Attacks/Breaches
1/23/2009
04:52 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Phishing Doesn't Pay, Microsoft Finds

Lured by bad math and get-rich-quick pipe dreams into a life of cybercrime, those phishing for dollars confront a problem not unlike that faced by traditional anglers: too few fish in the sea.

Phishing doesn't pay very well and tends to attract low-skill hackers who themselves become victims.

So say two Microsoft researchers, Cormac Herley and Dinei Florencio, in their recently published paper, "A Profitless Endeavor: Phishing As Tragedy Of The Commons."

"Far from being an easy money proposition we claim that phishing is a low-skill, low-reward business, where the average phisher makes about as much as if he did something legal with his time," the paper says.

Part of the blame for this sorry state of affairs can be laid at the feet of exaggerated phishing loss estimates. "We estimate that recent public estimates overstate phishing losses by as much as a factor of 50," the paper explains.

Who might be to blame for such inflation? Try the media, which finds big dangers more compelling than little ones, and the security industry, which can't sell goods or services in the absence of a clear and present danger.

Lured by bad math and get-rich-quick pipe dreams into a life of cybercrime, those phishing for dollars confront a problem not unlike that faced by traditional anglers: too few fish in the sea. The result is what's known as the tragedy of the commons, wherein a limited resource becomes depleted when self-interest supersedes group interest.

"The easier phishing gets, the worse the economic picture for phishers," the paper says. "As phishers put more and more effort into the endeavor the total revenue falls rather than rises." Based on that finding, Herley and Florencio conclude that increased phishing volume indicates a decrease in total revenue, as phishers compete to capture the limited pool of phishing money.

Phishing appears to operate like every gold rush: The ones making money are the ones selling tools to starry-eyed prospectors, or servers to Web 2.0 startups.

As the paper's authors put it, "Indeed, one explanation of the thriving trade in phishing-related services ... is that phishers with more experience prey upon those with less. That is, those who have tried phishing and found it unprofitable or marginally profitable find it better to sell services to those who haven't reached that conclusion yet."

This supposition is supported by a paper presented last year at the Usenix Conference, "There Is No Free Phish: An Analysis Of 'Free' And Live Phishing Kits." It found that the big phishers -- the authors of phishing kits -- preyed on the little phishers who used their phishing kits.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.