04:52 PM
Connect Directly

Phishing Doesn't Pay, Microsoft Finds

Lured by bad math and get-rich-quick pipe dreams into a life of cybercrime, those phishing for dollars confront a problem not unlike that faced by traditional anglers: too few fish in the sea.

Phishing doesn't pay very well and tends to attract low-skill hackers who themselves become victims.

So say two Microsoft researchers, Cormac Herley and Dinei Florencio, in their recently published paper, "A Profitless Endeavor: Phishing As Tragedy Of The Commons."

"Far from being an easy money proposition we claim that phishing is a low-skill, low-reward business, where the average phisher makes about as much as if he did something legal with his time," the paper says.

Part of the blame for this sorry state of affairs can be laid at the feet of exaggerated phishing loss estimates. "We estimate that recent public estimates overstate phishing losses by as much as a factor of 50," the paper explains.

Who might be to blame for such inflation? Try the media, which finds big dangers more compelling than little ones, and the security industry, which can't sell goods or services in the absence of a clear and present danger.

Lured by bad math and get-rich-quick pipe dreams into a life of cybercrime, those phishing for dollars confront a problem not unlike that faced by traditional anglers: too few fish in the sea. The result is what's known as the tragedy of the commons, wherein a limited resource becomes depleted when self-interest supersedes group interest.

"The easier phishing gets, the worse the economic picture for phishers," the paper says. "As phishers put more and more effort into the endeavor the total revenue falls rather than rises." Based on that finding, Herley and Florencio conclude that increased phishing volume indicates a decrease in total revenue, as phishers compete to capture the limited pool of phishing money.

Phishing appears to operate like every gold rush: The ones making money are the ones selling tools to starry-eyed prospectors, or servers to Web 2.0 startups.

As the paper's authors put it, "Indeed, one explanation of the thriving trade in phishing-related services ... is that phishers with more experience prey upon those with less. That is, those who have tried phishing and found it unprofitable or marginally profitable find it better to sell services to those who haven't reached that conclusion yet."

This supposition is supported by a paper presented last year at the Usenix Conference, "There Is No Free Phish: An Analysis Of 'Free' And Live Phishing Kits." It found that the big phishers -- the authors of phishing kits -- preyed on the little phishers who used their phishing kits.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training
Sara Peters, Senior Editor at Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.