In their recent paper “A Profitless Endeavor – Phishing as Tragedy of the Commons” Cormac Herley and Dinei Florencio hypothesize that the Phishing industry is subject to the economic forces common to fisheries and public grazing lands, commonly described in a classic economic construct known as “The Tragedy of the Commons”.
This model, they argue, (and the paper’s title dramatically proclaims) indicates that contrary to conventional wisdom, Phishing is a “low reward activity”, that the explosion in activity is proof that each attack is unprofitable, and that the payoff is so poor that the Phisher might do nearly as well doing something legal with their time. However, these key conclusions suffer from three distinct sets of problems, two factual, one methodological. Their conclusions are drawn into serious question by all of the following:
1. Direct Evidence to the Contrary: First and most importantly, the paper lacks the simplest test for these hypotheses, i.e. asking the banks losing the money how much an attack pays the “Phisher”.
2. They Undercut Their Own Findings: The authors estimate the profit from a typical victim is likely to be roughly $539. Even if this were true, and each attack captured only a single victim, this would weaken their own argument about total losses from Phishing given the documented number of phishing attacks per day.
3. Incorrect Construct: There are a number of flaws in applying the “Tragedy of the Commons” construct to the Phishing industry. The industry’s dynamics actually bear very little resemblance to finite-resource systems like fisheries or public grazing lands. Dramatic structural differences make a fishery a very poor analogy on which to model the Phishing industry.
For an in-depth look at each one of these points please go to http://www.cyveillance.com/web/forms/request.asp?getFile=114 to download the detailed paper.
For the sake of both banks and consumers everywhere, one would wish very much that Herley and Florencio’s conclusions were true. Unfortunately, Cyveillance believes that, when examined in light of the actual dynamics in today’s Phishing industry and when real dollars actually stolen from the banks are tallied, it remains just that – a wish.
In reality, Phishing does pay, it pays handsomely (if not unimaginably) well on a per-hour-of-effort basis, and the very low likelihood of prosecution provides a risk-reward ratio that ensures it will be with us far into the foreseeable future.