Microsoft study debunks phishing profitability

TOPICS: Security

Do phishers actually make money, or is phishing an unprofitable business that scammers sink time and resources into? Taking an economic approach to estimating how much money phishers make, a recently released study by Microsoft researchers Cormac Herley and Dinei Florencio, "A Profitless Endeavor: Phishing as Tragedy of the Commons", states that phishing isn't as profitable as originally thought.

Citing the article "Tragedy of the Commons", published in 1968, the researchers argue that because so many phishers operate on the same scam scene, they earn less than they could possibly do. Moreover, according to the research, the enormous volume of phishing emails is in fact an indication of the failure of phishing. Naturally, there are many more factors to consider; in particular, are phishers in fact profit-maximizing machines, or are they willing to sacrifice potential profit for the sake of their own security? Is it all about making big money, or about breaking even in general?

"However, as we will show, the economics of phishing are far far worse than this. Rather than sharing a fixed pool of dollars phishing is subject to the tragedy of the commons; i.e. the pool of dollars shrinks as a result of the efforts of the phishers. A community (all phishers) share a finite resource (the pool of phishable dollars) that has limited ability to regenerate (dollars once phished are not available to other phishers). The tragedy of the commons is that the rational course of action for each individual (phisher) leads to over-exploitation and degradation of the resource (the phishable dollars)."

Using the Tragedy of the Commons analogy in this case makes it sound as if every phished person's disposable income, to which phishers would eventually gain access, is universally the same. Logically, that's not the case, since a single phished person could prove a more profitable catch for a phisher than a hundred phished people, and the number of potentially phishable people keeps increasing as more people go online.

Moreover, phishers, who are perhaps not so economic-model-minded, are constantly looking for ways to achieve better efficiency, lower costs, and ways to eat other phishers' lunch by scamming their fellow colleagues. For instance, related research published in August 2008 found evidence that phishers are in fact backdooring phishing pages and then distributing them for free so that other phishers do the scam for them. The same backdooring process, even though not properly analyzed in a study, continues to take place at a more advanced and far more profitable level: backdooring web malware exploitation kits and botnet command and control interfaces. Therefore, of a hundred actively participating phishers, eighty could easily be phishing for the other twenty.

There are even more variables to consider. Take internal competition among different phishers. Just because a phisher has sent a million phishing emails pretending to be from a leading German bank to a million Chinese users, perhaps not knowing that the spamming database he's using belongs to Chinese citizens, doesn't mean that the outcome of his campaign would be similar to that of a fellow phisher who has taken basic localization and targeting steps into account. With localization of cybercrime taking place as of early 2008, outsourcing the translation of a particular phishing campaign/email is opening up an entirely new space for phishers to more effectively target potential victims. The bottom line is that the second phisher has a higher chance of success even though both are attempting to phish the same Chinese users, since he'd be impersonating a local bank and his phishing creatives would be written in the victims' native language.

This is where efficiency and scalability come into play, a situation pretty similar to that of spam. As long as even a small number of the recipients of a million phishing emails become victims, the phishers break even and thus continue expanding the number of emails sent. This shouldn't be taken as a failure of phishing in general; instead, it should be considered a campaign optimization practice attempting to achieve better results by targeting a larger population.

Quality assurance is yet another factor distinguishing the sophisticated phisher from the novice, who will never get close to the market share the sophisticated one is aiming at. Just because all phishers have access to the same quality fakes of legitimate banks, and to DIY phishing tools that help them redirect account data to a single domain, doesn't mean that all of them will make the same impact. The experienced ones achieve a higher average online time for their phishing domains, and apply better targeting and localization tactics, because spammers, phishers and malware authors are consolidating and vertically integrating to cut costs and achieve scalability. Phishing may be described as a low-skill, low-reward job in the study, but just like in every cybercrime practice, the "knowledge workers" in the phishing ecosystem are the ones getting most of the financial rewards, with the rest basically generating noise and in fact often getting busted due to their inexperience, acting as a human shield for the sophisticated phishers.

There's another issue to consider: how much money is a phisher actually looking to make out of his phishing campaigns, and is there in fact a maximum or a minimum to his ambitions? Even once access to someone's account is obtained, is the phisher actually able to withdraw the money from the account, or is he going to make money by selling access to the phished account to someone who can, thus monetizing the account data instead of using it? Evidence gathered on this practice clearly indicates that novice phishers may in fact never obtain any of the money they have access to, but instead make money by selling access to a particular account to those who can cash it out.

Phishers may not be making the money they used to a couple of years ago, but then again phishing has long stopped being an exclusive cybercrime practice; it's turned into a cybercrime practice "in between", with phishers breaking even given the falling costs and entry barriers into the phishing space in general. And as long as they break even, millions of phishing emails will continue circulating, again "in between" the rest of their malicious activities.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • Two points

    1. Phishing may or may not be profitable, but the victim loses nonetheless.

    2. One of the functions of organized crime is to reduce/eliminate competition in illegal enterprises in order to maximize profit.

    Ergo, if there is too much competition now, then it's only a matter of time before someone with the organization and firepower comes in and tries to impose order.
    John L. Ries
  • This seems more like damage control by microsoft

    to squash the widely held opinion that their OSs are full of holes, allowing phishers easy access to Microsoft's customers' PCs.

    As for the phishing...
    Maybe their swamps are drying up. Who can say for certain?

    It's not costing spammers and phishers much, compared to sticking postage stamps on real mail, then having to go down the street to post it. Zero inconvenience.
    • Ummm...

      Phishing exploits the user, not an OS or any software; it is independent of the platform the user has.

      The whole paper is about economics not security or even related to windows. In fact Windows only appears once under "5.2.1 Password Re-Use Study [10]" as "...Windows Live Toolbar."
    • Damage Control?

      Microsoft does a lot of "general" research. Why do they have to do any damage control? Phishing doesn't exploit anything having to do with the platform or software.

      If someone replies to an email asking for their bank account information, it doesn't really matter if they're on Windows, Mac, or Linux.
    • is it really eluding you that scammers use blended attacks?

      It may be an old story but it's still relevant today.

      Which OS allows most of these exploits to succeed?
      How many online banking website insist on IE?
      • So an article from 2004 is relevant to a 2008 white paper on economics? NT

        • An irrelevant white paper that cannot be verified conclusively (nt)

    • Irrelevant and misinformed commentary.

      Phishing, as you obviously do not understand, is a socially engineered attack, making the OS involved usually irrelevant. It's a tactic of breaking security at the end user point, making the interface a non-issue when it works.

      Secondly, the article seems to be doing a dance around the point that the MS research is asserting. The MS article is making a point something akin to pointing out that investing your time and money into purchasing lottery tickets is not a very good way to go about earning a living, and similarly phishing is an all too similar effort. And that is correct.

      The lottery analogy has some good comparisons to look at. Many top lotteries today have an almost limitless number of tickets that can be sold and conversely there are only a limited number of winning numbers that will be drawn and hence; the more tickets sold, the less potential there is to win. Likewise with email phishing.

      Sure, as with lotteries phishing will have its winners, they do exist no doubt. On the other hand, what the MS research appears to be indicating is that the phishers are generally living in dreamland like many lottery players are, particularly those lottery players who put a disproportionate amount of money and time into trying to win.

      So let go of the Microsoft/damage control theory. It does not apply and it seems to me that the research is largely correct.
  • It's probably more like mini-lotteries.

    Taken on average, it may be valid, however, nothing ever works that way with some phishers making a killing on the "lottery", keeping the entire crop hoping for the big one.

  • Tell all this to the scam victims

    After all attempts to counter phishing, it is only natural for MS to try to downplay the impact of phishing.
    Whatever economic analysis any professor conjures up - it will not stop the thousands of phishers out there. And even without the success analysis by Danchev, thousands upon thousands of newbie phishers will pour funds into phishing scams with limited success.

    At the end of the day, the scam victims will never be consoled by the fact that their friendly scammer lost money on the entire scam.

    Spirovski Bozidar
    • Where did Microsoft downplay?

      Maybe if you read the paper, it is about profitability of phishing nothing about it says phishing is not a serious problem.
  • It depends how good you are

    I give little credence to reports like this as they are often wildly inaccurate. There are people who are going to be very good at it and those who are not otherwise it would disappear as a problem as it would be uneconomical for criminals and they would move on to the next scam. Car theft isn't particularly profitable if you can't sell the car or keep getting caught but some people make serious money.

    It's called phishing for a very good reason, it's just like fishing (my hobby). Two guys can be sat on a river bank and one gets a trawler load and the other gets squat, it depends on your casting spot, patience and bait ;)
    Alan Smithie
  • Who cares if they make money...

    The question is not them not making money. That would be a question to ask if we wanted to invest on them.

    The real question is how many people are losing money to phishing scams.

    That the scammers are not making money is fat consolation for the scammed.

    What's next? A study asking if the phishers eat bread?
  • RE: Microsoft study debunks phishing profitability

    "they earn less than the could possibly do."

    WTF does this even mean? Speakee Engrish?
  • RE: Microsoft study debunks phishing profitability

    [oops duplicate]
  • RE: Microsoft study debunks phishing profitability

    I think the research is a good reference and teaching tool. The more we can understand who's behind phishing scams, the less they are a "Boogey-man" to our users. This would be a great help when educating users so that they don't become victims. After all, the fewer victims there are, the less phishing we'll see.

    Besides Microsoft cares about your money. They hate all this competition!
    Ben Step
  • RE: Microsoft study debunks phishing profitability

    'Tragedy of the Commons' is an Economics 101 concept, and makes for a great teaching tool for economics, history, and sociology students.

    But, using this as an 'economic model' for the phishing 'industry' doesn't make sense, except insofar as it makes for a fun intellectual exercise in microeconomic theory.

    A better model to analyze the phishing industry's potential profitability would be to compare it with the televangelism industry. Although the 'charismatic' personalities are missing, the pool of dollars (potential revenue) from gullible suckers (oops, 'customers') seems to be endless. PT Barnum said it best, "There's a sucker born every minute", and obviously people are still falling for the scams.
  • RE: Microsoft study debunks phishing profitability

    This nonsense makes me angry! They did a study saying spam was way down (the CAN-SPAM act was a success) and that the internet was porn free (well, less than 1%). What NONSENSE! What planet do these people live on?
  • RE: Microsoft study debunks phishing profitability

    Great!!! thanks for sharing this information to us !
  • RE: Microsoft study debunks phishing profitability

    I said yes, but anyway
    don't say it's right
    I said okay