January 27, 2006
The Future of Effective Phishing
It happens every six months or so: I get an email, a piece of spam, or more accurately a phishing email. Well, actually I get those every day, usually purporting to be from eBay or PayPal (which of course are one and the same as a corporate entity). What I get every six months is a phishing email that makes me stop and think, that I almost click on. The latest was a nearly flawless reproduction of an eBay request for more info on a bid item. If my last active auction had been something a bit less than six months ago, I may well have clicked. Instead I started to wonder, how good will these things get?
The first phishing email I ever saw was pitiful; it claimed to be from Citibank, but was written in a language more akin to h4×0r with all the poetics stripped out. Of course the phishers quickly learned that Citibank uses a particular form of highly proofread English, and adapted rather quickly. It was maybe six months later that I became aware that phishing might actually work. I logged into my Citibank account and noticed a message warning customers about phishing scams. What was striking about it was not the warning, but the casual tone with which Citibank included the word "phishing" in its highly proofread English. The word was getting tossed around as if they assumed their customers knew what it meant, yet at the time I barely recognized it, and I would hazard to guess I'm far more internet-culture literate than the vast majority of Citibank customers. Clearly phishing was something the bankers were talking about, and talking about a lot. Right around this time they also changed their inter-account transfer feature, sealing up a particularly phishing-friendly way to move money out of their system and, it seems, directing the phishers on towards eBay and beyond.
What happens when phishing meets social networks? The past four or five years or so have led an entire generation, one that includes me, to leave a vast data trail across the internet. Information about who is friends with whom, information on what you are interested in, what books you've read, even information on how you write and how you converse in text. Let's leave aside everything that the merchants and search engines have collected, 'cause that's a whole other story. Just the information that's public or semi-public is more than enough to weave a nasty phishing tale. For instance, I just told the world where I bank, and this site is riddled with facts that occasionally come up in conversations with acquaintances. Facts that I find slightly startling they know, despite having knowingly published them myself.
If you get an email from a friend, in their writing style, containing accurate info about yourself, is that an email you can trust? I no longer trust any email claiming to come from any institution that has its fingers in my money somehow. I click on the legitimate ones with extreme caution, checking the links, viewing the source. Often I don't click at all; I go to their front pages and log in manually. What happens when email is no longer trusted at all? Is effective phishing what it will take to finally have a popular secure email (call it smail or semail) format take off? Or can the phish be driven to extinction?
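The "checking the links, viewing the source" habit above, written out as an added example (not the post's own code): a small Python script that pulls every link out of an HTML mail body and flags those whose real destination is outside the institution's domain, or whose visible text names a different host than the href actually goes to. The sample message, its hostnames and the `ebay.com` trusted domain are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): visible link text and real href disagree.
SAMPLE_EMAIL = """<p>Please review your item at
<a href="http://signin-ebay.example.net/ws/eBayISAPI.dll">https://signin.ebay.com/ws/eBayISAPI.dll</a>
or visit our <a href="https://www.ebay.com/help">help pages</a>.</p>"""

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased host of a URL-ish string, or None if it is not a URL."""
    if value.startswith("www."):
        value = "http://" + value
    if not value.startswith(("http://", "https://")):
        return None
    return (urlparse(value).hostname or "").lower() or None

def find_suspicious_links(html, trusted_domain):
    """Flag links leaving trusted_domain and links whose text shows another host."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real, shown = host_of(href), host_of(text)
        reasons = []
        if real is None or not (real == trusted_domain or real.endswith("." + trusted_domain)):
            reasons.append("link goes to %r, outside %s" % (real, trusted_domain))
        if shown is not None and shown != real:
            reasons.append("text shows %r but link goes to %r" % (shown, real))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_EMAIL, "ebay.com"):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

A link that passes both checks can still be hostile (the trusted site could be redirecting, or the sender's whole domain could be a lookalike), which is why the post's fallback of typing the front page by hand remains the stronger habit.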
Posted by Abe at January 27, 2006 02:01 PM