Where our team of guest writers discuss what they think about the current FST US Issues.

The term ‘phishing’ is so well entrenched in today’s computer jargon that it has become a verb. So you might think it’s been around for a while? Yet phishing, in relative terms, is a surprisingly recent phenomenon.

How was the term ‘phishing’ inspired? Fraudulent websites are left dangling throughout the internet much like a fisherman dangles bait in anticipation of a catch. Potential victims unwittingly key in their personal details and their identities are caught hook, line and sinker. Phishing actually started to appear towards the end of 2001; at that time, internet users were just beginning to come to terms with a rapid escalation of spam volumes, so when spoof emails purporting to come from various banks started to appear, they were not seen as anything new and went unnoticed against the background noise of all that spam.
Reality soon hit home, however, when it emerged that a number of US and UK banks were experiencing an increase in fraudulent withdrawals, specifically via online banking – itself a relatively fledgling endeavour. By late 2002 the media had put the pieces together. While the banks were still largely unwilling to talk, the victims of cyber crime were now coming forward and the true picture started to emerge.
In 2003, a rash of press coverage and technical debate emerged over the issue, which helped drive security awareness into the mainstream media. Banks also strengthened their security portals, with many adding additional steps or techniques to strengthen the authentication process. As phishing messages grew in sophistication, one thing remained constant: email. A professional-looking email was always the delivery mechanism that would contain a hyperlink to the fraudulent site.
Certainly email is the delivery mechanism, and the biggest weapon in the kit bag of a phisher was to simply send more of it. Interestingly, this is in contrast to the phishing volumes we see today. Today, on average, we see one phishing email to every 228 normal messages.
What is striking about this figure is that the ratio is falling from what it was four years ago (approximately one in 200). We are seeing fewer phishing messages today than in the past. Why? Before we answer that, there is another more complex question lingering here. How is it that as less spam is being sent, more people are still being affected?
The answer to both conundrums is that phishing messages today are much more targeted than they were in the past. We see that phishers have become quite discerning about the targets they select. This has been made possible by the glut of spyware that now exists on well over half of all the home computers connected to the internet. Phishers no longer need to use the splatter gun approach, blasting out as many messages as possible – they can achieve a greater return through smaller volumes with the use of targeting.
The vast majority of phishers use what are called ‘Phishing Kits.’ Installing a phishing kit is much like installing any regular program, often with a wizard-type install routine as a guide. The entire process is dumbed down and our fledgling fraudster can be up and running in no time at all. Phishing is an economic crime, not a technical one. It works because there remains an absence of security within the fabric of the internet itself. Detection of fraudulent web activity needs to happen at the internet layer before it can hit either a corporate boundary or a home user’s computer – and the logical entity to perform this task is the ISP.
Only when we see ISPs taking greater responsibility for filtering the traffic they are carrying will we be able to curtail phishing and many of the other threats that exist to blight an otherwise positive internet experience.
Mark Sunner joined MessageLabs in 1999 as head of product development and innovation. The services Sunner and his team initially created went on to establish several groundbreaking milestones within the anti-virus and anti-spam arenas. In 2003 Sunner helped establish MessageLabs’ North American business and became the company’s primary spokesperson.