
Since my luggage (and my family of course too) is ready to go on holiday, this web log is a quick and short one.

I’ve read about this Phishing Quiz the other day. It claims to test if you distinguish a fake Web site from a real one and returns your safety grade. Since I’m very much interested in everything concerning spam fighting (see my web logs concerning this matter), I was rather curious about my score:


8 out of 10 looks at first like a good result, but I’m not happy with it. It means that I was fooled 2 times and probably my personal/financial data will be misused and/or spread around for malicious use.
I claim in mitigation the fact that my wrong answers concerned US centric sites (which I will/can never use) and that, in my eyes, crucial information was left out. Maybe one did this deliberately. One needs to promote/sell services after all.

After you’ve done the test, it is explained why a site is genuine or not, although I don’t always agree with the arguments given. It could even mean that phishing is the purpose of this web log. Anyway, give it a try and check your score. It would be nice if you put your score as comment to this web log.


9 Comments


  1. Anton Wenzelhuemer
    wrong at
    – Bank of America
    – Chase
    – SSL

    the last wrong answer concerns me a little. got to work on that.

    Thanks Eddy for the pointer & Happy Holidays!

    anton

    (0) 
  2. Mike Bennett
    Eddy,

    Great blog, as per usual.  Thanks for the tip about this and know that I “only” caught 8 out of the 10 also.  As you said, good but not good enough.  Most of the sites (online-banking etc) I’ve never seen before so hey.

    Oh yes, there are thousands of Russian women madly in love w/ me so I’m told.  THAT I can believe!

    Enjoy your vacation and don’t be too grumpy.

    Peace,

    Mike Bennett

    (0) 
  3. Daniel Wroblewski
    Hi Eddy,

    OK, I got 10 out of 10 (hey, Eddy, you asked people to post their scores).

    I must admit that the first 2 were simple because you could see the URL, all but one of the others I actually went to the real site and compared the choices with a fine-toothed comb, and the last answer I took an educated guess (you knew the answer had to be false).

    I find the ways to tell if a site is a phishing site weird, since they mostly rely on finding small visual inconsistencies or grammatical errors. I would think that a good (or even mediocre) phisher could completely mimic a real site and, then, you could not distinguish them this way.

    There is a new thing I’ve seen where we get an email saying that someone has sent us an electronic greeting card. I was suspicious at first, and then when we got so many, I knew it was not real (we were never so popular).

    Daniel

    (0) 
  4. Anton Wenzelhuemer
    I have a question to those with 10/10 or close to it concerning the SSL spoofing question.
    Why is SSL unsecure?

    I researched it a bit and did only find

    a) the possibility where an invalid certificate is presented but the user simply neglects this, described e.g. here

    b) some rather old and long closed bugs in certain browsers

    but I didn’t find an actual reference to cases where valid certificates are presented by malicious sites.

    anton

    (0) 
    1. Eddy De Clercq Post author
      Anton,

      A certificate only guarantees secure communication between client and server. Nothing proves that the content on the server is not malicious.

      Eddy

      (0) 
  5. Dushyant Shetty
    Extremely interesting stuff!
    I got the Chase one wrong…
    I chose the wrong one because I thought a site that DOES NOT ask for a Social Security number along with personal details would be safer, turns out I was wrong because the fake McCoy had:
    1) Awkward phrasing at several locations
    2) Punctuation
    3) The inclusion of a real telephone number…
    OK, now this was meant for a predominantly English-speaking audience, but the Internet is not limited by boundaries of language and/or nationality…
    Now take a quick look at these “REAL” Indian Banking sites…
    Link 1
    Link 2
    and these “REAL” non-banking merchant sites…

    Link 3

    and examine them for their construction, use of punctuation, phrasing… and it quickly becomes obvious how challenging things can get when “REAL” sites don’t want to take the effort to look real enough!

    Dushyant Shetty

    (0) 
  6. Simon Scott
    Got the Chase site wrong
    And the last one – which is a bit worrying.

    Not sure I agree with the way they decide on how they determine fake sites.

    Regards,
    Simon

    (0) 
