Phishing Doesn't Pay, Microsoft Finds

Phishing doesn't pay very well and tends to attract low-skill hackers who themselves become victims.

So say two Microsoft researchers, Cormac Herley and Dinei Florencio, in their recently published paper, "A Profitless Endeavor: Phishing As Tragedy Of The Commons."

"Far from being an easy money proposition we claim that phishing is a low-skill, low-reward business, where the average phisher makes about as much as if he did something legal with his time," the paper says.

Part of the blame for this sorry state of affairs can be laid at the feet of exaggerated phishing loss estimates. "We estimate that recent public estimates overstate phishing losses by as much as a factor of 50," the paper explains.

Who might be to blame for such inflation? Try the media, which finds big dangers more compelling than little ones, and the security industry, which can't sell goods or services in the absence of a clear and present danger.

Lured by bad math and get-rich-quick pipe dreams into a life of cybercrime, those phishing for dollars confront a problem not unlike that faced by traditional anglers: too few fish in the sea. The result is what's known as the tragedy of the commons, wherein a limited resource becomes depleted when self-interest supersedes group interest.

"The easier phishing gets, the worse the economic picture for phishers," the paper says. "As phishers put more and more effort into the endeavor the total revenue falls rather than rises." Based on that finding, Herley and Florencio conclude that increased phishing volume indicates a decrease in total revenue, as phishers compete to capture the limited pool of phishing money.

Phishing appears to operate like every gold rush: The ones making money are the ones selling tools to starry-eyed prospectors, or servers to Web 2.0 startups.

As the paper's authors put it, "Indeed, one explanation of the thriving trade in phishing-related services ... is that phishers with more experience prey upon those with less. That is, those who have tried phishing and found it unprofitable or marginally profitable find it better to sell services to those who haven't reached that conclusion yet."

This supposition is supported by a paper presented last year at the Usenix Conference, "There Is No Free Phish: An Analysis Of 'Free' And Live Phishing Kits." It found that the big phishers -- the authors of phishing kits -- preyed on the little phishers who used their phishing kits.