August 03, 2005

The Phishing Borg - now absorbing IM, spam, viruses, lawyers, courts and you

A dramatic increase in threats to IM (instant messaging or chat): the IMLogic Threat Center reports a 28-fold increase over the last year.

Right on cue. Meanwhile, two new tools to download for your browser show that independent researchers at Stanford know where to put the protection: SpoofGuard detects and warns against phishing, and PwdHash augments the password calculation so that each transmitted password is site-dependent.
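To make the PwdHash idea concrete, here is an added illustration (not the PwdHash extension's own code, which uses HMAC-MD5 and its own output encoding): the browser keys an HMAC on the master password and hashes the site's domain, so the value a lookalike phishing site receives is useless on the real site. The URLs, master password and the "last two labels" domain rule are assumptions for the demo.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse


def site_key(url: str) -> str:
    """Reduce a URL to the domain the derived password is bound to.

    Assumption: the last two hostname labels identify the site
    (examplebank.com). A production tool would consult the public
    suffix list so that a name like bank.co.uk is handled correctly.
    """
    host = urlparse(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def site_password(master: str, url: str, length: int = 16) -> str:
    """Derive the per-site password that is actually transmitted.

    The master password is the HMAC key, the site domain is the message,
    so the master never leaves the browser and two domains never share
    a transmitted password.
    """
    domain = site_key(url)
    digest = hmac.new(master.encode("utf-8"), domain.encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


def phishing_demo(master: str = "correct horse battery") -> dict:
    """Constructed URLs: the real bank, a second page on the same site,
    and a lookalike phishing domain that mimics the bank's name."""
    return {
        "real": site_password(master, "https://www.examplebank.com/login"),
        "same_site": site_password(master, "https://online.examplebank.com/auth"),
        "lookalike": site_password(master, "https://examplebank-secure.com/login"),
    }


if __name__ == "__main__":
    for name, pw in phishing_demo().items():
        print(f"{name:10s} {pw}")
```

The "real" and "same_site" values match while "lookalike" differs, which is the whole point: the phisher captures a credential that only works on their own domain.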

Good stuff, guys! We need to induct you into the anti-fraud coffee room before you get swallowed up by the anti-borg of secret committees in smoke-filled rooms.

And Korea is looking to legalise class-action suits in cases where small losses make it uneconomic for victims to punish negligent providers.

Much as I wonder whether class-action suits aren't a net loss to society and shouldn't be treated within the threat model rather than the security model, they do seem to be the only non-technical defence that suppliers will listen to. Such suits, and others by regulators, are filed against data providers (and losers), banks and Microsoft on various causes. Nobody has yet pinned one directly on phishing, but I give it a better-than-evens chance that it will be tried on the banks, and then on the software suppliers.

Although it is hard to decipher, a new report from IBM says that spam is down from 83% of all email to 67% in June. That's the "good news." The bad news is that it's almost certainly because phishing and viruses have skyrocketed even this year, with IBM reporting that phishing has now reached around 20% and viruses around 4% of all email. The article is ridiculously muddled in its use of numbers, but I make that around a 91% garbage rate in email.

This, to my mind, confirms predictions made here that phishing is still the #1 threat to email (by value!), browsing and Internet commerce; viruses are now economically driven by phishing; and email is dying under the one-two punch of spam and phishing.

Are phishing and related fraud becoming the #1 threat to the net, or are they already there?

Will digitally signed email become more popular due to various attacks executed via email?
I still think it's a usability issue, no more.

Not really. The problem is that the use of signed email by itself doesn't help; you have to use the keys intelligently. They already tried this with Yahoo or Microsoft, I forget which, and the spammers were the only ones who bothered. As predicted.

The only way in which you can tell a spammer is if you use your own information to decide that a particular key is recognised or not. This leaves out people who you have never talked to before, so it is only a partial solution.

Also, trying to get email clients to actually use the crypto is well nigh impossible. All clients are currently locked in the "crypto RFC model" mode, which means they do what the original designers thought was best, which is out of date by at least a decade (PGP), more like three decades (PKI). For X.509 it means PKI, which is completely spam-friendly and anti-spam-detection.

S/MIME is unusable, and KMail with GPG is only "slightly usable" because of the number of use cases they have to work through and hack out. This is why there are so many startups trying to do encrypted email.

I totally agree that current solutions for signed email are only marginally usable at best. But signing emails seems to be the only way to whitelist friends.

Distinguishing between never-seen-before people and spam is theoretically impossible, so these emails need to be presented for inspection but marked as potential spam, and deleted after a short time if not explicitly whitelisted after having been read.

