Tricking people out of sensitive information online is far too easy.
In the classic 1973 heist movie The Sting, two con men—played by Robert Redford and Paul Newman—build a fictitious world in a Depression-era Chicago basement to defraud a corrupt banker. They make an offtrack-betting room, hire actors to ensure the scene is convincing, and even enlist pretend law enforcement to fake-bust their mark. The film is memorable because it is one of the finest movies in the genre, well written and funny, but also because the duo’s work is so meticulously detailed.
The con has changed since then, both short and long. In this age, the online equivalent of The Sting is a phishing site: a fake reality that lives online, set up to capture precious information such as logins and passwords, bank-account numbers, and the other functional secrets of modern life. You don’t get to see these spaces being built, but—like The Sting’s betting room—they can be perfect in every detail. Or they can be thrown together at the last minute like a clapboard set.
This might be the best way to think about phishing: a set built for you, to trick information out of you; built either by con men or, in the case of the recent spear-phishing attack caught and shut down by Microsoft, by spies and agents working for (or with) interfering governments, which seems a bit more sinister than Paul Newman with a jaunty smile and a straw hat.
But perhaps it should not seem so sinister, because phishing is profoundly easy to do. So easy, and comparatively cheap, that any country that isn’t using it as part of its espionage strategy should probably fire its intelligence agency.
Computer security often focuses on malware: software that attacks faults in your computer to take control of it and give that control to someone else. Malware is often sophisticated software that can quietly take over a computer without being detected—from there, it can do anything, from copying every keystroke you type, to watching every page you open, to turning your camera and microphone on and recording you, to encrypting your hard drive and ransoming your computer’s contents back to you.
But novel malware is difficult to write, and can take many paid hours for some of the most talented programmers, in addition to finding or buying a security flaw that allows you to get your malware onto someone’s computer undetected. It’s painfully expensive, and often ends up leaving a trail back to the authors.
Phishing doesn’t attack computers. It attacks the people using computers.
Setting up a phishing website is something a summer intern can do in a couple of weeks, and it works. If you were to try to create a phishing version of this article, you could start by saving the complete webpage from your browser—that would get you the picture, text, and code that makes the page you’re reading now. If this article contained an account login, you could put it on a server you control, and maybe register another domain, something like http://tehatlantic.com. If you enticed someone to try to use their TheAtlantic.com username and password on tehatlantic.com, you would then have that information.
This kind of phishing started out mainly as a money-stealing scheme, delivered en masse. “Phishing has changed a lot. A decade or so ago it was a mass phenomenon of people looking for passwords to bank accounts, PayPal, eBay … anything they thought would be easily monetizable,” says Cormac Herley, a principal researcher at Microsoft Research. “I think that threat has largely been beaten back: Spam filters have become better at detecting it, browsers have warning mechanisms built in, banks have become good at detecting fraud.”
But that’s the untargeted stuff. Enticing someone to click on a phishing link, in an email or elsewhere, is where a targeted attack, also known as spear-phishing, comes in: learning about someone’s life and habits to know just what email would get them unthinkingly to click. A reality built for one person, or one cohort of people. The con is on, the set is built, and the actors are hired to make the sting, all from a web browser.