Security Watch

Keeping Track of patches and hacks in the IT security world.

Phishing Officially Commoditized

It should surprise no one: word from Gartner is that phishing has become so ubiquitous that attackers are now aiming their campaigns at stealing smaller amounts of money from more people, a sure sign that competition in the field, together with legitimate organizations' efforts against such fraud, is increasingly shaping the makeup of the schemes.

According to a new survey published by the influential analyst house, over 5 million U.S. consumers lost money to phishing in the twelve-month period ending in September 2008. That figure represents a 40 percent increase over the number of people victimized by phishing during 2007, the company said.

At the same time that phishing squirmed its way into so many more Americans' lives, however, the average consumer loss per phishing incident fell to $351 in 2008, a 60 percent decrease from the year before.

So what does this tell us?

Just like malware, phishing has become so saturated, and so much effort is being spent to stop it, that attackers are being forced to work harder to make the same amount of money off the scams. As in any legitimate business, one can reasonably assume that this is driving consolidation in the field and giving the advantage to those phishers who can use automation to churn out the largest batches of attacks.

Or maybe that's not the case; maybe more amateur phishers are using widely available toolkits to make a little money. Or maybe there's just far more phishing in general.

Either way, the most fitting assessment would appear to be that the phishing industry has become totally commoditized.

"Commoditized" is a tricky word. I always thought it was misapplied to the AV industry in a lot of cases, though even those people running endpoint security vendors today will tell you that AV engines are indeed very comparable in a lot of ways (while arguing that the other security applications integrated with them typically are not).

But to me, much like the non-targeted, mass-market malware threats that are out there in ever-growing numbers but are easier for researchers to identify, this evidence of greater volumes of low-brow phishing means that it has simply become less innovative and more productized.

Of course, much like targeted malware, highly customized spear phishing attacks are probably running wild, and we just don't know as much about them. Like the cyber bank robberies that go down beyond the reach of the public eye, kept secret by the banks themselves for obvious reasons, I'd bet that a lot of people are being compromised via phishing campaigns so targeted that they're nearly impossible to detect.

High end, low end... it's a truly businesslike dichotomy.

And this watering down of the phishing we do know about only seems to prove that phishing has become just another big business.

According to Gartner, consumers recovered an average of 56 percent of their phishing losses, which the analysts said means that overall fraud costs are being passed along mostly to banks and other financial service providers, including online payment processors like PayPal.

Gartner's overall assessment focuses more on the fact that defensive measures don't appear to be slowing phishing.

"The survey findings underline the fact that the war against phishing is far from over," Avivah Litan, a Gartner expert, said in a report summary. "Despite the rollout of a wide range of security measures designed to stem phishing, the truth is that many of them are not yet adopted widely enough to reverse this tide and, in many cases, their effectiveness is only partial."

I'd agree in the sense that I bet a greater number of attacks are being sent out, and as a result more unwitting consumers are falling for them.

But to me, the notion that attackers are being forced to use larger numbers of attacks that seek smaller amounts of money also says that defenses are having an effect. If attackers could steal more money from fewer targets, you'd have to think that would make their lives simpler, or they'd simply try to steal more money from everyone.

By shooting for less, attackers are almost certainly trying harder not to get noticed in the first place, much as we've seen with the malware crowd. With all the different technologies and services out there looking for phishing, the bad guys are probably sensitive to the filters being deployed, such as applications that look for unusual behavior to detect ongoing card fraud or bank account theft, and are adjusting their tactics as a result: a transfer of a few hundred dollars is far less likely to trip an amount-based rule than one that empties the account.

Gartner is pushing enterprises to "deploy and improve security solutions that protect accounts and customers against attacks." Companies holding financial data should also make wider use of site authentication and employ proactive anti-phishing services that watch for misuse of their brands, the report contends.
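To make the "watch for misuse of their brands" recommendation concrete, here is an added example, written for this page and not code from the post, from Gartner, or from any anti-phishing vendor. It is a minimal brand-misuse monitor: given a feed of newly observed hostnames (a constructed list here; in practice these come from certificate transparency logs, passive DNS, or newly registered domain feeds), it flags domains that impersonate a protected brand by typosquatting, digit and Cyrillic look-alike characters, embedding the brand in the registrable domain, or hiding the brand in a subdomain. The brand list, the confusable-character tables, and the naive two-label notion of a registrable domain are all assumptions for illustration.

```python
"""Added example: a toy brand-misuse detector of the kind the post's
"proactive anti-phishing services" run.  Not from the original post.
"""
import unicodedata
from typing import Dict, List, Optional, Tuple

# Hypothetical brands to protect, mapped to their legitimate registrable
# domain.  Assumed for illustration.
PROTECTED_BRANDS: Dict[str, str] = {
    "paypal": "paypal.com",
    "examplebank": "examplebank.com",
}

# Cyrillic letters that render like Latin ones (assumed, representative subset).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0441": "c", "\u0455": "s"}
# ASCII substitutions commonly used in look-alike names (assumed subset).
# Note "rn"->"m" can over-fold legitimate words; acceptable for a detector.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
              "vv": "w", "rn": "m"}


def normalise(label: str) -> str:
    """Fold a DNS label to the ASCII string a human would read it as."""
    s = label.lower()
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    for bad, good in HOMOGLYPHS.items():
        s = s.replace(bad, good)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'payapl' is one step from 'paypal'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' rule; a real monitor uses the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(host: str) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) if host appears to misuse a protected brand."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in PROTECTED_BRANDS.values():
        return None  # the brand's own domain and its subdomains are legitimate
    labels = host.split(".")
    reg_label = reg.split(".")[0]
    folded = normalise(reg_label)
    for brand in PROTECTED_BRANDS:
        if folded == brand and reg_label != brand:
            return (brand, "homoglyph")          # paypa1.com, p<cyrillic a>ypal.com
        if osa_distance(folded, brand) == 1:
            return (brand, "typosquat")          # payapl.com
        if brand in folded and folded != brand:
            return (brand, "brand-embedded")     # paypal-secure-login.com
        for sub in labels[:-2]:
            if brand in normalise(sub):
                return (brand, "brand-in-subdomain")  # paypal.com.evil.net
    return None


def scan(hosts: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over a feed and return the hits as (host, brand, reason)."""
    hits = []
    for h in hosts:
        verdict = classify(h)
        if verdict:
            hits.append((h, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    # Constructed feed of newly observed hostnames.
    feed = ["secure.paypal.com", "paypa1.com", "payapl.com", "google.com",
            "paypal-secure-login.com", "paypal.com.evil-login.net",
            "p\u0430ypal.com", "examp1ebank.com"]
    for hit in scan(feed):
        print(hit)
```

The ordering of the checks matters: an exact match on the brand's own registrable domain returns early so that every legitimate subdomain is whitelisted, and the homoglyph test runs before the edit-distance test so that a folded exact match is reported as a look-alike rather than a typo. A real deployment would add punycode decoding of `xn--` labels and a public suffix list, and would feed hits to a takedown process rather than just printing them.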

The analysts recognize that there is no stopping phishing anytime soon, regardless of IT security or fraud-industry trends.

"None of the solutions are foolproof, however, and determined crooks will manage to get around them, so a layered security approach, involving all parties, will yield the best results," Litan said. "This strategy must include continuous fraud detection, stronger user authentication, and out-of-band transaction verification for registered users."
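As an added example of how two of the layers Litan names fit together, here is a toy transaction-risk engine written for this page; it is not code from the post, from Gartner, or from any bank. Continuous fraud detection scores each payment against the same customer's history (new payee, amount far above the customer's norm, unusual country, burst of payments in a short window), and the score decides whether the payment is allowed outright, stepped up to out-of-band verification, or held for review. The account history, the signal weights, the thresholds, and the `oob_confirm` callback standing in for a real out-of-band channel (a phone call or SMS code) are all constructed assumptions.

```python
"""Added example: layered fraud detection with out-of-band step-up.
Constructed data and thresholds; not from the original post or Gartner."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Txn:
    user: str
    amount: float
    payee: str
    country: str
    at: datetime


# Constructed history for one account: routine small payments from the US.
HISTORY: List[Txn] = [
    Txn("alice", 42.00, "electric-co", "US", datetime(2008, 9, 1, 9, 0)),
    Txn("alice", 55.00, "grocer", "US", datetime(2008, 9, 3, 18, 30)),
    Txn("alice", 60.00, "electric-co", "US", datetime(2008, 9, 8, 9, 5)),
    Txn("alice", 48.00, "grocer", "US", datetime(2008, 9, 12, 19, 10)),
    Txn("alice", 50.00, "grocer", "US", datetime(2008, 9, 20, 17, 45)),
]

# Signal weights and decision thresholds: assumed values, tuned on real data in practice.
WEIGHTS = {"new_payee": 2, "amount_outlier": 3, "new_country": 2, "velocity": 2}
STEP_UP_AT, HOLD_AT = 3, 7          # score >= 3: out-of-band check; >= 7: hold
VELOCITY_WINDOW = timedelta(minutes=10)
AMOUNT_MULTIPLIER = 3               # flag amounts above 3x the customer's mean


def risk_signals(txn: Txn, history: List[Txn]) -> Dict[str, int]:
    """Continuous fraud detection: compare one transaction with the same
    user's earlier transactions and return the signals that fired."""
    prior = [t for t in history if t.user == txn.user and t.at < txn.at]
    if not prior:
        return {"no_history": STEP_UP_AT}   # unknown customer: always step up
    signals: Dict[str, int] = {}
    if txn.payee not in {t.payee for t in prior}:
        signals["new_payee"] = WEIGHTS["new_payee"]
    if txn.amount > AMOUNT_MULTIPLIER * mean(t.amount for t in prior):
        signals["amount_outlier"] = WEIGHTS["amount_outlier"]
    usual_country = Counter(t.country for t in prior).most_common(1)[0][0]
    if txn.country != usual_country:
        signals["new_country"] = WEIGHTS["new_country"]
    recent = [t for t in prior if txn.at - t.at <= VELOCITY_WINDOW]
    if len(recent) >= 2:
        signals["velocity"] = WEIGHTS["velocity"]
    return signals


def decide(txn: Txn, history: List[Txn],
           oob_confirm: Callable[[Txn], bool]) -> str:
    """Layered decision: allow, require out-of-band confirmation, or hold.
    oob_confirm stands in for the real out-of-band channel and returns
    whether the registered customer confirmed the payment."""
    score = sum(risk_signals(txn, history).values())
    if score >= HOLD_AT:
        return "held"       # too anomalous to trust a one-time code alone
    if score >= STEP_UP_AT:
        return "allowed" if oob_confirm(txn) else "declined"
    return "allowed"


if __name__ == "__main__":
    mule = Txn("alice", 2400.00, "new-mule", "RO", datetime(2008, 9, 26, 3, 12))
    print(risk_signals(mule, HISTORY), decide(mule, HISTORY, lambda t: True))
```

The design point is that the out-of-band step is reserved for the middle band: a routine payment never bothers the customer, and a payment that trips several signals at once is not released on the strength of a code that a phisher who already holds the credentials may be able to relay as well. The velocity rule is what catches the commoditized pattern the post describes, many small payments instead of one large one, which the amount rule alone would miss.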

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to [email protected].