Half Of People Click Anything Sent To Them (arstechnica.com)
Want to know why phishing continues to be one of the most common security issues? Half of the people will click on anything without thinking twice. ArsTechnica reports: A study by researchers at a university in Germany found that about half of the subjects in a recent experiment clicked on links from strangers in e-mails and Facebook messages -- even though most of them claimed to be aware of the risks. The researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, led by FAU Computer Science Department Chair Dr Zinaida Benenson, revealed the initial results of the study at this month's Black Hat security conference. Simulated "spear phishing" attacks were sent to 1,700 test subjects -- university students -- from fake accounts. The e-mail and Facebook accounts were set up with the ten most common names in the age group of the targets. The Facebook profiles had varying levels of publicly accessible profile and timeline data -- some with public photos and profile photos, and others with minimal data. The messages claimed the links were to photos taken at a New Year's Eve party held a week before the study. Two sets of messages were sent out: in the first, the targets were addressed by their first name; in the second, they were not addressed by name, but more general information about the event allegedly photographed was given. Links sent resolved to a webpage with the message "access denied," but the site logged the clicks by each student.
Browser bugs (Score:1)
If "clicking on something" is all that it takes to infect your computer, then that is a really shitty crappy browser.
This is what happens (Score:5, Interesting)
This is what happens when browser makers hide the status bar, hide the location url/protocol and generally dumb down the location parts of the UI.
Removing those essential browsing elements is like removing street signs because everyone has a GPS. Bring back the status/url bars and educate people to know what their function is.
Re:This is what happens (Score:5, Insightful)
Yeah you're exactly right, the half of the population who click on anything would totally not do that if only they could see the protocol. Because that's what was keeping everyone safe for so many years back in the halcyon days of innocence when everyone used IE6 and malware was non-existent.
I don't think the URL field has been dumbed down at all, it hides things that you don't generally need to see (there's still an indicator if the page is secured or not, instead of expecting random people to know the difference between "http://" and "https://"), and it emphasizes things that are more important, like making the root domain stand out and writing the rest in a lighter shade. That actually helps people who got sent to facebook.com.pwned.net figure out which site they're actually on, it doesn't make anyone stupider. I can look at the URL and obviously tell that I'm on a subdomain of slashdot.org, because the root domain is written darker.
And the status bar? Really, grandma? Can you name a single browser that does not show the URL of a link that you're pointing to when you point at it? Why have an area of the UI dedicated to showing that, which isn't being used if you're not hovering over a link? If you're thinking of some other purpose of the status bar that we've lost without a replacement, just what sage advice do you think it was dispensing that we need to bring back?
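As an added illustration of the point made above about the darker root domain (example code, not part of the thread): a host is owned by its last labels, not its first, so facebook.com.pwned.net belongs to pwned.net. The suffix table and the trusted-domain list are constructed stand-ins, and the near-miss check goes slightly beyond the comment to cover the Bank0fAmerica.com style of deviation mentioned further down the thread.

```python
"""Added example (not from the thread): label a link target by its registrable
domain, the part of the host a modern URL bar highlights."""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; a real tool would load
# the full list (https://publicsuffix.org/) instead of this handful.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}

# Constructed list of sites the reader actually trusts (registrable domains).
TRUSTED = {"facebook.com", "bankofamerica.com", "slashdot.org"}


def hostname(url: str) -> str:
    """Lower-case host with any trailing dot removed ('' if there is none)."""
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(url: str) -> str:
    """Owner-identifying domain: 'facebook.com.pwned.net' -> 'pwned.net'."""
    labels = hostname(url).split(".")
    # Try the longest public suffix first so 'co.uk' wins over 'uk'.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one substitution, insert or delete."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) < len(b):
        a, b = b, a  # a is now the longer (or equal-length) string
    i = j = 0
    edited = False
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        if edited:
            return False
        edited = True
        i += 1  # skip the extra or substituted character in a
        if len(a) == len(b):
            j += 1  # substitution: advance both strings
    return True


def classify_link(url: str, trusted=TRUSTED) -> str:
    """Label a link target relative to the trusted registrable domains."""
    dom = registrable_domain(url)
    if dom in trusted:
        return "trusted"
    labels = hostname(url).split(".")
    for t in sorted(trusted):
        brand = t.split(".")[0]
        if brand in labels:            # brand name used as a subdomain label
            return "lookalike-subdomain"
        if within_one_edit(dom, t):    # e.g. a zero swapped in for an 'o'
            return "lookalike-nearmiss"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://news.slashdot.org/story/1",
              "https://facebook.com.pwned.net/photos",
              "somenefariousprotocol://Bank0fAmerica.com",
              "https://bankofamerica.com./"):
        print(f"{u:45} -> {registrable_domain(u):20} {classify_link(u)}")
```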
Re: (Score:2)
To be fair, some of us click the links within a VM just to see what kind of nastiness is hiding on the other end.
As for the status bar, simple javascript can keep it covered with something else... or do you not remember the scrolling ticker tape status bars on the pages of the late 90s and early 00s?
Re: (Score:2)
That's dwarfed by other nasty Javascript effects, such as inhibiting right-clicks, moving/shaking the browser window, making popups, modal alert() loops that require restarting the browser, etc.
In any case, Firefox finally added a checkbox somewhere in 1.x to prevent Javascript from doing the most common annoyances. A little on the late side, but at least it can get stopped.
Re: (Score:2)
Can you name a single browser that does not show the URL of a link that you're pointing to when you point at it?
To be fair, most pages use Javascript to handle links, so even the damn Back button doesn't work anymore, let alone the status bar.
Another innovation of modern "apps."
Re: (Score:2)
I don't think that I've ever seen that, though I'll be looking for it in the future.
"most sites"? Really? Got any numbers to back that up? Or do you mean "most sites that I use" (checks: it's not an AC comment), which may be a very different thing.
Re: (Score:2)
Browser makers need to take a much stronger position on removing/limiting stupid web technologies.
Flash should have died years ago. Audio should default to off with a per-site permission required, and no audio from 3rd party sources. Javascript should have features like pop-up dialogues and on-click removed, or at least limited to trusted sites. Redirects should require confirmation from the user. Cookies should default to blocked. AdBlocking should be standard, and probably block most 3rd party content too.
Re: (Score:2)
Audio should default to off with a per-site permission required, and no audio from 3rd party sources. Javascript should have features like pop-up dialogues and on-click removed, or at least limited to trusted sites. Redirects should require confirmation from the user. Cookies should default to blocked.
If all of those suggestions were implemented then the very first thing that people would want to do when they start a browser on a new computer is to go enable everything so that websites work again. The #1 search terms would all involve "how do I change my browser so websites work", and then we're right back to the start.
I'm sorry if you're personally annoyed that web pages are able to play audio, but it was added in HTML 5 for a reason. I don't think that audio is an inherent security threat.
Hardly any
Re: (Score:2)
Yeah you're exactly right, the half of the population who click on anything would totally not do that if only they could see the protocol. Because that's what was keeping everyone safe for so many years back in the halcyon days of innocence when everyone used IE6 and malware was non-existent.
Even if you're dumb enough to click anything and everything, your brain is pretty good at pattern matching. Even the worst offenders when it comes to irresponsible computer usage generally at least subconsciously notice when a URL says something like somenefariousprotocol://Bank0fAmerica.com instead of https://bankofamerica.com./ [bankofamerica.com.] Speaking from some pretty extensive experience scamming people in EvE Online, I can tell you that even the slightest deviation from what's expected by the target (even if it's not
Re: (Score:2)
What "nefarious protocol" are you referring to? And, for that matter, why the hell are browser vendors adding support for things that are clearly nefarious?
Scammers use HTTP/HTTPS, why do they need to even use another protocol?
Re: (Score:2)
What "nefarious protocol" are you referring to?
I have no idea, you were talking about protocols so I thought you had something in mind. Replace it with whatever other slightly off looking malicious link you'd like if it makes more sense that way.
Re: (Score:2)
There's nothing about a URL that I 'don't need to see'.
I completely understand that, I often find myself browsing web pages and wondering "wait a second, is this web page being served to me over the gopher protocol, or NNTP?" And then, because I understand that I can actually change settings in my browser, I go to the settings page and check the box to show the full URL and think to myself "oh wow! It turns out that this web page is actually served using the hyper text transfer protocol, I totally wasn't expecting that!"
Show me fancy highlighting and crap and as an attacker the first thing I'm going to do is figure out how to highlight things
OK, then I guess the world is waiting f
Re: (Score:2)
Mobile doesn't really have a hover event either, at least not until phones can detect the presence of your finger pointing at something before you touch the screen. There's not really a way to enable that for mobile at all (status bar or no) other than showing the URL you just clicked on and requiring a confirmation to go there, which isn't something that people would accept. In addition to doubling the number of clicks that browsing requires, it's again going to lead to the situation where people blindly
Re: (Score:2)
Mobile doesn't really have a hover event either, at least not until phones can detect the presence of your finger pointing at something before you touch the screen. There's not really a way to enable that for mobile at all (status bar or no)
I've seen this implemented on my browser on my android phone using the standard built-in browser, whatever came with Android 4.4. If I click and hold somewhere on a webpage, it'll pop up a context menu AND it acts like a hover. I hit 'back' to get rid of the context menu, and the end result is I got a hover without a click. It's clunky and slow, but it works.
Re: (Score:1)
Yeah, no. People will click regardless; I've seen people go through hoops to be able to access links sent to them that first the email client, then the antivirus, then the web browser all tried to stop them.
People are stupid; it doesn't matter how much information you give them or don't give them, they will click.
Re: (Score:2)
This is what happens when browser makers hide the status bar, hide the location url/protocol and generally dumb down the location parts of the UI.
Removing those essential browsing elements is like removing street signs because everyone has a GPS. Bring back the status/url bars and educate people to know what their function is.
This also happens because companies use 3rd-party email providers, which cause email links for banks and credit card companies to point to some3rdparty.com instead of the bank itself.
I regularly forward that crap back to the bank's spam/phishing prevention email address. I always start the email with something like "this looks like a phishing attempt."
Re: (Score:2)
You have a bank that conducts business by EMAIL ??? Who the hell are they, so I can avoid them?
Personally, I much prefer to check out my bank's security by kicking the bottom of the door as I walk in, to check if it sounds rotten. I do log onto my bank account every month or three - in fact I'll need to do it on Monday night -
Re: (Score:2)
You have a bank that conducts business by EMAIL ??? Who the hell are they, so I can avoid them?
Is it really that bad for a bank to send an email alert that a payment is due? Or that this month's electronic statement is available?
I don't think so.
This is what happens when browser makers hide the status bar, hide the location url/protocol and generally dumb down the location parts of the UI.
Removing those essential browsing elements is like removing street signs because everyone has a GPS. Bring back the status/url bars and educate people to know what their function is.
left-half right-half
or
top-half, bottom-half
Half the people, ehh
Both Firefox and Chrome pop up the link destination when you hover over a link. It's just like having the status bar, but it doesn't take up space when you don't need it.
Totally agree (Score:2)
Agreed, that is why you override that setting and unhide registered file types, and show system files, in addition to showing the status bar on your browser and explorer. I have to ask was it Micro$loth that first hid extensions or crApple, I genuinely don't remember but it seemed a bad decision either way.
Re: (Score:2)
Pre-OSX MacOS files had two four-byte identifiers, for file type and subtype. Applications (to be run) had 'APPL' in the file type and the application name in the subtype. Other files would have the application name that created them or would run them in the type, and what they individually were in the subtype. Post-OSX, file names did have extensions, but the extensions did not determine what could execute, that being determined by the permission bits.
It was a long time ago, but I believe CP/M figure
Ahh thank-you (Score:2)
Thanks for the info. It makes much more sense when you explain it that way and still sounds more secure. Cheers and have a good day.
> The icon tells you the extension type.
Uhmmm... not always. If someone is malicious enough to write/deploy malware, they're malicious enough to tamper with the program icon. And, yes, you can edit/replace the default icon of a program http://stackoverflow.com/quest... [stackoverflow.com] The developer is asking on stackoverflow about getting a custom icon to display on the executable. Sticking in a "textfile" or "pdf" icon into an exe file is relatively easy.
Re: (Score:2)
Color me surprised (Score:5, Funny)
Half Of People Click Anything Sent To Them
Actually 49.5% of people click anything sent to them, another 49.5% double click anything sent to them. The remaining 1% are nerds who know better.
Re: (Score:3)
And to riff off an old tech support joke, they're called foot pedals, not mice.
If you've never heard that one, here it is with a few others. [mistupid.com] I literally got the "Press Any Key" one working tech support, so yes I believe them. Compaq offered free tech support in the early days and people would call them for all kinds of reasons without actually trying anything, so that doesn't surprise me at all. Note I didn't work for Compaq, I did tech support contracting work for Bell Atlantic and we had a business relati
Re: (Score:2)
And to riff off an old tech support joke, they're called foot pedals, not mice.
Unrelated to the discussion thread but completely related to that anecdote: I knew an electrical engineer with bad carpal tunnel who made a foot pedal for clicking the mouse buttons. He also stripped the guts from a gyro mouse and mounted them on a headset. I think the controls were basically left foot to click, right foot to tell the gyro mouse to start tracking, and then he'd hunt and peck type holding a stylus in each fist. Watching him operate his computer was hilarious. His head would be twitching and
Re: Color me surprised (Score:2)
I believe that, because the percentage of actual Linux desktop users represents a rounding error in most surveys. Last I looked, Windows ME was still more popular/prevalent as a desktop OS than Linux.
People actually click on email links? (Score:5, Insightful)
I actually get really frustrated because 99% of all email links cannot be clicked because of embedded tracking information. It makes pretty much any email newsletter/update/etc. completely useless. I spend far too much time going to a website and finding something I want to look at, all because I refuse to click on a link that contains tracking information. I can't believe so many people, especially students, are dumb enough to do this. And yet, I can believe it. It's just sad.
Re: (Score:1)
Mailchimp. 99% of the time the person doing the tracking is the person who sent you the email, from the list that you signed up for, and the link usually points to their own site. The bulk mailer being used automatically does the link replacement.
Curious, do you use google.com? Note the cloaked tracking on every link in their search results. Don't like that? (I don't) Use duckduckgo.com (and let the Russians have the info instead).
So, um, yeah.
Re: (Score:1)
So you've willingly given your email address X to a website and expressed an interest in subject Y in doing so (thus linking X and Y), yet you won't click a convenient link that pretty much only re-affirms that initial X-Y link because...?
Re: (Score:2)
Hmmm, an option that might be useful could be mapping (some control key + CLICK) to "present URL in editable window and then follow link after editing".
I regularly chop off all that tracking shit when forwarding links to people. It does get tedious after a time.
Re: (Score:2)
Clean Links (https://addons.mozilla.org/en-US/firefox/addon/clean-links/) is a great help for that, but it's not perfect. So many email links aren't in a form that you can manually clean, they just reference their tracking IDs, which have to be redirected server-side.
Re:Sheep are among us (Score:4, Informative)
High school students are told that Pavlov taught dogs how to drool with a bell, because it sounds nice. In reality Pavlov drilled holes into dogs' stomachs and stuck a catheter in there through their abdominal walls, and measured the pH and enzyme content of gastric secretions when he rang the bell. Needless to say the dogs died after the experiment.
It can be exhilarating to know that common knowledge is wrong, and you know the truth, but in this case, you are the one who is wrong. Pavlov did research on the digestive system, which used catheters as you described. However, when it came to his conditioning research, drooling was the quantitative result that was recorded. And he did use a bell, as well as other stimuli.
You insensitive clod! (Score:2)
I can't click anything! I read my e-mail with elm.
Re: (Score:2)
I can't click anything! I read my e-mail with elm.
Pine is not elm.
Not a completely accurate check (Score:1)
Did they test for people who did "due diligence" before going to the site then, seeing no known threat, click anyway?
Did they test for people who went back and re-visited the sites with the "bad" links on them using a testbed/honeypot environment then "clicked through" to the "bad" site?
Re: (Score:1)
No. No they didn't. Because, whom the fuck would do that??!!!
Re: (Score:2)
No. No they didn't. Because, whom the fuck would do that??!!!
Who would do that. Whom told you to write it like that?
Re: (Score:2)
The average IQ is 100, which means half the population has a lower IQ than 100. Learning and retaining computer security is not easy; in fact, logically, all those below, say, 120 struggle with it. Want secure systems? Take out the flexibility and ensure they can only do what they were designed to do in the manner they were designed to do it. For most people, they need computers to be like other fixed electrical appliances; that is just the way it is.
You aren't aware that most of experimental psychology is the psychology of Western college freshmen taking psychology courses? (Yes, this is a big problem.)
Imagine the stupidity of the average person (Score:5, Funny)
Imagine the stupidity of the average person -- then realize that half of them are dumber than that.
Re: (Score:1)
Imagine the stupidity of the average person -- then realize that half of them are dumber than that.
Some of them are even dumb enough to think that "average" and "median" are the same thing.
Re: (Score:2)
Some of them are even dumb enough to think that "average" and "median" are the same thing.
And some are even too dumb to know that in a normal distribution, they are.
Re: (Score:2)
And some are even too dumb to know that in a normal distribution, they are.
IQ is normalized (by definition), but we are talking about stupidity, which is the reciprocal of intelligence. The inverse of a normalized function is not another normalized function. You can see this in practice: there are a lot more really stupid people than really intelligent people. The distribution is skewed.
Re:Imagine the stupidity of the average person (Score:5, Insightful)
Some are even dumb enough to think that "average" only means "mean", and that a median isn't a kind of average...
Re: (Score:1)
Some are even dumb enough to think that "average" only means "mean", and that a median isn't a kind of average...
Oh, if only I had mod points, never when I need them most. Please upvote this if you have some; I'm getting tired of people thinking just that. From an assumed majority science/IT educated community it worries me.
Re:Imagine the stupidity of the average person (Score:5, Insightful)
The majority of people believe in an invisible friend in the sky.
Re: (Score:3)
The majority of people believe in an invisible friend in the sky.
And is that being stupid? I mean, they're wrong, but the vast majority of people are wrong about all kinds of things, particularly as displayed in optimism and overconfidence. (In fact, religion is a subset of optimism and overconfidence.) And yet, though many studies show cynical depressed people tend to be more accurate than happy optimists, I wouldn't call them smarter.
People are irrational, but smart irrational people can deal with their irrationality (often by using irrational means).
Re: (Score:3)
The majority of people believe in an invisible friend in the sky.
And is that being stupid?
Yes.
Re: (Score:3)
Sanity is defined by the norm, not by what is rational. Few people believe in leprechauns and green men from Mars, so people who genuinely do are considered outside the norm and probably mentally ill. On the other hand, lots of people believe in some kind of omnipotent, invisible, magical being(s) so despite there being about an equal amount of evidence as there is for the leprechauns it's considered perfectly normal, good even.
Re: (Score:2)
Actually, no. The majority of people believe in God*, but God is not normally envisioned as invisible or in the sky.
*A slight majority of humanity is Christian or Muslim, and there are some other monotheistic beliefs.
I don't have to imagine; I'm seeing it right here.
Re: (Score:2)
About half, eh? (Score:5, Funny)
I think we know the punchline (Score:1)
The other half are liars, right?
Solution (Score:2)
Goatse cured me of that habit.
In Soviet Russia (Score:2)
Half of all web browsers CLICK YOU.
We're okay! (Score:2)
Slashdotters never RTFA, so we're good.
Click? (Score:5, Insightful)
If by "click", you mean having an automated tool running inside of a VM scan URLs inside of emails to determine their contents before allowing the email to pass through to my inbox? Then sure!
In other words, their definition of a "click" is honestly far too loose.
Also, of the percent that "didn't click", how many of those messages were properly caught by spam filtration systems?
Really, this isn't a study about click through rates at all, more like someone having a predetermined subject they want to publish, and building a "test" around it to make it look a certain way.
But (Score:2)
100% of us clicked on this story's comment section. Suckers.
how come (Score:2)
how come my employer gets 90% of their people from the dumber half of the populace?
For even more fun, put a "Try Again" button (Score:3)
beneath the "access denied" and watch a few of them try for 10 minutes straight to load it by clicking again and again, then leave it open and tap it once or twice a day for two weeks before giving up.
I know a couple people like this. You ask, "But what if the link is malware?" and they respond with "But what if it's something great?"
On a similar note, I once sent a bad link by accident to a person who was in college at the time. I then sent a follow up email saying, "Sorry, bad link. Try this one."
They then called me an hour later to say that they kept trying the first link I'd sent, but couldn't get it to load, and asked if there was anything I could do to help. I said, "But I thought I mentioned—that was a broken link, it doesn't work. I sent the right one!" And they responded with a variation on the above—"I know, but you never know, maybe I'd like it! I'd at least like to see it!"
Well (Score:2)
Re: (Score:2)
Half of people click on these rubbish articles too. Is this the slashdot I used to know?
Yes: it was always like this.
Clickbait and switch (Score:2)
Re: (Score:2)
I came here to say exactly this! 1700 college students does not a representative population make...
Re: (Score:2)
Text browsers? (Score:2)
I do.. (Score:2)
I do click - I right-click on most everything that arrives in my inbox, just to see where it leads.
But I believe it - here in America, nearly half of all Americans vote for [Democrats|Republicans] without giving it a second thought...
0.00001% chance of imagined success (Score:2)
MileyAndTayTayDoingIt.exe
Hmmmmmm...if it is true, worth it!
Sample bias (Score:2)
Re: (Score:1, Troll)
Its true. [goatse.cx]
(the only people likely to click your link either don't know goatse, or want to have another look at it!)
Both will be disappointed. The joke *depends* on slashdot showing the domain.
The goatse.cx website has been shut down long ago. Go see for yourself. I dare you :-) Look at the reflection in a polished shield like Perseus, if you don't trust a random internet stranger.
make the link look like a cute kitty cat curled up with a computer mouse with a caption: "click me"
I tried your "click me", but it doesn't seem to be working.
Do I need to upgrade to Windows 10 to see the kitty?