Phishing scams for money? Don't bet on it

By Robert Westervelt, News Editor
08 Jan 2009 | SearchSecurity.com

Security Wire Daily News
The amount of work it takes to carry out successful phishing attacks and then sell the data on the black market is not worth the payout, according to a report issued recently by two Microsoft researchers.

Security researchers Cormac Herley and Dinei Florencio found that there are far too many people attempting to make money phishing for passwords, account numbers and other sensitive data. The overabundance of cybercriminals has made phishing a less lucrative job.

"Far from being a path to riches, phishing appears to be a low-skill, low-reward business," the two researchers said in their report: A Profitless Endeavor: Phishing as Tragedy of the Commons. "The enormous amount of phishing activity is evidence of its failure to deliver riches rather than its success, as phishers send more and more email hoping for their share of the bounty that eludes them."

The researchers estimate the total annual losses associated with phishing at $61 million, much less than the $3.2 billion estimated by Gartner Inc. and several other research firms. Most of the phishing data measures activity rather than dollars, making it seem like the activity is lucrative.

The paper was presented in September at the New Security Paradigms Workshop. In an interview with SearchSecurity.com, Herley said that phishing was still a serious problem to Internet commerce and a stumbling block for businesses trying to communicate with customers. The rise of automated tools made phishing widely available to less technically savvy people, which caused spam messages to continue to rise, plaguing messaging systems and often clogging corporate networks. It ultimately results in less consumer trust, a problem that is more significant than lost dollars, Herley said.

"Some people probably try it for a while, don't make much, and then wander off to try something else," Herley wrote in an email exchange. "Breathless stories about 'easy money' probably ensure enough new entrants to keep the phenomenon going."

Since all that is needed is an Internet connection and a little startup cost for an automated tool, more and more people attempt to make money using phishing techniques. That has flooded the Internet with phishers, driving down available sources to phish. FaceTime malware research director Chris Boyd tried to stop a do-it-yourself automated phishing tool last year. Boyd and his team found a hacking website where fraudsters can create phishing emails using automatically generated text. The messages are used to steal log-in details for popular Web mail and social networking sites.

The researchers also suggest that many phishers have strong emotional ties to the phishing attack methods. Many persist hoping they will one day hit the jackpot.

"As it gets easier, more people with lower skills try it out and the yields go down and down," Herley said.

Security researchers Billy Rios and Nitesh Dhanjani, who infiltrated the underground phishing market, said they agreed with the main points of the paper. Rios and Dhanjani presented their work in July at the Black Hat briefings. Over the course of a year, the researchers got friendly with a few phishers and discovered how they operate. Most phishers have to do a lot of hard work proving their legitimacy to the community. Phisher-on-phisher crime has resulted in some phishers giving up traditional phishing tactics, Dhanjani said.

"While the phishers basically have zero barrier to entry from a technical perspective, we did see phishers struggling to monetize," Dhanjani said. "We saw many phishers resorting to marketing tactics such as offering free identities and banking information as incentive to do 'business' with a particular individual and as a way to differentiate themselves from the masses."

Dhanjani praised the phishing study, saying its methodology gives more confidence in its conclusions. But he urged caution about focusing completely on the quantifiable aspects of phishing. Many organizations are helpless to defend against phishing attacks that abuse their brand, he said.

"Even if a business loses no real money, there can still be a loss of customer confidence as many customers seem to blame the affected organization for phishing attacks," Dhanjani said.


