The amount of work it takes to carry out successful phishing attacks and then sell the data on the black market is not worth the payout, according to a report issued recently by two Microsoft researchers.
Security researchers Cormac Herley and Dinei Florencio found that there are far too many people attempting to make money phishing for passwords, account numbers and other sensitive data. The overabundance of cybercriminals has made phishing a less lucrative job.
"Far from being a path to riches, phishing appears to be a low-skill, low-reward business," the two researchers said in their report: A Profitless Endeavor: Phishing as Tragedy of the Commons. "The enormous amount of phishing activity is evidence of its failure to deliver riches rather than its success, as phishers send more and more email hoping for their share of the bounty that eludes them."
The researchers estimate the total annual losses associated with phishing at $61 million, far less than the $3.2 billion estimated by Gartner Inc. and several other research firms. Most published phishing data measures activity, such as the volume of phishing emails and sites, rather than dollars actually lost, which makes the activity appear far more lucrative than it is.
The paper was presented in September at the New Security Paradigms Workshop. In an interview with SearchSecurity.com, Herley said that phishing was still a serious problem for Internet commerce and a stumbling block for businesses trying to communicate with customers. The rise of automated tools has made phishing widely available to less technically savvy people, which has caused spam volumes to keep rising, plaguing messaging systems and often clogging corporate networks. The end result is less consumer trust, a problem that is more significant than the dollars lost, Herley said.
"Some people probably try it for a while, don't make much, and then wander off to try something else," Herley wrote in an email exchange. "Breathless stories about 'easy money' probably ensure enough new entrants to keep the phenomenon going."
Since all that is needed is an Internet connection and a small startup cost for an automated tool, more and more people attempt to make money using phishing techniques. That has flooded the Internet with phishers, each competing for a share of a finite pool of victims and driving down the yield available to everyone. FaceTime malware research director Chris Boyd tried to shut down a do-it-yourself automated phishing tool last year. Boyd and his team found a hacking website where fraudsters could create phishing emails from automatically generated text. The messages were used to steal login details for popular Web mail and social networking sites.
The researchers also suggest that many phishers are emotionally invested in the attack method. Many persist in the hope that they will one day hit the jackpot.
"As it gets easier, more people with lower skills try it out and the yields go down and down," Herley said.
Security researchers Billy Rios and Nitesh Dhanjani, who infiltrated the underground phishing market, said they agreed with the main points of the paper. Rios and Dhanjani presented their work in July at the Black Hat briefings. Over the course of a year, the researchers got friendly with a few phishers and discovered how they operate. Most phishers have to do a lot of hard work proving their legitimacy to the community. Phisher-on-phisher crime has resulted in some phishers giving up traditional phishing tactics, Dhanjani said.
"While the phishers basically have zero barrier to entry from a technical perspective, we did see phishers struggling to monetize," Dhanjani said. "We saw many phishers resorting to marketing tactics such as offering free identities and banking information as incentive to do 'business' with a particular individual and as a way to differentiate themselves from the masses."
Dhanjani praised the phishing study, saying its methodology gives more confidence in its conclusions. But he urged caution about focusing solely on the quantifiable aspects of phishing. Many organizations are helpless to defend against phishing attacks that abuse their brand, he said.
"Even if a business loses no real money, there can still be a loss of customer confidence as many customers seem to blame the affected organization for phishing attacks," Dhanjani said.