
Economics and Phishing

Posted by Chris Dixon on January 10, 2006 02:11 PM

It is somewhat surprising to us how little talk there is in the Web security world about economics.

Why does economics matter? A basic principle in the design of any security model is first to understand the mindset of the attacker. And the fastest growing Web security threats are, by and large, economically motivated. The purveyors of spyware, spam and phishing attacks are making significant money from their efforts. They are businesses, and understanding their strengths and their weaknesses and how they will evolve over time requires understanding the forces that motivate them.

But talk to people in the security world and they still often talk as if all the bad stuff on the Web is coming from teenage vandals who make rogue software and Web sites out of some perverse sense of adventure. This may have been true 10 or 20 years ago, but with the advent of Internet business models -- commerce and advertising -- the times have changed.

There are some notable exceptions to this lack of understanding about what motivates today’s online security threats. Spyware researchers like Suzi Turner, Eric Howes, and Ben Edelman (who serves on our Board of Advisors) come to mind. Bruce Schneier is another really interesting writer who certainly understands the underlying economic drivers in play.

The reality is that much of what average Internet users call "spam" is actually perfectly legal, CAN-SPAM compliant bulk e-mail, where in some technical sense the user "agreed" to receive the e-mail. We put the word "agreed" in quotes deliberately. Do you think the person who signed up at the totemmail.com Web site (SiteAdvisor analysis: totemmail.com) really "agreed" to receive 797 e-mails per week? Sites like this, what most people would think of as "spammers," aren't doing it to be annoying (although they certainly are). They are savvy businesses that make significant profits from their activities.

Likewise, most of what typical Internet users think of as "spyware" is actually created by sizable companies in major, Western nations. Their motivation is purely economic: they charge advertisers for targeted messages that pop up on users' computers. We’ve already discussed how understanding the business of adware, and in particular how they distribute their bundles through affiliates, can lead to effective ways to track and defend against their activities. In the coming months, we’ll be discussing the economics of these businesses in much greater detail.

Analyzing spyware affiliates according to their link structure is a special case of the more general strategy of designing defenses with the attacker's range of motion in mind. A good chess player will always try to move such that he has more, and his opponent has fewer, degrees of freedom. Likewise, a good security defense will focus on the capabilities where the attacker is most constrained and try to use those constraints against him.

The Case of Phishing

A good illustration of how this principle plays out in practice is phishing.

Let’s imagine for a moment that you are a phisher.

First, to make your site convincing, you need a domain name. That costs a few dollars, and presumably as a phisher you have fake credit card numbers at your disposal, so it is probably effectively even cheaper.

As to your e-mail header information, the predominant e-mail protocol allows you to just completely fake it.

Next, you need lots of IP addresses that aren’t blacklisted by anti-spam systems. There are well organized networks of hijacked proxy servers or home PCs you can rent these from. This ends up being really cheap. Hardcore spammers do the same thing all the time.

So what can’t the phisher do?

Well, for one, you need to transmit the stolen user data back to servers under your control, so in general you can’t have the data sent back to the real paypal.com or whatever site you are mimicking. (Ok, we suppose you could actually hack paypal.com, but in that case you don’t really need to go phishing to get credit card numbers). You also need to ensure that the content of your e-mails and Web site resemble those of the company you are mimicking.

Pretty much everything else you can fake - cheaply and easily.

So how has the security world responded to this threat? Mostly by creating what they call "blacklists" – lists of Web sites they have detected that are being used by phishers. Thus, the security world is basically focusing their detection on a resource that phishers can easily recreate. The end result? Phishers move around a lot, and blacklists are filled mostly with defunct Web sites.

This is what a basic economic model would predict in theory. But does it reflect reality? We had the opportunity to verify this prediction by looking at some of the most prominent anti-phishing blacklists. They were, in fact, almost completely filled with defunct Web sites. If someone can show us a (meaningfully sized) anti-phishing blacklist where the vast majority of sites aren’t defunct, we’ll be very surprised and will happily give it proper credit.

A New Approach

It is probably obvious by now what we think the right way to attack phishing is. Focus on the phisher's two biggest constraints: the need to have the content of his Web site look real, and the need to have the stolen data sent back to servers which the phisher controls.

In other words, why run around chasing every fake Paypal Web site when, instead, you can just make a list of the handful of real Paypal Web sites? When you see something that looks a lot like a real Paypal Web site but isn’t a real Paypal site, that’s phishing. This is what is known by security technologists as a combined heuristics and whitelist approach. People have used heuristics before. But, to our knowledge, they haven't combined them with whitelists. It seems strange to us, but no anti-phishing system we’ve ever looked at actually bothers to note that Paypal.com is the real Paypal.
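One way to implement the combined whitelist-and-heuristics check described above, as an added example that is not SiteAdvisor's own code: the whitelist of genuine domains, the brand vocabulary and the sample pages are all constructed assumptions. The check ties both phisher constraints together: the page must look like the brand, and the page and every form on it must post to a whitelisted host, otherwise the credentials are headed for a server the brand does not control.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed whitelist: domains assumed genuine (subdomains like www.paypal.com pass).
WHITELIST = {"paypal": {"paypal.com"}}
# Constructed brand vocabulary: phrases a page imitating the brand would carry.
BRAND_TERMS = {"paypal": ["paypal", "log in to your account", "verify", "password"]}

class _PageScanner(HTMLParser):
    """Collect every form action and all visible text from one page."""
    def __init__(self):
        super().__init__()
        self.actions, self.text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")
    def handle_data(self, data):
        self.text.append(data)

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def _is_trusted(host, trusted):
    return any(host == d or host.endswith("." + d) for d in trusted)

def classify(page_url, html, brand):
    """Return 'genuine', 'phishing' or 'unrelated' for one fetched page."""
    scanner = _PageScanner()
    scanner.feed(html)
    scanner.close()
    text = " ".join(scanner.text).lower()
    # Heuristic: two or more brand phrases means it "looks a lot like" the brand.
    looks_like_brand = sum(term in text for term in BRAND_TERMS[brand]) >= 2
    page_host = _host(page_url)
    # A relative form action posts back to the page's own host.
    action_hosts = {_host(a) or page_host for a in scanner.actions}
    trusted = WHITELIST[brand]
    # Whitelist: the page AND every form on it must sit on the real site;
    # a real site has no reason to send credentials anywhere else.
    on_real_site = _is_trusted(page_host, trusted) and all(
        _is_trusted(h, trusted) for h in action_hosts)
    if on_real_site:
        return "genuine"
    return "phishing" if looks_like_brand else "unrelated"

# Constructed sample pages (not real sites) for a quick self-check.
GENUINE_PAGE = ('<html><title>PayPal</title><form action="/signin">'
                'Log in to your account. Password: <input></form></html>')
FAKE_PAGE = ('<html><title>PayPal - verify now</title>'
             '<form action="http://collect.example.net/drop.php">'
             'Log in to your account. Password: <input></form></html>')
```

A page hosted on the real domain whose form posts elsewhere is still flagged, since the exfiltration path, not the hostname alone, is what the whitelist protects.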

At SiteAdvisor, we’ve taken just such a combined heuristics and whitelist approach. To date, we've crawled and analyzed over 1 million of the most popular Web sites, covering over 90% of the Web sites users visit (and we will crawl many, many more over the coming months). We think it’s the best way to detect and prevent phishing. We've implemented it in the Preview Version of our Internet Explorer plug-in (we will add it to our Firefox extension soon as well). Feel free to try it out yourself.

As always, we welcome your feedback. And don't forget to look for the green button in your browser. That means you're sending your feedback to the real SiteAdvisor Web site.


Comments

Hi gents and ladies,

After hearing about your project from Ben I have been following it with much anticipation and find it very useful. It assists our researchers in some toss-up situations and is a real boon.
(We primarily study IM attacks and use honeypots to trap Spim and worms often laden with malware, rootkits and the kitchen sink.)

I do have one point to quibble about. On some sites you list emails as 'spammy', what do you mean by this? A legitimate opt-in list is surely going to make offers and pitches and as long as the user has opted-in I don't see how that gets classified as "spammy". Perhaps you might rephrase that as emails containing commercial content, or solicitations to buy merchandise or products?

"Spammy" seems vague and not objective. In my experience many users define "spam" as e-mail they don't particularly want at that moment or e-mail received because a youngster signed up for a contest, co-reg, etc. Even IF they signed up for it in the first place. We maintain a large in-house list and make commercial offers and our attrition rate is extremely low.

All in all I love your work but I think the coinage "spammy" is a bit vague.

Keep up the good work on your excellent project. I look forward to its continued development.

regards,
Wayne

Wayne –

Thanks for the response – and the encouragement. It’s nice to hear that people are able to use SiteAdvisor data to help tackle other problems out there. Particularly, people like you who are fighting the good fight.

Let me try to explain our spammy classification a bit better. The overarching goal of our email ratings is to provide users with the information they need to help them make informed decisions as to whether they should sign up at a website or not – and to do it in a language that the average person will understand. And, as you say, people have different definitions of "spam". And, by some (including some legal) definitions of "spam", the same piece of email might qualify as spam for some people, but not for others.

The way we measure "spamminess" right now is by feeding all the email we receive into SpamAssassin and looking at the "spam score" it assigns. You may have already read this but we describe our method in more detail in an earlier blog post and also in our FAQ.

If part of your question relates specifically to spywareguide.com, then I would agree that our "spamminess" metric is too aggressive here. We’re in the process of adding information that we have about how many different senders send emails because of a given sign-up – giving a bonus to sites that send email from one place and a penalty to sign-ups that result in emails from many different places – to help measure whether or not your personal information has been shared with others. Since the email that comes from spywareguide.com comes from only 2 domains, one of which is spywareguide.com itself, I expect this to lower the "spamminess" rating of spywareguide.com and make it rated "green" in our system.

Finally, we know that no matter how much we improve our technology, there is never any replacement for the judgments of experts. That is why we allow for users to comment on our site ratings. We are in the process of building a "reputation system" so user comments can directly affect our verdicts. We expect that experienced users will be able to have a very strong impact on our ratings when they see things they disagree with.

Thanks again for your feedback and please feel free to send more,

Chris

Inspector Brown uses a white list.
