Survey: People Know Online Risks But Often Ignore Them

Surveys are a great window into people’s minds, especially when they can illuminate contrasting, and even contradictory, behaviors in the same group. Results from the Symantec Online Internet Safety Survey have done just that. The most compelling finding—that respondents frequently proceed with online transactions they know might be insecure—inspired me to ask not just, “What are they thinking?” but “What are they thinking?!?”

The survey’s focus must be on many people’s minds, as we’ve had an extraordinary response: 301 people in just a few days! My initial impressions of the results are below. Feel free to share your comments and questions on the original edition of this post.
 

Findings

Risky behavior remains common despite respondents knowing better

What struck me the most was that in many cases respondents continued online transactions even when those transactions lacked security cues respondents knew should be there. For example, 80 percent of respondents knew to look for the padlock icon signifying Secure Sockets Layer (SSL) encryption, but only 55 percent said they would abort a transaction if they didn’t see it. Similarly, 81 percent knew to look for secure Internet connections (HTTPS) but only 56 percent got spooked by secure URLs not matching certificate domains (not an exact correlation, I know, but related). These are differences of nearly 30 points! What is driving this reckless behavior?  

An equally notable figure is that 15 percent don’t use secure connections for social media activities even though they know improved security is available. Come on, people!    

People know to bail out of online transactions they suspect aren’t secure

Exactly three out of four respondents (75 percent) have abandoned online transactions because they felt the website wasn’t secure. This figure affirms respondents’ understanding of security cues and isn’t surprising given respondents’ high sensitivity to data loss. In fact, I’m wondering why the figure isn’t higher, closer to the high 90s like in Questions 1 and 2 (see below). Why would a quarter of respondents not cancel such transactions? Do they only go to websites they trust? And how do they know that trust is warranted without those security cues?

Many people are still learning about new browser security cues developed to counter evolving threats

The majority (55 percent) of the respondents knew to look for a green address bar—the sign of a website having an Extended Validation Secure Sockets Layer (EV SSL) certificate. More than half of respondents (54 percent) knew a green address bar means a website is secure, and only one percent said it didn’t make them feel safe. In contrast, nearly half (46 percent) either didn’t remember seeing the bar or didn’t feel either way about it. These figures indicate that popular understanding of the value of the green address bar is growing, but this new security feature is still not top of mind for many users. Perhaps businesses can help educate their users about their use of the green bar, where applicable. If you need help with that, there are great resources available at the VeriSign Authentication Services site.

Moreover, 42 percent knew to look for a third-party trust mark or seal. In fact, one in three (35 percent) respondents said lack of a seal worried them enough to end an online transaction. These figures may indicate most people don’t yet understand how seals represent an important security guarantee. Think about that for a moment. An online business could be losing a third of its potential transactions simply because the site lacks a recognizable trust mark reassuring users that it is safe.

At the same time, more than four out of five respondents knew to look for the padlock icon and/or the “s” in the HTTPS in the URL address of a website (80 percent and 81 percent, respectively), which is not too surprising, since users have been conditioned over the years to look for these traditional cues. A vast majority of respondents know the value of secure connections (HTTPS) and how to use them—77 percent set their social media security tools to use secure connections whenever browsing or logging in.

Nearly everyone has armed themselves with knowledge about security, but room for improvement still exists

Nearly all respondents (97 percent) considered themselves either somewhat or extremely knowledgeable about keeping their confidential data safe when shopping or banking online. The breakdown here was much more even, with 54 percent saying they were extremely knowledgeable and 43 percent somewhat knowledgeable.  

Keeping confidential data safe when shopping or banking online is a universal concern:

Ninety-eight percent of respondents were either somewhat or extremely concerned. What’s telling is that 82 percent were extremely concerned and only 17 percent somewhat concerned. That means more than four out of five respondents see protecting their data as a top priority.

This data ties into other findings that phishing attacks are widespread but not always recognized as a threat. More than one out of seven respondents (16 percent) said they had been phished, highlighting how endemic cybercrime is today. Five percent of respondents, though, had no idea what phishing attacks are—a dangerous blind spot. Think you know what a phishing site looks like? Play our Phish or No Phish game to see if you can tell the difference.

That wraps up my first take on the data. Thanks again to everyone taking part in the survey.

Spear Phishing in Google’s Pond

Francis deSouza - Group President, Enterprise Products and Services, Symantec

Earlier this week, Google posted a blog stating that the personal Gmail accounts of numerous users, including senior US government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel, and journalists had been attacked. Google said a campaign to obtain passwords appears to have originated in Jinan, China, and was aimed at monitoring the contents of these users' emails, with the perpetrators apparently using stolen passwords to change people's forwarding and delegation settings. Google confirmed that it detected and disrupted this campaign and has notified victims and secured their accounts. They have also notified the relevant government authorities.

These attacks appear to be an example of “spear phishing.” Spear phishing is an email that appears to be from an individual or business that a user knows, but it isn’t. It’s from the same criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your PC. At its heart, spear phishing is simply a targeted attack.

Symantec has noted a continuous increase in targeted attacks, including spear phishing. In fact, the April 2011 MessageLabs Intelligence Report, published by Symantec, revealed that the number of targeted attacks intercepted by Symantec.cloud each day rose to 85—the highest since March 2009, when the figure was 107 in the run-up to the G20 Summit held in London that year. While some high-profile targeted attacks in 2010 attempted to steal intellectual property or cause physical damage, many of these targeted attacks preyed on individuals for their personal information.

Spear-phishing attacks can target anyone, and while the high-profile targeted attacks that received a high degree of media attention (such as Stuxnet and Hydraq) attempted to steal intellectual property or cause physical damage, many of these attacks simply prey on individuals for their personal information. Such was the case with the recent events surrounding Google’s Gmail.

The spear phisher thrives on familiarity. They know their target’s name, email address, and at least a little about them personally. The salutation on the email message is likely to be personalized: “Hi Bob” instead of “Dear Sir.” It may make reference to a “mutual friend” or to a recent online purchase the target has made. Because the email seems to come from someone the target knows, the target may be less vigilant and hand over the information requested. And when it’s a company they know asking for urgent action, they may be tempted to act before thinking.

How do people become targets of a spear phisher? The answer is simple: from the information users put on the Internet from their computers and smartphones. For example, a spear phisher might scan social networking sites and find a user’s page, their email address, their friend list, a recent post telling friends about the cool new camera they just picked up from an online store, or a page about the user giving a presentation on a new groundbreaking technology. Using that information, the spear phisher could pose as a friend, send the target an email, and ask for the password to the user’s photo page. If the user responds with the password, the spear phisher will try that password and variations of it against the user’s account on the online shopping site the camera came from. If one works, they’ll use it to run up a nice tab in the user’s name. Or the spear phisher might use the same information to pose as the online shopping site and ask the user to reset their password or re-verify their credit card number. If the user complies, the spear phisher will then do them financial harm.

At the end of the day, these kinds of attacks are often highly targeted and prey on the susceptibility of individuals. Symantec recommends the following best practices for protection against targeted phishing attacks:
 
Do
•    Unsubscribe from legitimate mailings that you no longer want to receive. When signing up to receive mail, verify what additional items you are opting into at the same time. De-select items you do not want to receive.
•    Be selective about the websites where you register your email address.
•    Avoid publishing your email address on the Internet. Consider alternate options; for example, use a separate address when signing up for mailing lists, get multiple addresses for multiple purposes, or look into disposable address services.
•    Use strong passwords or two-factor authentication, such as Symantec’s VeriSign Identity Protection, that requires something you know and something you have.
•    Only enter personal and financial details on a website that is protected with an SSL certificate. Look out for the padlock, https, or the green address bar.
•    Using directions provided by your mail administrators, report missed spam if you have an option to do so.
•    Delete all spam.
•    Avoid clicking on suspicious links in email or IM messages because these may be links to spoofed websites. We suggest typing Web addresses directly into the browser rather than relying upon links within your messages.
•    Always be sure that your operating system is up to date with the latest updates, and employ a comprehensive security suite.
 
Do Not
•    Open unknown email attachments. These attachments could infect your computer.
•    Reply to spam. Typically the sender’s email address is forged, and replying may only result in more spam.
•    Fill out forms in messages that ask for personal or financial information or passwords. A reputable company is unlikely to ask for your personal details via email. When in doubt, contact the company in question via an independent, trusted mechanism, such as a verified telephone number or a known Internet address that you type into a new browser window (do not click or cut and paste from a link in the message). Only enter personal information when you initiate the session.
•    Buy products or services from spam messages.
•    Use the same login and password across multiple websites.
•    Open spam messages.
•    Forward any virus warnings that you receive through email. These are often hoaxes.
 

Too Many Hoaxes

At first, I was just plain annoyed. Someone forwarded a hoax email to me twice in the same week. I am often asked about hoax email: “Kevin, you work at Symantec, is this true?” That’s fine; that’s not what annoyed me. What set me off was that both emails had been forwarded to warn me. The forwarder wasn’t even questioning the content of the email. They had accepted clearly bogus warnings about the “world’s worst virus” as fact.
 
Then I started thinking about the Twitter discussion I recently had about education. Some security professionals are turned off by education because they don’t believe it works. The rest feel it’s important, but never done right. (I fall into the latter category.) And I decided that my previous approach to educating people about these hoaxes was not working. Just giving people a link to a Web page that disputes the hoax is not enough. Rather than give a man a fish, I needed to teach them how to fish.
 
So, I sat down and wrote an email explaining how to spot a virus hoax. It took a little longer than just forwarding a link, but I think it will be more effective. Plus, I can now just cut and paste this email as a response the next time someone forwards a hoax email to me.
 
If you want to give what I’ve done a try, I turned my email into a template that you can use. (See below.) The next time someone forwards a hoax email to you, just cut and paste this into a reply. I’m optimistic that we can educate people—we just need to adjust and adapt when things don’t work.

-----

Dear [fill in friend’s name],
 
As you know, I work at [Company Name] in the group that covers computer security. I see my fair share of viruses. I also see quite a bit of hoax email. The email you forwarded is a hoax.
 
It is true that miscreants are sending email with attachments and making posts to people’s Facebook pages with links that lead to malware. They use high-profile events or interesting-sounding videos to get you to click on the attachment or link. The goal is always the same: to get you to click and become infected. It is only the come-on that changes.
 
But, the thing is, any warning that comes in via email is almost always a hoax. They are never about real malware. Sometimes they tell you to do things that could actually damage your computer. (Hoaxers have a strange sense of humor.)
 
There are five easy ways to tell if the email you’ve received is a hoax:
 
1.    Snopes verified it.
 
The email you forwarded to me is confirmed by Snopes as a hoax. The hoaxers only tell you Snopes has verified it as true so you will not check for yourself.
 
2.    It’s the worst virus Symantec has ever seen.
 
Even if it truly existed, it would not be the worst virus ever seen. Trust me. Unless it will force cylinders used for uranium enrichment to spin out of control, it is not the worst virus ever seen.
 
3.    It does irreversible harm to your computer.
 
People who write malware are crooks, not vandals. They try to steal your information. They need your machine to stay functioning to do that.
 
4.    A reliable person forwarded the email.
 
Being reliable and being a good judge of hoaxes are two completely different skills.
 
5.    You are to forward the email to everyone you know.
 
Good-hearted people try to warn others of impending disasters. Hoaxers tell people to forward an email to everyone they know. Thanks for being so concerned—it speaks well of you as a person. But, next time, please just delete the email.
 
Regards,
 
[Your name here]