As promised, I’m getting back to you on the phishing subject and will divulge the correct answers for the challenge that I initiated in that previous weblog.
As said in the weblog, the screenshots aren’t that easy as they all look alike. To be honest, I tricked you a bit.
This is a real version of the SDN home page as it is before the login. Why does it look so different then? Remember the pimp up the jam Pimp up the jam: choose your favourite? I’m still using the Simperlify theme by Dries Horions which results in this screen
Again, this is a real version of the SDN home page before login. I must admit that I was in heaven when I saw this screen. Not that I like this kind of error, but these are typical of the sort of messages that you can expect to get on a fake site. Add this up with the above mentioned theme and you end up with a very suspicious looking screen. Maybe the SDN admins could provide a more self explanatory message when problems occur.
This is the normal version of the SDN home page before login.
None of the entries had 100% correct answers. So why is it so difficult to tell real from fake? Well import information is missing, namely the URL. It was my main point of criticism on the Phishing quiz that I mentioned in my earlier A phish called Wanda.
So what if we provide links? Can you then tell the difference between fake and real? Let’s have a look.
Link 1: http://www-sdn-sap-com.idizaai.be/index.htm points to a page which looks like the S(D)N forums page. This page is a fake. The important indicator is the URL.
First of all, a typical phishing site will try to imitate the original URL by putting the original URL in the domain of the phishing site. I’ve put hyphens, but a phishing site will make their own domain name as small as possible and put full stops between the subdomains.
Secondly, the real URL for the forums is http://www.sdn.sap.com/irj/sdn/forums. Note the http://www.sdn.sap.comhttp://www.sdn.sap.com/irj/sdn/forums at the end.
Thirdly when you click on the login, you would go to http://www-sdn-sap-com.idizaai.be/login.html. This might be a page that captures your userid and password, but in this case just redirects you to the genuine S(D)N main page.
Link 2: http://www-sdn-sap-com.idizaai.be/index.html looks rather similar to the URL of the first link. The only difference is that it’s not a fake. Why not? Well, it’s not the starting hyperlink that would make a site suspicious, although I admit that this URL doesn’t look very trustworthy.
It’s the end URL that counts. In this case the end result is nothing more than a redirect to the S(D)N logout. The SDN admins could make things more secure by not making the logout direct callable.
I received good answers for the link challenge, despite the fact that the supporting arguments weren’t always 100% correct.
I didn’t get that much feedback on this particular challenge, despite the fact that 76 ‘people’ visited the links in the earlier mentioned weblog. Now that gives me some rather mixed feelings. On the one hand I wish that more people had reacted. On the other hand, people clicked on the links not knowing what they would end up with, just taking my word for it that I wouldn’t infringe anybody’s privacy. Some (5!) people even clicked on the login button of the fake page, which was rather disquieting. That page might have saved critical info, which wasn’t the case in this particular example.