Your independent source for Harvard news since 1898

Phishing for Trust Online

September-October 2009

Tyler Moore, left, with Allan Friedman, a postdoctoral fellow at the Center for Research on Computation and Society

Tyler Moore, left, with Allan Friedman, a postdoctoral fellow at the Center for Research on Computation and Society

Photograph by Jim Harrison

There is one kind of privacy attack that neither complexity of encryption nor any locked door can defeat. When people visit a webpage they recognize and trust, they give away their keys. “Phishing” involves duping people into entering their personal banking or other financial login credentials on a fake webpage, usually one to which they have been directed by an official-looking spam e-mail with an embedded link. Tyler Moore, a postdoctoral fellow at Harvard’s Center for Research on Computation and Society, studies this kind of Internet crime. Recently he has been analyzing the workings of an organized criminal group called the Rock Phish gang. The group disappeared nine months ago, but until then had been responsible for about half the spam sent as “phishing” attacks worldwide. (Worldwide losses to phishing are estimated at just under half a billion dollars per year.) Once usernames and passwords are captured and forwarded, usually to a Web-based e-mail account, criminals access the login information and transfer money from the victim’s account.

To set up a phishing scam, explains Moore, an attacker often uses an Internet search to identify websites running vulnerable server software. (Lots of software has these weaknesses, he says; chat sites are a favorite target.) Then the attacker uploads a phishing webpage—mimicking a page from the Bank of America, for example—onto the compromised site and sends out spam with a link to the fake page. 

Four or five years ago, e-mail spam used to be sent out by spammers themselves on their own computers. Almost no spam is sent that way anymore because Internet service providers (ISPs such as Comcast, AOL, and AT&T) realized they could just start blocking the computers that were sending out the spam. Today, almost all spam is sent by “botnets,” loose networks of computers whose systems have been taken over without their owners’ knowledge. At any given moment, says Moore, the number of computers secretly recruited into botnets is estimated in the millions to low tens of millions. This makes it very difficult for ISPs to block the spam, because the spammers can send e-mail from any one of hundreds of thousands of computers. Nor do the ISPs have strong incentives to identify and control such abuse. Moore was recently asked by ENISA, the European Union’s network and information security agency, about the economic challenges to improving network security. One of his team’s key points was that the people in the best position to clean up the Internet don’t have the right incentives to do so. They are not the victims of these scams; it is the banks and individuals who are vulnerable.

Criminals soon realized that botnets could be used for all kinds of purposes besides sending spam. One type uses previously compromised computers solely to test every address on the Internet, seeking more computers to compromise. Attackers thus build on existing botnets by finding computers running outdated versions of software with known vulnerabilities, such as the first version of Windows XP. Such a machine will on average be discovered and exploited in less than four minutes, with its owner likely none the wiser. The rapidity of such takeovers is one measure of how much computing power criminals already have at their disposal. But Moore says botnets have given criminals something at least as valuable: anonymity.

The Rock Phish gang used a “fast-flux” attack to preserve their anonymity. The group would register a domain name from which the phishing page would be served:, for example. But every time a visitor loaded the page, the domain-name server (which is supposed to give the IP address of the computer where the webpage is hosted) would return the IP address of a different computer in the gang’s botnet through which the real page was being routed—hence the name “fast-flux.” This “hall of mirrors” strategy makes finding the true source of the page, in order to shut it down or remove it, extremely difficult.

Once an attacker has login credentials in hand, he uses them to transfer funds to an account owned by a so-called “money mule.” The mules often end up the real victims of these scams. Frequently recruited by advertisements touting the opportunity to work at home, money mules agree to allow fund transfers into their own bank accounts in exchange for a 10 percent cut. They then send the bulk of the cash on to the attackers via Western Union, a non-revocable transaction. When the initial victims of the scam and the banks discover what has happened, fraud laws typically protect them and the owner of the account that has been phished—but the money mules remain liable for the full amount of the loss.

Financial institutions have responded by hiring “takedown companies” whose sole job is to identify and remove phishing pages. Though such companies typically can remove a phishing page in 24 hours once they learn about it, says Moore, many phishing pages are never discovered. Recently, he and some colleagues persuaded two of the larger takedown companies, each with about 50 to 100 banks as clients, to share their lists of known phishing pages with him. “Between these two companies’ view of all phishing webpages, there were very large gaps in coverage,” he says. “More than a third of all pages impersonating banks are not known by the takedown company that has the contract [to protect those banks].”

Moore has tried unsuccessfully to persuade takedown companies to share information, just as antivirus companies do. The cost of non-cooperation is high, he and his colleagues have found. Analysis of Web statistics for phishing pages indicates that each site typically fools 20 victims per day until the website is removed. “The fact that there are phishing sites that the takedown company doesn’t know about significantly extends” the lifetimes of those sites, he says. “If we add it all up, it essentially accounts for more than half of all the time phishing sites are around.” If there were global cooperation, Moore says the aggregate lifetimes of phishing websites would be cut in half, and about half as many bank accounts would be compromised.

Ironically, the attackers are much better at cooperating than the defenders, Moore reports: “This whole process of compromising websites, loading phishing pages, sending out spam to advertise it, and hiring mules to transfer the money out is often separated and carried out by different groups. You have criminals who specialize in sending spam, others who specialize in compromising websites, people who distribute ready-made phishing kits with pages that can be loaded onto a site, and people who hire the money mules, called cashiers. So you have this underground economy which has proliferated with specialization and all kinds of transactions throughout the process.”

As people have learned not to trust e-mail, phishing scams have migrated to places where levels of trust remain high: social networks such as Facebook. A common scam involves phishing a person’s Facebook login credentials, and then using them to send a distress e-mail to friends, urgently asking for money. Often the appeal says the person is traveling abroad and needs help to get home. The impersonator sometimes even holds an online conversation with friends. “It is quite lucrative for the bad guys, these social-engineering kinds of cons,” says Moore. “Even my mom knows about spam. But suppose my mother joined Facebook. She won’t necessarily understand that a message coming from my brother may not actually come from my brother. We are much more inclined to pay attention to things purporting to come from people whom we trust, so I expect to see a lot more attention focused in this area.”

The loss of trust online, Moore emphasizes, may in the long run be more important than direct losses to phishing scams. “I think if we don’t have trust and are second-guessing every transaction we do, this is definitely going to inhibit online commerce; it is going to inhibit the productive use of the Internet by society,” he says. “From both an economic and policy perspective, I think it is quite important that we get a grip on Internet security.”