. It was pretty funny seeing all the typos in the page, which looked very much like a BoA page.

The last four digits are often not random, especially for large companies. I cannot tell you the number of times I've seen consecutive cards in a sort of sequential order, e.g. xx10 is one, while the next is xx28, followed by xx36, xx42, and onwards.

Even if this only cuts it down by 1 digit, that's from 10,000 down to 1,000, giving a possible 10x increase in response rate. Certainly worth doing if you are playing the odds.

That would be useful for test/audit data.

So, how many people directly involved in the phishing study are women?

If you pick 4 digits at random, 10,000 times, you aren't guaranteed to get 1 hit (assuming you email someone different each time). There's a 37% chance of getting 0 hits, a 37% chance of getting 1 hit, an 18% chance of getting 2 hits, a 6% chance of getting 3 hits, and a 1.5% chance of getting 4 hits. There's a 0.37% chance of getting 5 or more hits.

If you send out 10,000 of these emails every day, you will average 1 hit per day, but the exact number of hits per day will follow the odds listed above.

(I'm assuming the last 4 digits of credit card numbers are set randomly.)

If a target received an email with 3 out of 4 numbers correct, I bet they'd think it was just a typo or a "computer error". Especially if the incorrect digit was first or last in the 4-digit sequence.

Start with Social Security Numbers. They should be unique.

Then match as much information as you can to them. Name, sex, age, address, phone numbers, any account information.

Then match those items to other items on other people. As in the article, if the phishing message APPEARS to come from someone you know, you are likely to follow the link.

And all it takes is one exploit on your computer and they can sort through all your financial data and email.

They then use that information to tune their phishing for your friends and such.

Eventually the bad guys will have more information about you than you do.

It's like that Harvard/MIT study where most Internet banking users paid no attention when the space for the authentication image said "server down."

All that matters is that the representation is believable by the target. To be believable, it must fit the target's needs for belief.

The worst case I've encountered was a corporate human resources management system, which appeared to "farm out" part of the management functions to another site. Moreover, the last four digits of my SSN were part of my USERNAME!

I had to complain several times to get my username changed, but no one seemed to understand my concern about the URL.

Each spam email I receive is sent directly to spamcops, and each phishing email is reported to castlecops.


You send one email each to 10,000 people. Only one in 10,000 responds, but if you sent out enough emails it could be profitable.

If we start seeing phish mails supposedly from a particular bank's credit card branch, which references the appropriate first four digits of the card, and if we hadn't seen such tactics before, that's a good sign someone is doing their homework...

However, there are subtleties to this: for instance, the algorithm used to generate valid charge numbers might generate them in an order. Since not all numbers have been generated yet, a better chance of a last-four match would occur earlier in the sequence. Although this sequence might be different for each 'first four'.

There is a finite chance that there will be no matches or more than one match for a four-digit pick; the odds of at least one match out of 10,000 emails, given a uniform distribution of issued 'last four' digits, are greater than the probability of one and only one match (which is 1:10,000).

If you send out the same last-four to everyone, then you'll still have a 1-in-10000 probability per email, over the long term. But that method is more sensitive to the distribution of numbers in a small sample.


Well, providing for the fact that it's 10,000, not 1000...

Each message sent would have a 1:10000 chance of being correct, assuming perfectly random distribution. When you send it to more than one person, however, you have the added complication that they might share the last four.

If you send it to 10000 people, each of whom has a unique last four, you'll get exactly one match. But since you're not guaranteed uniqueness, it's an application of the birthday problem - how likely is it that any two victims share the last four? I don't have the data to crunch the numbers on this one, but in a large enough group you'll still have a decent chance.

Of course, if you send DIFFERENT guesses to each mark, that changes things....
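The odds quoted earlier in the thread (37% chance of no hits, 37% of exactly one, 18% of two, and so on for 10,000 guesses) and the same-guess versus different-guess question raised in the last few comments can both be checked directly. The Python below is an added example, not code from the original thread. Its "skewed" issuance model is a constructed assumption (most recipients' cards drawn from one sequential block of 100 endings, in the spirit of the sequential-numbering comment above), as are the 10,000-recipient mailing and the specific block it uses.

```python
"""Odds of guessing a card's last four digits in a mass mailing.

Added example for this thread, not code from the original posts. The
'skewed' issuance model below is constructed for illustration: it assumes
most recipients hold cards from one sequential block of 100 endings.
"""
import math
import random

N_RECIPIENTS = 10_000      # one mailing = 10,000 emails, as in the thread
SPACE = 10_000             # 10^4 possible four-digit endings
BLOCK_START, BLOCK_SIZE = 1000, 100   # constructed sequential block (assumption)


def binomial_pmf(k, n=N_RECIPIENTS, p=1 / SPACE):
    """P(exactly k hits) when each of n recipients matches with probability p."""
    return math.comb(n, k) * p ** k * (1 - p) ** (n - k)


def hit_distribution(max_k=4):
    """P(0 hits) .. P(max_k hits), followed by P(more than max_k hits).

    For n = 10,000 and p = 1/10,000 this is within rounding of Poisson(1):
    roughly 37%, 37%, 18%, 6%, 1.5%, and 0.37% for five or more.
    """
    probs = [binomial_pmf(k) for k in range(max_k + 1)]
    probs.append(1.0 - sum(probs))
    return probs


def draw_uniform(rng):
    """Last four digits set independently and uniformly at random."""
    return rng.randrange(SPACE)


def draw_skewed(rng, block_share=0.8):
    """Constructed non-uniform issuance: block_share of cards come from one
    sequential block, the rest are uniform over the whole space."""
    if rng.random() < block_share:
        return BLOCK_START + rng.randrange(BLOCK_SIZE)
    return rng.randrange(SPACE)


def simulate(strategy, draw, fixed_guess=BLOCK_START + 10, trials=60, seed=7):
    """Average number of hits per mailing of N_RECIPIENTS over `trials` mailings.

    strategy == "same":      one fixed guess goes to every recipient.
    strategy == "different": each recipient gets an independent random guess.
    `draw` supplies each recipient's real last four digits.
    """
    rng = random.Random(seed)
    total_hits = 0
    for _ in range(trials):
        for _ in range(N_RECIPIENTS):
            actual = draw(rng)
            guess = fixed_guess if strategy == "same" else rng.randrange(SPACE)
            total_hits += int(actual == guess)
    return total_hits / trials


if __name__ == "__main__":
    for k, p in enumerate(hit_distribution()):
        label = f"{k} hits" if k < 5 else "5+ hits"
        print(f"{label:>8}: {p:6.2%}")
    # Under uniform issuance both strategies average one hit per mailing.
    print("uniform, same guess   :", simulate("same", draw_uniform))
    print("uniform, diff guesses :", simulate("different", draw_uniform))
    # Under skewed issuance a guess inside the block does far better, a blind
    # guess outside it does worse, and per-recipient random guesses stay near
    # one hit: the gain comes only from knowing the distribution.
    print("skewed, guess in block:", simulate("same", draw_skewed))
    print("skewed, guess outside :", simulate("same", draw_skewed, fixed_guess=5000))
    print("skewed, diff guesses  :", simulate("different", draw_skewed))
```

With independent, uniformly distributed endings, sending one guess to everyone and sending a fresh guess to each recipient give the same Binomial(10000, 1/10000) hit count; the strategies only separate once issuance is non-uniform, and then only for a sender who knows which endings are common.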

10^4 possible combinations.

For each person you send mail to, you have a 1:10^4 chance of guessing the random four digit string correctly.

I wonder how many people would trust a fraudulent email that knew their routing number, or that claimed their routing number was actually their unique account number?

Perhaps a math person can clarify this.

- Matt
