Phishing in early 2002

A short follow-up to my late-2001 phishing post. The category continues to mature; the techniques are stabilising; the response is slowly forming.

What is changing

Three shifts in the early-2002 landscape.

Targeting is more refined. The campaigns I have been tracking now combine demographic data — name, email, partial address, sometimes employment-sector information — to construct messages that look genuinely personalised. The recipients are more likely to actually be customers of the impersonated bank; the response rate is correspondingly higher.

The technical infrastructure has professionalised. Phishing pages are now hosted on professionally managed infrastructure with quick rotation. A page goes up; thousands of emails point to it; within hours the page is taken down, either by upstream pressure or by the operators themselves; a new page goes up. The hosting is effectively run as a service for the campaign operators.

Cross-jurisdictional operation is mature. In the campaigns I have analysed the pattern is typically the same: emails are sent from one jurisdiction, the pages are hosted in a second, the captured data flows to a third, and the financial transactions take place in a fourth. The investigative complexity is substantial.

What is forming defensively

Four responses I have observed.

Industry coordination. The Anti-Phishing Working Group (formed late 2001/early 2002) is a coordinating body for phishing-related response. The organisation collects reports, shares takedown templates, and coordinates with hosting providers. The early operation is rough, but it is the foundation for a better-coordinated response.

Browser-toolbar partnerships. Several banks are partnering with browser vendors to ship toolbars that visibly indicate when the user is on the legitimate site. The indicator is only worth something if it lives in the browser chrome, where page content cannot draw a convincing copy of it, and if the underlying host check cannot be fooled by a bank name embedded somewhere in a hostile URL. The user experience is rough; the technique is in its early stages.

Two-factor authentication, slowly. Some UK banks are starting to roll out token-based or one-time-code two-factor authentication for high-risk operations. The deployment is partial; the cost is non-trivial.

Customer education. All UK banks now have visible anti-phishing customer-education campaigns. The effectiveness is hard to measure; the volume of education is meaningful.
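The browser-toolbar approach rests on a single check: is the page the user is looking at actually served from one of the bank's own hosts? The block below is an added example, not code from the original post nor from any bank or browser vendor; the allowlisted domain names are hypothetical. It demonstrates that check together with the URL tricks a phishing campaign uses to defeat a naive "does the bank's name appear in the URL" test: the bank name as a subdomain of the attacker's host, in the userinfo part before `@`, in the path, in a look-alike (IDN or punycode) label, and a same-name host without TLS.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of the bank's real web hosts. These names are
# placeholders for this added example, not anything from the original post.
LEGITIMATE_DOMAINS = ("bank.example", "secure-bank.example")


def classify_url(url: str, legit_domains=LEGITIMATE_DOMAINS) -> str:
    """Classify the URL a user is visiting, as a toolbar indicator would.

    'legitimate' : https, and the host is an allowlisted domain or a subdomain
                   of one, matched on a label boundary rather than by substring
    'insecure'   : the host belongs to the bank but the page is not served over TLS
    'unknown'    : anything else, including the phishing tricks handled below
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "unknown"

    # "https://www.bank.example@evil.test/" puts the bank's name in the
    # userinfo part; the browser actually connects to evil.test. Reject outright.
    if parts.username is not None or parts.password is not None:
        return "unknown"

    host = parts.hostname  # lower-cased, no port, no userinfo
    if not host:
        return "unknown"

    # A trailing dot ("www.bank.example.") names the same host to DNS.
    host = host.rstrip(".")

    # Non-ASCII or punycode ("xn--") labels are where homoglyph look-alikes
    # hide; an allowlist of ASCII names should treat them as unknown.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "unknown"

    for domain in legit_domains:
        # Exact match or subdomain on a label boundary. A substring test would
        # also accept "www.bank.example.evil.test" and "notbank.example".
        if host == domain or host.endswith("." + domain):
            return "legitimate" if parts.scheme == "https" else "insecure"
    return "unknown"


def classify_many(urls):
    """Return [(url, verdict), ...] for a batch of URLs."""
    return [(u, classify_url(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample URLs illustrating each case.
    samples = [
        "https://www.bank.example/login",
        "HTTPS://WWW.BANK.EXAMPLE./",
        "http://www.bank.example/login",
        "https://www.bank.example.evil.test/login",
        "https://www.bank.example@evil.test/login",
        "https://evil.test/www.bank.example/login",
        "https://notbank.example/",
        "https://xn--bnk-nbd.example/",
    ]
    for url, verdict in classify_many(samples):
        print(f"{verdict:10s} {url}")
```

The design point is the label-boundary comparison: every hostile case above contains the literal string `bank.example`, so any indicator that searches for the bank's name rather than parsing the host and comparing whole labels will light up green on the phishing page.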

What this teaches

The phishing problem is structurally similar to spam but with higher stakes per incident. Defenders have to address it through a combination of technical, behavioural, and organisational responses. No single defence is sufficient.

The response is forming. The trajectory is positive but slow. Phishing volume is going to continue growing in absolute terms while the per-recipient effectiveness slowly decreases.

My calibration

From my 2002 predictions:

Major UK bank takes a serious public hit from phishing. Probability 70%, deadline end of 2002. Status: in progress. Several smaller incidents reported; no major public hit yet. Probably resolves in H2.

Two-factor authentication ships at a major UK bank. Probability 45%, deadline end of 2002. Status: in progress. Limited deployments visible; mainstream rollout uncertain. Probability stays at 45%.

More as the year develops.