Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security IT

Half Of People Click Anything Sent To Them (arstechnica.com) 156

Want to know why phishing continues to be one of the most common security issue? Half of the people will click on anything without thinking twice ArsTechnica reports: A study by researchers at a university in Germany found that about half of the subjects in a recent experiment clicked on links from strangers in e-mails and Facebook messages -- even though most of them claimed to be aware of the risks. The researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, led by FAU Computer Science Department Chair Dr Zinaida Benenson, revealed the initial results of the study at this month's Black Hat security conference. Simulated "spear phishing" attacks were sent to 1,700 test subjects -- university students -- from fake accounts. The e-mail and Facebook accounts were set up with the ten most common names in the age group of the targets. The Facebook profiles had varying levels of publicly accessible profile and timeline data -- some with public photos and profile photos, and others with minimal data. The messages claimed the links were to photos taken at a New Year's Eve party held a week before the study. Two sets of messages were sent out: in the first, the targets were addressed by their first name; in the second, they were not addressed by name, but more general information about the event allegedly photographed was given. Links sent resolved to a webpage with the message "access denied," but the site logged the clicks by each student.
This discussion has been archived. No new comments can be posted.

Half Of People Click Anything Sent To Them

Comments Filter:
  • by Anonymous Coward

    If "clicking on something" is all that it takes to infect your computer, then that is a really shitty crappy browser.

  • This is what happens (Score:5, Interesting)

    by Anonymous Coward on Wednesday August 31, 2016 @06:39PM (#52805539)

    This is what happens when browser makers hide the status bar, hide the location url/protocol and generally dumb down the location parts of the UI.

    Removing those essential browsing elements are like removing streets signs because everyone has a GPS, bring back the status/url bars and educate people to know what their function is.

    • by amicusNYCL ( 1538833 ) on Wednesday August 31, 2016 @07:20PM (#52805743)

      Yeah you're exactly right, the half of the population who click on anything would totally not do that if only they could see the protocol. Because that's what was keeping everyone safe for so many years back in the halcyon days of innocence when everyone used IE6 and malware was non-existent.

      I don't think the URL field has been dumbed down at all, it hides things that you don't generally need to see (there's still an indicator if the page is secured or not, instead of expecting random people to know the difference between "http://" and "https://"), and it emphasizes things that are more important, like making the root domain stand out and writing the rest in a lighter shade. That actually helps people who got sent to facebook.com.pwned.net figure out which site they're actually on, it doesn't make anyone stupider. I can look at the URL and obviously tell that I'm on a subdomain of slashdot.org, because the root domain is written darker.

      And the status bar? Really, grandma? Can you name a single browser that does not show the URL of a link that you're pointing to when you point at it? Why have an area of the UI dedicated to showing that, which isn't being used if you're not hovering over a link? If you're thinking of some other purpose of the status bar that we've lost without a replacement, just what sage advice do you think it was dispensing that we need to bring back?

      • To be fair, some of us click the links within a VM just to see what kind of nastiness is hiding on the other end.

        As for the status bar simple javascript can keep it covered with something else... or do you not remember the scrolling ticker tape status bars on the pages of the late 90s and early 00s?

        • by Sigma 7 ( 266129 )

          do you not remember the scrolling ticker tape status bars on the pages of the late 90s and early 00s?

          That's dwarfed by other nasty Javascript effects, such as inhibiting right-clicks, move/shake the browser window, make popups, modal alert() loops that require restarting the browser, etc.

          In any case, Firefox finally added a checkbox somewhere in 1.x to prevent Javascript from doing the most common annoyances. A little on the late side, but at least it can get stopped.

      • Can you name a single browser that does not show the URL of a link that you're pointing to when you point at it?

        To be fair, most pages use Javascript to handle links, so even the damn Back button doesn't work anymore, let alone the status bar.

        Another innovation of modern "apps."

        • To be fair, most pages use Javascript to handle links, so even the damn Back button doesn't work anymore, let alone the status bar.

          I don't think that I've ever seen that, though I'll be looking for it in the future.

          "most sites"? Really? got any numbers to back that up? Or do you mean "most sites that I use" (checks : it's not an AC comment), which may be a very different thing.

      • by AmiMoJo ( 196126 )

        Browser makes need to take a much stronger position on removing/limiting stupid web technologies.

        Flash should have died years ago. Audio should default to off with a per-site permission required, and no audio from 3rd party sources. Javascript should have features like pop-up dialogues and on-click removed, or at least limited to trusted sites. Redirects should require confirmation from the user. Cookies should default to blocked. AdBlocking should be standard, and probably block most 3rd party content too.

        • Audio should default to off with a per-site permission required, and no audio from 3rd party sources. Javascript should have features like pop-up dialogues and on-click removed, or at least limited to trusted sites. Redirects should require confirmation from the user. Cookies should default to blocked.

          If all of those suggestions were implemented then the very first thing that people would want to do when they start a browser on a new computer is to go enable everything so that websites work again. The #1 search terms would all involve "how do I change my browser so websites work", and then we're right back to the start.

          I'm sorry if you're personally annoyed that web pages are able to play audio, but it was added in HTML 5 for a reason. I don't think that audio is an inherent security threat.

          Hardly any

      • Yeah you're exactly right, the half of the population who click on anything would totally not do that if only they could see the protocol. Because that's what was keeping everyone safe for so many years back in the halcyon days of innocence when everyone used IE6 and malware was non-existent.

        Even if you're dumb enough to click anything and everything, your brain is pretty good at pattern matching. Even the worst offenders when it comes to irresponsible computer usage generally at least subconsciously notice when a URL says something like somenefariousprotocol://Bank0fAmerica.com instead of https://bankofamerica.com./ [bankofamerica.com.] Speaking from some pretty extensive experience scamming people in EvE Online, I can tell you that even the slightest deviation from what's expected by the target (even if it's not

        • What "nefarious protocol" are you referring to? And, for that matter, why the hell are browser vendors adding support for things that are clearly nefarious?

          Scammers use HTTP/HTTPS, why do they need to even use another protocol?

          • What "nefarious protocol" are you referring to?

            I have no idea, you were talking about protocols so I thought you had something in mind. Replace it with whatever other slightly off looking malicious link you'd like if it makes more sense that way.

    • by Anonymous Coward

      Yeah, no. People will click regardless, I've seen people go through hoops to be able to access links sent to them that first the email client, then the antivirus, then the web browser all tried to stop them.

      People are stupid, it doesn't matter how much information you give them or don't give them, they will click.

    • This is what happens when browser makers hide the status bar, hide the location url/protocol and generally dumb down the location parts of the UI.

      Removing those essential browsing elements are like removing streets signs because everyone has a GPS, bring back the status/url bars and educate people to know what their function is.

      This also happens because companies use 3rd-party email providers, which cause email links for banks and credit card companies to point to some3rdparty.com instead of the bank itself.

      I regularly forward that crap back to the bank's spam/phishing prevention email address. I always start the email with something like "this looks like a phishing attempt."

      • This also happens because companies use 3rd-party email providers, which cause email links for banks and credit card companies to point to some3rdparty.com instead of the bank itself.

        You have a bank that conducts business my EMAIL ??? Who the hell are they, so I can avoid them?

        Personally, I much prefer to check out my bank's security by kicking the bottom of the door as I walk in, to check if it sounds rotten. I do log onto my bank account every month or three - in fact I'll need to do it on Monday night -

        • This also happens because companies use 3rd-party email providers, which cause email links for banks and credit card companies to point to some3rdparty.com instead of the bank itself.

          You have a bank that conducts business my EMAIL ??? Who the hell are they, so I can avoid them?

          Is it really that bad for a bank to send an email alert that a payment is due? Or that this month's electronic statement is available?

          I don't think so.

    • Comment removed based on user account deletion
    • This is what happens when browser makers hide the status bar, hide the location url/protocol and generally dumb down the location parts of the UI.

      Removing those essential browsing elements are like removing streets signs because everyone has a GPS, bring back the status/url bars and educate people to know what their function is.

      left-half right-half

      or

      top-half, bottom-half

      Half the people, ehh

    • by AK Marc ( 707885 )
      The problem is that there isn't GPS to cover. If every link you hovered over that "looked" like a URL, but had an underlying URL that didn't match were highlighted in red, that would be better. But because so many things have redirects, cross site ads and things, nobody wanted to let the unwashed masses know what a real mess the Internet is. So we get everything cleaned, hidden, and looking nice, even when everyone's doing worst practices all day long.
    • Both Firefox and Chrome pop up the link destination when you hover over a link. It's just like having the status bar, but it doesn't take up space when you don't need it.

  • by Feral Nerd ( 3929873 ) on Wednesday August 31, 2016 @06:41PM (#52805557)

    Half Of People Click Anything Sent To Them

    Actually 49.5% of people click anything sent to them, another 49.5% double click anything sent to them. The remaining 1% are nerds who know better.

  • by hackel ( 10452 ) on Wednesday August 31, 2016 @06:43PM (#52805565) Journal

    I actually get really frustrated because 99% of all email links cannot be clicked because of embedded tracking information. It makes pretty much any email newsletter/update/etc. completely useless. I spend far too much time going to a website and finding something I want to look at, all because I refuse to click on a link that contains tracking information. I can't believe so many people, especially students, are dumb enough to do this. And yet, I can believe it. It's just sad.

    • Usually just removing the final GET part with an ID gives you the same page, without reference tracking (e.g. the ad-story below about lenovo is "http://news.lenovo.com/news-releases/lenovo-reveals-yoga-book-2-in-1-tablet-for-productivity-and-creativity.htm?CID=ww:lenovosocial:r5kzwy", remove the CID part and no more tracking). Then use Ghostery to disable all necessary trackers
    • by Anonymous Coward

      Mailchimp. 99% of the time the person doing the tracking is the person who sent you the email, from the list that you signed up for, and the link usually points to their own site. The bulk mailer being used automatically does the link replacement.

      Curious, do you use google.com? Note the cloaked tracking on every link in their search results. Don't like that? (I don't) Use duckduckgo.com (and let the Russians have the info instead).

      So, um, yeah.

    • by Anonymous Coward

      So you've willingly given your email address X to a website and expressed an interest in subject Y in doing so (thus linking X and Y), yet you won't click a convenient link that pretty much only re-affirms that initial X-Y link because...?

    • I actually get really frustrated because 99% of all email links cannot be clicked because of embedded tracking information.

      Hmmm, An option that might be useful could be mapping (some control key+ CLICK) to "present URL in editable window and then follow link after editing".

      I regularly chop of all that tracking shit when forwarding links to people. It does get tedious after a time.

      • by hackel ( 10452 )

        Clean Links (https://addons.mozilla.org/en-US/firefox/addon/clean-links/) is a great help for that, but it's not perfect. So many email links aren't in a form that you can manually clean, they just reference their tracking IDs, which have to be redirected server-side.

        • Oh, links you RECEIVE in email. I don't think I've seen that as a problem in either Yahoo or Gmail. Hotmail is a terminal mail service for me - mail in, nothing out by mail, but no I don't see that problem there either. Plenty of spam, but not that problem. I get a mail from my electronics supplier, and I open a new tab, type in the suppliers home page, and then log in. No problems that I see.
  • I can't click anything! I read my e-mail with elm.

  • Did they test for people who did "due diligence" before going to the site then, seeing no known threat, click anyway?

    Did they test for people who went back and re-visited the sites with the "bad" links on them using a testbed/honeypot environment then "clicked through" to the "bad" site?

    • by Anonymous Coward

      No. No they didn't. Because, whom the fuck would do that??!!!

      • by Dunbal ( 464142 ) *
        No one, but there's always a smart-ass who says he would have, if he had actually bothered to visit the site.
      • No. No they didn't. Because, whom the fuck would do that??!!!

        Who would do that. Whom told you to write it like that?

    • by rtb61 ( 674572 )

      The average IQ is 100, which means half the population has a lower IQ than 100. Learning and retaining computer security is not easy, in fact logically all those below, say 120, struggle with it. Want secure systems, take out the flexibility and ensure they can only do what they were designed to do in the manner they were designed to do it. For most people, the need computers to be like other fixed electrical appliances, that is just the way it is.

      • So they need Chromebooks, something dumbed down that can do everything 80% of our customers want to do, surf and read email. Self updating is nice also.
  • by penguinoid ( 724646 ) on Wednesday August 31, 2016 @06:47PM (#52805605) Homepage Journal

    Imagine the stupidity of the average person -- then realize that half of them are dumber than that.

    • Imagine the stupidity of the average person -- then realize that half of them are dumber than that.

      Some of them are even dumb enough to think that "average" and "median" are the same thing.

      • Some of them are even dumb enough to think that "average" and "median" are the same thing.

        And some are even too dumb to know that in a normal distribution, they are.

        • And some are even too dumb to know that in a normal distribution, they are.

          IQ is normalized (by definition), but we are talking about stupidity, with is the reciprocal of intelligence. The inverse of a normalized function is not another normalized function. You can see this in practice: There are a lot more really stupid people than really intelligent people. The distribution is skewed.

           

      • by Pfhorrest ( 545131 ) on Wednesday August 31, 2016 @10:09PM (#52806249) Homepage Journal

        Some are even dumb enough to think that "average" only means "mean", and that a median isn't a kind of average...

        • by K10W ( 1705114 )

          Some are even dumb enough to think that "average" only means "mean", and that a median isn't a kind of average...

          oh if only I had mod points, never when I neeed them most. Please upvote this if you have some, getting tired of people thinking just that. From assumed majority science/IT educated community it worries me

    • dumb != uneducated
    • by hondo77 ( 324058 )
      Imagine citing George Carlin [youtube.com] for that quote.
    • by hambone142 ( 2551854 ) on Wednesday August 31, 2016 @10:14PM (#52806265)

      The majority of people believe in an invisible friend in the sky.

      • The majority of people believe in an invisible friend in the sky.

        And is that being stupid? I mean, they're wrong, but the vast majority of people are wrong about all kinds of things, particularly as displayed in optimism and overconfidence. (In fact, religion is a subset of optimism and overconfidence.) And yet, though many studies show cynical depressed people tend to be more accurate than happy optimists, I wouldn't call them smarter.

        People are irrational, but smart irrational people can deal with their irrationality (often by using irrational means).

      • by AmiMoJo ( 196126 )

        Sanity is defined by the norm, not by what is rational. Few people believe in leprechauns and green men from Mars, so people who genuinely do are considered outside the norm and probably mentally ill. On the other hand, lots of people believe in some kind of omnipotent, invisible, magical being(s) so despite there being about an equal amount of evidence as there is for the leprechauns it's considered perfectly normal, good even.

      • Actually, no. The majority of people believe in God*, but God is not normally envisioned as invisible or in the sky.

        *A slight majority of humanity is Christian or Muslim, and there are some other monotheistic beliefs.

      • Only in some countries with remarkably stupid populations.
    • by mwvdlee ( 775178 )

      I don't have to imagine; I'm seeing it right here.

    • Mr. Carlin? Is that you?
  • by Dunbal ( 464142 ) * on Wednesday August 31, 2016 @06:53PM (#52805635)
    Those are the people we put on the "B" Ark.
  • The other half are liars, right?

  • Goatse cured me of that habit.

  • Half of all web browsers CLICK YOU.

  • Slashdotters never RTFA, so we're good.

  • Click? (Score:5, Insightful)

    by darkain ( 749283 ) on Wednesday August 31, 2016 @08:07PM (#52805913) Homepage

    If by "click", you mean having an automated tool running inside of a VM scan URLs inside of emails to determine their contents before allowing the email to pass through to my inbox? Then sure!

    In other words, their definition of a "click" is honestly far too loose.

    Also, of the percent that "didn't click", how many of those messages were properly caught by spam filtration systems?

    Really, this isn't a study about click through rates at all, more like someone having a predetermined subject they want to publish, and build a "test" around it to make it look a certain way.

  • 100% of us clicked on this story's comment section. Suckers.

  • how come my employer gets 90% of their people from the dumber half of the populace?

  • by aussersterne ( 212916 ) on Wednesday August 31, 2016 @09:36PM (#52806173) Homepage

    beneath the "access denied" and watch a few of them try for 10 minutes straight to load it by clicking again and again, then leave it open and tap it once or twice a day for two weeks before giving up.

    I know a couple people like this. You ask, "But what if the link is malware?" and they respond with "But what if it's something great?"

    On a similar note, I once sent a bad link by accident to a person who was in college at the time. I then sent a follow up email saying, "Sorry, bad link. Try this one."

    They then called me an hour later to say that they kept trying the first link I'd sent, but couldn't get it to load, and asked if there was anything I could do to help. I said, "But I thought I mentioned—that was a broken link, it doesn't work. I sent the right one!" And they responded with a variation on the above—"I know, but you never know, maybe I'd like it! I'd at least like to see it!"

  • by ruir ( 2709173 )
    Half of people click on this rubbish articles too. Is this the slashdot I used to know?
    • by Jeremi ( 14640 )

      Half of people click on this rubbish articles too. Is this the slashdot I used to know?

      Yes: it was always like this.

  • Half of "people" don't - according to the summary, half of "university students" click anything. There's a fair difference if you ask me. The irony of a clickbait article about impulse clicking...
  • At least my main email client is a text-only client, and I can follow the link with something that is definitely not going to get triggered by a drive-by. And that's to check out strange links that I may get in email, even from people I have previously been in contact with. I definitely don't follow links. Still, on the phone, I may be exposed to vulnerabilities in the non-standard email client I use.
  • by kenh ( 9056 )

    I do click - I right-click on most everything that arrives in my inbox, just to see where it leads.

    But I believe it - here in America, nearly half of all Americans vote for [Democrats|Republicans] without giving it a second thought...

  • MileyAndTayTayDoingIt.exe

    Hmmmmmm...if it is true, worth it!

  • Come on, how come any publication could be considered as interesting or serious when it uses exclusively students as a sample?

To thine own self be true. (If not that, at least make some money.)

Working...