Phishing Is the Internet’s Most Successful Con


Tricking people out of sensitive information online is far too easy.

In the classic 1973 heist movie The Sting, two con men—played by Robert Redford and Paul Newman—build a fictitious world in a Depression-era Chicago basement to defraud a corrupt banker. They make an offtrack-betting room, hire actors to ensure the scene is convincing, and even enlist pretend law enforcement to fake-bust their mark. The film is memorable because it is one of the finest movies in the genre, well written and funny, but also because the duo’s work is so meticulously detailed.

The con has changed since then, both short and long. In this age, the online equivalent of The Sting is a phishing site: a fake reality that lives online, set up to capture precious information such as logins and passwords, bank-account numbers, and the other functional secrets of modern life. You don’t get to see these spaces being built, but—like The Sting’s betting room—they can be perfect in every detail. Or they can be thrown together at the last minute like a clapboard set.

This might be the best way to think about phishing: a set built for you, to trick information out of you; built either by con men or, in the case of the recent spear-phishing attack caught and shut down by Microsoft, by spies and agents working for (or with) interfering governments, which seems a bit more sinister than Paul Newman with a jaunty smile and a straw hat.

But perhaps it should not seem so sinister, because phishing is profoundly easy to do. So easy, and comparatively cheap, that any country that isn’t using it as part of its espionage strategy should probably fire its intelligence agency.

Computer security often focuses on malware: software that attacks faults in your computer to take control of it and give that control to someone else. Malware is often sophisticated software that can quietly take over a computer without being detected—from there, it can do anything, from copying every keystroke you type, to watching every page you open, to turning your camera and microphone on and recording you, to encrypting your hard drive and ransoming your computer’s contents back to you. But novel malware is difficult to write, and can take many paid hours for some of the most talented programmers, in addition to finding or buying a security flaw that allows you to get your malware onto someone’s computer undetected. It’s painfully expensive, and often ends up leaving a trail back to the authors.

Phishing doesn’t attack computers. It attacks the people using computers.

Setting up a phishing website is something a summer intern can do in a couple of weeks, and it works. If you were to try to create a phishing version of this article, you could start by saving the complete webpage from your browser—that would get you the picture, text, and code that makes the page you’re reading now. If this article contained an account login, you could put it on a server you control, and maybe register another domain, something like http://tehatlantic.com. If you enticed someone to try to use their TheAtlantic.com username and password on tehatlantic.com, you would then have that information.

This kind of phishing started out mainly as a money-stealing scheme, delivered en masse. “Phishing has changed a lot. A decade or so ago it was a mass phenomenon of people looking for passwords to bank accounts, PayPal, eBay … anything they thought would be easily monetizable,” says Cormac Herley, a principal researcher at Microsoft Research. “I think that threat has largely been beaten back: Spam filters have become better at detecting it, browsers have warning mechanisms built in, banks have become good at detecting fraud.”

But that’s the untargeted stuff. Enticing someone to click on a phishing link, in an email or elsewhere, is where a targeted attack, also known as spear-phishing, comes in: learning about someone’s life and habits to know just what email would get them unthinkingly to click. A reality built for one person, or one cohort of people. The con is on, the set is built, and the actors are hired to make the sting, all from a web browser.

In early 2016 a phishing email requesting an urgent payment as part of what’s known as a “fake president” scam landed on the Austrian aviation-parts maker FACC’s email servers. The “fake president” is generally an urgent message from an authority figure that needs Accounts Payable to send money to a foreign account at once. In the case of FACC, a dubious wire transfer followed the email, and the company lost more than 40 million euros and fired its CEO.

John Podesta, the chairman of the Hillary Clinton campaign, was famously spear-phished in 2016 by an email saying someone in Ukraine was attempting to log into his Gmail account. When he clicked the link and entered his username and password (instead of using the Google domain passed along by his own help-desk person), his account was actually captured. His emails, along with Democratic National Committee emails harvested the same way, were later leaked online, creating chaos in the run-up to the 2016 election. Most recently, Microsoft found and shut down six domains it believed were created by a group known as the Main Intelligence Directorate of the Russian army, or GRU, targeting conservative think tanks (the International Republican Institute and the Hudson Institute) and the U.S. Senate. It’s not clear what exactly these phishing sites looked like, or how they worked. As far as Microsoft knows, no one was compromised by these sites, but it also doesn’t know how many more are out there, waiting for just the right spear-phishing email or bogus phone call to get someone to click the link.

“The phishing that persists as a real problem today is the spear-phishing for … credentials,” Herley says. He has studied the economics of phishing as well as the efficacy of security advice. “This is still a very successful vector in getting a toehold on enterprise networks. It’s low volume, so it’s much harder to detect.” In the case of political and industrial espionage, each potential victim is worth researching and getting to know—building just the right room for their own personal sting.

Phishing and malware aren’t exclusive options. Blending phishing with malware can be the most potent approach, usually in the form of a well-crafted email with an important, often urgent, document attached. But it’s not a document, or not just a document. It’s malware, and when you click on that attachment you’re telling your computer that you want to install the software, which you don’t know is software. The computer obeys you, and in doing so, invisibly hands itself over to the person who sent you the software. This approach uses you to get to your computer. It’s been used against journalists and activists all over the world, and probably a lot of other people, but it’s the journalists and activists we hear about.

More frightening is the fact that, most of the time, a decent fake website gets an attacker whatever they need without expensive and detectable malware. You just followed a link, put in your username and password, and maybe the page showed an error with a link that goes to the real site. Just one of those hiccups on the net that we see and forget moments later. This can be overwhelming to think about. Someone, you might reasonably say, should fix this, and by someone you mean tech companies.

The most Microsoft, Google, or any of the tech companies can do with their technology is try to detect malware and phishing sites, and stop them from talking to the internet—blocking up the door to the offtrack-betting basement. This is called “blackholing.” But because spinning up a hundred basements on the internet isn’t much harder than spinning up one, leaving it to tech companies won’t work. The victims are the weakest link in phishing, and the tech companies can’t put out reliable updates to change or prevent user behavior.

“We do invest a lot in technical fixes like better threat detection, better protection of networks, efforts like AccountGuard and Defending Democracy, and encouraging two-factor authentication for high-value accounts,” Herley says. “But there’s also an education component; we’d love protection to have zero asks of the user, but that’s not always possible.”

AccountGuard and Defending Democracy are offerings from Microsoft aimed at its most vulnerable (and political) clients, but even then, most of the offerings consist of recommendations, best practices, webinars, and notifications: attempts to patch the human.

Many security-professional and media recommendations exhort eternal vigilance, paying attention to every detail. This is terrible advice. I’m a professional with years of experience in this space and I don’t bother to inspect my emails or carefully read all my URLs: I have things to do. As a strategy for the constant level of attacks in modern email, this approach has failed, even in dealing with the amateurish mass-phishing attacks we’ve seen over the past 10 years.

Spear-phishing, especially political spear-phishing, is even harder to catch with vigilance. Inconsistent security advice has made the disaster worse: ideas that are hard to implement, don’t make sense, and don’t work, yet that security and IT departments yell at people with all the fury of revivalist preachers. It’s exhausting.

Developing a few good habits based on how the computer you’re using actually works is relatively easy and more effective than paranoia. Turn on two-factor authentication wherever the sites you use offer it. This includes things such as RSA tokens, Yubikeys, Google Authenticator, and SMS verification codes, which add something needed to log in beyond a username and a password, so that if your username and password are stolen or leaked, attackers still can’t take over your accounts. Apply software updates. Or, better yet, Herley suggests letting your computer do it for you. “I’d say use automatic updates … We invest heavily in [fixes] as soon as we figure out things are wrong. You want all that goodness working for you.”

Set up regular backups that require minimal effort from you. “You don’t have to worry as much about ransomware [or theft, or disk crashes] … if you know you can always get your stuff back,” Herley says. Use long, complex, and unique passwords, but make it easy on yourself. “Write them down or use a password manager,” Herley says.

I’d strongly recommend the password manager, but not directly for security purposes. Password managers are easy and will autofill your password on sites you’ve used before—even less effort. There’s most likely one built into the browser or operating system you’re using now, but if you want to get fancy, you can use an online password-management system that syncs between devices. Don’t reuse passwords, and go ahead and change your password on the sites where you know you’ve reused passwords. This is an hour or two of pain, but only one time. You are not likely to leak your password onto the internet, but a site you use almost certainly will at some point. You can also sign up at Have I Been Pwned to find out which of your passwords have already leaked onto the internet.

Don’t follow links you get sent to sites on which you have an account—you have your own bookmarks and browser history, which already go to the right site for sure. If you get an email from your bank or, say, think-tank employer, log in on your web browser. You’re going to have to do that anyway, so you might as well follow your own link. One habit that would take some work to change but does the most to secure you from malware is not opening email attachments on your own computer. Have people put files in a file-locker site, something like Dropbox, and open documents in a remote service like Google Docs. Make it someone else’s IT department’s problem.
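The bookmarks habit above, and the tehatlantic.com lookalike from earlier in the piece, written as a link check: this is an added example, not code from the article or from Microsoft, and the trusted list and sample links are constructed. It goes one step beyond the article by also flagging a trusted name buried inside someone else’s domain.

```python
"""Added example (not from the article): the "use your own bookmarks" habit as
a link check. A URL is trusted only when its host is one of the user's known
domains or a real subdomain of one; anything else is reported, and names that
merely resemble a trusted domain, such as the article's tehatlantic.com, are
flagged as lookalikes. TRUSTED_DOMAINS and SAMPLE_LINKS are constructed."""
from urllib.parse import urlsplit

# Registrable domains the user actually has accounts on (constructed list).
TRUSTED_DOMAINS = ("theatlantic.com", "google.com", "mybank.example")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus an
    adjacent transposition, so 'teh' is 1 step from 'the', not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels. Simplification:
    production code would consult the public suffix list (co.uk and friends)."""
    return ".".join(host.split(".")[-2:])


def classify(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'untrusted'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "untrusted"
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted"  # the real site or one of its subdomains
    own = registrable(host).split(".")[0]
    for t in trusted:
        # A trusted name buried inside someone else's domain
        # (theatlantic.com.evil.example), or one edit/transposition away.
        if t in host or osa_distance(own, t.split(".")[0]) <= 1:
            return f"lookalike:{t}"
    return "untrusted"


def triage(urls, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify every link pulled out of a message."""
    return {u: classify(u, trusted) for u in urls}


SAMPLE_LINKS = (  # constructed, modelled on the article's examples
    "https://www.theatlantic.com/technology/",
    "http://tehatlantic.com/login",
    "https://accounts.google.com.account-check.example/signin",
    "https://mybnak.example/wire-transfer",
    "https://example.org/",
)

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:24} {url}")
```

Anything not reported as trusted is a link to open from your own bookmark instead, which is exactly the habit the article recommends.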

Don’t try to be perfect. Just try to be expensive for the con artist. Make them work hard enough, and you’re not worth the bother. Right now, most computer users, whether they are political consultants, CEOs, scientists, or researchers, aren’t very hard to con.

Understanding all of this, the news of phishing campaigns takes on a different tone. Rather than asking why there are groups linked to Russia phishing our politics, the question is: Why aren’t more governments phishing U.S. companies and agencies? Perhaps they are, and we just don’t notice. Whatever the reason, people need to talk about phishing, as much as they need to update their software. Because striving to understand complex phenomena is how humans are updated over time, and it’s how we make it as expensive and difficult to hack humans as it is to hack computers.
