
zephead

macrumors 68000
Apr 27, 2006
1,574
9
in your pants
10/10 :D

I could tell by the address fields in a few of them, and I could tell the Amazon one just because I know what the real one looks like.
 

Anonymous Freak

macrumors 603
Dec 12, 2002
5,604
1,389
Cascadia
10/10. Had to enlarge a couple to check the URLs, which made them blindingly obvious. Most I could figure out without resorting to the URL. Some were laughably bad.
 

Anonymous Freak

macrumors 603
Dec 12, 2002
5,604
1,389
Cascadia
I got the very last question wrong about SSL...oops, at least now I know.

Yeah, just because the connection between you and the site is secure, it doesn't mean that it's the site you think it is.

I have SSL/https available on one of my personal websites, and I could put a fake Bank of America site on there, and it would authenticate just fine. It's not authenticating as BofA, it's just authenticating as a URL matching a known certificate. The fact that it would appear as "https://www.bankofamerica.com.mypersonaldomain.us" just means you have to look beyond the first ".com". Plus, there is a vulnerability that lets you spoof a browser into displaying a 'cut off' address. (I think it's been patched in all current browsers, but if you're using an unpatched IE6, I could make it LOOK like you actually are on "https://www.bankofamerica.com", when you're actually on a different domain.)

Two big giveaways: Banks will *NEVER* ask you for your full credit card number, PLUS the three digit code on the back, PLUS your full SSN. (I was seriously worried once when one of my banks did ask for the full CC# plus verification code, though. I had to call them to make sure their site hadn't been hijacked, and promptly complained about the insecurity of asking for both of those bits of info at the same time.) And a bank will generally not put a link to a 'deep' page in an email, they will link to their home page, and tell you in the email to use standard login methods. (Although, again, some are still not as security-conscious as they should be.)
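
Added example, not part of any post in this thread: a Python sketch of the "look beyond the first .com" check described above, which reads the hostname from its right-hand end instead of trusting the padlock. The function name, the verdict strings and every sample URL other than the one quoted in the post are constructed for illustration.

```python
from urllib.parse import urlsplit

def classify_link(url: str, expected_domain: str) -> str:
    """Say whether url's host really belongs to expected_domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_domain.rstrip(".").lower()
    # Ownership is decided by the right-hand labels, so compare the suffix.
    # The leading dot stops "xbankofamerica.com" passing as a subdomain.
    if host == expected or host.endswith("." + expected):
        return "match" if parts.scheme == "https" else "match-but-not-https"
    # From here on the host belongs to someone else, valid certificate or
    # not. Report how the link tries to look like the expected site.
    if parts.username and expected in parts.username.lower():
        return "brand-in-userinfo"          # text before '@' is not the host
    if host.startswith(expected + ".") or "." + expected + "." in host:
        return "brand-as-subdomain-prefix"  # the case quoted in the post
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode-host"              # encoded internationalized name
    return "different-domain"

# Constructed sample links, except the second, which is quoted in the post.
SAMPLES = [
    "https://www.bankofamerica.com/login",
    "https://www.bankofamerica.com.mypersonaldomain.us/login",
    "https://www.bankofamerica.com@login.example/",
    "https://xbankofamerica.com/",
    "http://www.bankofamerica.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link, 'bankofamerica.com'):26} {link}")
```

The check only answers "is this host under the domain I expected"; the expected domain itself still has to come from somewhere trusted, such as a bookmark or the back of the card.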
 

EricNau

Moderator emeritus
Apr 27, 2005
10,730
287
San Francisco, CA
10/10. (OK, technically 9/10 because I started checking the forged websites instead of the legitimate ones. I realized my mistake almost immediately, but it was too late for the Bank of America question. That was the hardest question for me, which is probably why I got so confused). :eek:

I actually got several of these emails yesterday (and I hardly ever get spam!). "Wells Fargo" told me I needed to sign in to their "new" website. The biggest red flag for me was the fact that they sent me the same email three times! :D
 