Remember when spam was just a nuisance, and the deceptive email dubbed phishing was just a fad, or so we hoped? Now phishing is all grown up, operated on a large scale by well-funded cybercriminals who use botnets to harvest personal data and sell it on the black market. And then there is the rapid evolution of spear-phishing, which is spearheading an unprecedented wave of cybercrime, playing a leading role in attacks on Oak Ridge National Laboratory, RSA and about 50 companies, many of them Fortune 100, that are involved in research and development of chemical compounds, including defense-related products, such as advanced materials for military vehicles (as reported in the Symantec whitepaper, “The Nitro Attacks: Stealing Secrets from the Chemical Industry”).
What a difference eight years makes – that’s how long ago the Anti-Phishing Working Group was formed. Often referred to these days as simply APWG, the organization has grown from modest beginnings in 2003 to being a major player in the fight against cybercrime. Next week APWG is hosting a cybercrime conference in San Diego titled eCrime ’11. Topics on the agenda give you an idea of the state of play and level of specialization we currently see in the fight against phishing: Leveraging Consumer Behavior Better Than the Bad Guys; De-anonymizing the Bitcoin Network; Automated Classification of Malicious Smart Phone Applications via Machine Learning; Cybercrime Response Strategies, Technologies and Resources; A Model for Systematized eCrime Event Data Exchange for Industrial Cybercrime Interveners; Taming Zeus leveraging its own crypto internals; Phishing, Crime that Pays; High-Performance Content-Based Phishing Attack Detection.
Speakers run the gamut from academia to the enterprise, government agencies and law enforcement. I will report back from the conference in a future post, hopefully with some positive news about progress in the fight to lessen the effectiveness of phishing attacks. But, I doubt we will be seeing any silver bullets. This fight is a tough one because it involves psychology as well as technology: The lure of the deceptive email that some people just can’t resist opening, and the stealth of the malware that may be hidden somewhere in the message or an attachment to it.
Not that all phishing messages carry infection. Some cybercriminals still favor classic phishing emails, counting on the recipients handing over personal data in response to a fake request from a known institution. I never have to look far back in my junk email folder to find one of these classics. For example, I see one purportedly sent last month from “Chase Bank” titled “irregular activity.” Apart from the fact that Chase is unlikely to send out a message with irregular capitalization, this phish fails for me because I don’t have an account at Chase.
And that reminds me of the first phish I ever wrote about, back in 2003. The subject header was properly capitalized and it appeared to come from a bank where I did have an account. But the message itself was suspiciously ungrammatical: “Due to technical update we recommend you to reactivate your account.” What still worries me about such classic phish is the number of recipients who might not find that grammar suspicious, and the possibility that the next wave of phishing will be carefully copy-edited.
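The tells described in the last two paragraphs (a bank you have no account with, a subject line with odd capitalization, stock ungrammatical phrasing, and a request to act on your account) are exactly the kind of content-based indicators a mail filter can score. The following is an added example, not code from the original post or from APWG; the message headers, the `MY_INSTITUTIONS` set and the phrase list are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, modelled on the two phish described in the post.
# These are not real headers; the domains are reserved .example names.
SAMPLES = {
    "chase": (
        "From: Chase Bank <alerts@chase-secure-login.example>\n"
        "Subject: irregular activity\n\n"
        "Please confirm your account details at the link below.\n"
    ),
    "reactivate": (
        "From: My Bank <security@mybank.example>\n"
        "Subject: Account Reactivation Required\n\n"
        "Due to technical update we recommend you to reactivate your account.\n"
    ),
    "legit": (
        "From: Newsletter <news@example.org>\n"
        "Subject: October Newsletter\n\n"
        "Here is this month's update from the team.\n"
    ),
}

# Assumption: the recipient maintains a list of institutions they actually bank with.
# Anything presenting itself as a bank from another domain is suspect.
MY_INSTITUTIONS = {"mybank.example"}

# Stock awkward phrasings seen in classic phish (constructed, not an exhaustive list).
GRAMMAR_ODDITIES = [
    r"\brecommend you to\b",
    r"\bdue to technical update\b",
    r"\bkindly\b",
]


def phishing_indicators(raw: str, my_institutions=MY_INSTITUTIONS) -> list[str]:
    """Return a list of human-readable indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = []

    # 1. Display name claims to be a bank, but the sender domain is not one of mine.
    if re.search(r"\bbank\b", display, re.I) and domain not in my_institutions:
        hits.append(f"claims to be a bank but sender domain {domain!r} is not one of mine")

    # 2. Subject line is entirely lower-case, unlike a real corporate alert.
    words = subject.split()
    if words and all(w.islower() for w in words):
        hits.append("subject is entirely lower-case")

    # 3. Awkward phrasing that a copy-edited corporate mail would not contain.
    for pat in GRAMMAR_ODDITIES:
        if re.search(pat, body, re.I):
            hits.append(f"awkward phrasing: {pat}")

    # 4. The classic lure: a request to reactivate, verify or confirm the account.
    if re.search(r"\b(reactivate|verify|confirm) your account\b", body, re.I):
        hits.append("asks recipient to act on their account")

    return hits


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", phishing_indicators(raw) or "no indicators")
```

Each indicator on its own is weak (plenty of legitimate mail is sloppily written), so in practice they feed a score alongside sender-authentication results rather than blocking outright; the point of the example is that the cues the post lists by eye are mechanically checkable.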