Internet users are unable to distinguish between genuine pop-up warnings messages and false ones, a study at North Carolina State University has found.

The study examined the responses of undergraduates to messages which popped up while they did other tasks on a PC.

Seeing the pop-ups as a mere annoyance the majority clicked ‘OK’.

Fake pop-ups are a well-known vehicle for cyber-criminals to install harmful software on PCs.

“This study demonstrates how easy it is to fool people on the web,” said co-author Michael Wogalter, professor of psychology at North Carolina State University.

“Be suspicious when things pop up. Don’t click OK – close the box instead,” said Dr Wogalter.”

Legitimate message

Participants were fooled by the fake messages 63% of the time, even when warned that some of what they would be seeing would be false.

It suggests that the wording on genuine messages needs to be rethought, said Dr Wogalter.

“I don’t know if you could develop a legitimate message that could not be duplicated and used illegitimately,” he said.

Tony Neate, managing director of the UK’s Get Safe Online campaign advised users to install a pop-up blocker.

“Browsers and most anti-virus software offers them. Pop-ups are either downloading something malicious or trying to sell me something so I just don’t want them there at all,” he said.

No responsibility can be taken for the content of external internet sites.

Source: BBC News Online

Yahoo Mail isn’t the only Web-based e-mail service that hackers could dupe into giving up user passwords, the tactic that was apparently used to break into the e-mail account of Alaska Gov. Sarah Palin, the Republican nominee for vice president.

Google Inc.’s Gmail and Microsoft Corp.’s Windows Live Hotmail also rely on automated password-reset mechanisms that can be abused by someone who knows the username associated with an account and an answer to a single security question, according to tests done by Computerworld.

Several reporters were able to access colleagues’ accounts on all three services and then quickly reset their passwords. None of the services required the new passwords to be sent to an alternate e-mail address, although all three offered that as an option.

Adam O’Donnell, director of emerging technologies at messaging security vendor Cloudmark Inc., said that automated password-reset is the rule in Web mail, whether the service is free or offered to users by ISPs as part of their subscriptions.

Personal information that provides answers to account security questions can often be found by searching social networks and other Web sites. The hacker who accessed Palin’s account — a person using the name “Rubico” — claimed in an online post that it took just 45 minutes to dig up the needed info.

David Kernell, the 20-year-old son of a Tennessee state representative, has been connected to the Rubico name in blog posts and online message boards. A federal grand jury in Chattanooga began hearing testimony about the hacking incident last week.

Meanwhile, the FBI served a search warrant at the Knoxville apartment of a college student, who was identified as David Kernell by a local television station. And a lawyer who is representing Kernell said in a statement that the student’s family “wants to do the right thing, and they want what is best for their son.”

Source: Computer World