Eddy De Clercq

A phish called Wanda

Since my luggage (and my family of course too) is ready to go on holiday, this web log is a quick and short one.

I read about this Phishing Quiz the other day. It claims to test whether you can distinguish a fake Web site from a real one and returns your safety grade. Since I’m very much interested in everything concerning spam fighting (see my web logs concerning this matter), I was rather curious about my score:

[image: quiz score]

8 out of 10 looks at first like a good result, but I’m not happy with it. It means that I was fooled 2 times and probably my personal/financial data will be misused and/or spread around for malicious use.
I claim in mitigation the fact that my wrong answers concerned US-centric sites (which I will/can never use) and that, in my eyes, crucial information was left out. Maybe one did this deliberately. One needs to promote/sell services after all.

After you’ve done the test, it is explained why a site is genuine or not, although I don’t always agree with the arguments given. It could even mean that phishing is the purpose of this web log. Anyway, give it a try and check your score. It would be nice if you put your score as a comment to this web log.

      9 Comments
      Former Member
      wrong at
      - Bank of America
      - Chase
      - SSL

      The last wrong answer concerns me a little. Got to work on that.

      Thanks Eddy for the pointer & Happy Holidays!

      anton

      Abesh Bhattacharjee
      The last question on SSL got me!
      Happy vacation Eddy 🙂
      Former Member
      Eddy,

      Great blog, as per usual.  Thanks for the tip about this and know that I "only" caught 8 out of the 10 also.  As you said, good but not good enough.  Most of the sites (online-banking etc) I've never seen before so hey.

      Oh yes, there are thousands of Russian women madly in love w/ me so I'm told.  THAT I can believe!

      Enjoy your vacation and don't be too grumpy.

      Peace,

      Mike Bennett

      Christian Loos
      Usually you can tell just by looking at the URL.
      Daniel Wroblewski
      Hi Eddy,

      OK, I got 10 out of 10 (hey, Eddy, you asked people to post their scores).

      I must admit that the first 2 were simple because you could see the URL, all but one of the others I actually went to the real site and compared the choices with a fine-toothed comb, and the last answer I took an educated guess (you knew the answer had to be false).

      I find the ways to tell if a site is a phishing site weird, since they mostly rely on finding small visual inconsistencies or grammatical errors. I would think that a good (or even mediocre) phisher could completely mimic a real site and, then, you could not distinguish them this way.

      There is a new thing I've seen where we get an email saying that someone has sent us an electronic greeting card. I was suspicious at first, and then when we got so many, I knew it was not real (we were never so popular).

      Daniel

      Former Member
      I have a question to those with 10/10 or close to it concerning the SSL spoofing question.
      Why is SSL insecure?

      I researched it a bit and did only find

      a) the possibility where an invalid certificate is presented but the user simply neglects this, described e.g. here

      b) some rather old and long closed bugs in certain browsers

      but I didn't find an actual reference to cases where valid certificates are presented by malicious sites.

      anton

      Eddy De Clercq
      Blog Post Author
      Anton,

      A certificate only guarantees secure communication between client and server. Nothing proves that the content on the server is not malicious.

      Eddy
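Christian's "look at the URL" advice and Eddy's point that a certificate only secures the channel can both be made concrete with a small URL inspector; this is an added example, not code from the original post or its comments. It pulls out the host the browser will really connect to (ignoring brand names stuffed into subdomains or into the userinfo part before an `@`), and records that HTTPS by itself says nothing about who owns that host. The trusted-domain list and the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: domains the reader actually banks with.
TRUSTED_DOMAINS = {"bankofamerica.com", "chase.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, or the address itself for a bare IPv4.
    Good enough for .com-style names; production code should consult the
    Public Suffix List so that e.g. co.uk is not treated as a domain."""
    labels = host.lower().rstrip(".").split(".")
    if all(label.isdigit() for label in labels):
        return host
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_url(url: str) -> dict:
    """Report what the browser will really connect to, and whether a trusted
    brand name appears in the URL text without owning the actual domain."""
    parts = urlsplit(url)
    host = parts.hostname or ""      # strips userinfo (user@), port and case
    domain = registrable_domain(host)
    # Brand names present in the URL that are not the real domain, e.g.
    # "www.bankofamerica.com.evil.example" or "www.chase.com@203.0.113.7".
    brand_lure = sorted(
        d for d in TRUSTED_DOMAINS
        if d.split(".")[0] in url.lower() and d != domain
    )
    return {
        "host": host,
        "domain": domain,
        "trusted": domain in TRUSTED_DOMAINS,
        # A valid certificate only means the connection to *this host* is
        # private; it does not vouch for the host's owner or its content.
        "https": parts.scheme.lower() == "https",
        "brand_lure": brand_lure,
        "userinfo_trick": parts.username is not None,
    }


if __name__ == "__main__":
    for sample in (  # constructed sample URLs
        "https://www.bankofamerica.com/login",
        "https://www.bankofamerica.com.secure-login.example/",
        "http://www.chase.com@203.0.113.7/verify",
    ):
        print(sample, "->", inspect_url(sample))
```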

      Dushyant Shetty
      Extremely interesting stuff!
      I got the Chase one wrong...
      I chose the wrong one because I thought a site that DOES NOT ask for a Social Security number along with personal details would be safer, turns out I was wrong because the fake McCoy had:
      1) Awkward phrasing at several locations
      2) Punctuation
      3) The inclusion of a real telephone number...
      OK, now this was meant for a predominantly English-speaking audience, but the Internet is not limited by boundaries of language and/or nationality...
      Now take a quick look at these "REAL" Indian Banking sites...
      Link 1
      Link 2
      and these "REAL" non-banking merchant sites...

      Link 3

      and examine them for their construction, use of punctuation, phrasing... and it quickly becomes obvious how challenging things can get when "REAL" sites don't want to take the effort to look real enough!

      Dushyant Shetty

      Former Member
      Got the Chase site wrong
      And the last one - which is a bit worrying.

      Not sure I agree with the way they decide how to determine fake sites.

      Regards,
      Simon