Phishing Is the Internet’s Most Successful Con
In the classic 1973 heist movie The Sting, two con men—played by Robert Redford and Paul Newman—build a fictitious world in a Depression-era Chicago basement to defraud a corrupt banker. They make an offtrack-betting room, hire actors to ensure the scene is convincing, and even enlist pretend law enforcement to fake-bust their mark. The film is memorable because it is one of the finest movies in the genre, well written and funny, but also because the duo’s work is so meticulously detailed.
The con has changed since then, both short and long. In this age, the online equivalent of The Sting is a phishing site: a fake reality that lives online, set up to capture precious information such as logins and passwords, bank-account numbers, and the other functional secrets of modern life. You don’t get to see these spaces being built, but—like The Sting’s betting room—they can be perfect in every detail. Or they can be thrown together at the last minute like a clapboard set.
This might be the best way to think about phishing: a set built for you, to trick information out of you; built either by con men or, in the case of the recent spear-phishing attack caught and shut down by Microsoft, by spies and agents working for (or with) interfering governments, which seems a bit more sinister than Paul Newman with a jaunty smile and a straw hat.
But perhaps it should not seem so sinister, because phishing is profoundly easy to do. So easy, and comparatively cheap, that any country that isn’t using it as part of its espionage strategy should probably fire its intelligence agency.
Computer security often focuses on malware: software that attacks faults in your computer to take control of it and give that control to someone else. Malware is often sophisticated software that can quietly take over a computer without being detected—from there, it can do anything, from copying every keystroke you type, to watching every page you open, to turning your camera and microphone on and recording you, to encrypting your hard drive and ransoming your computer’s contents back to you. But novel malware is difficult to write, and can take many paid hours for some of the most talented programmers, in addition to finding or buying a security flaw that allows you to get your malware onto someone’s computer undetected. It’s painfully expensive, and often ends up leaving a trail back to the authors.
Phishing doesn’t attack computers. It attacks the people using computers.
Setting up a phishing website is something a summer intern can do in a couple of weeks, and it works. If you were to try to create a phishing version of this article, you could start by saving the complete webpage from your browser—that would get you the picture, text, and code that makes the page you’re reading now. If this article contained an account login, you could put it on a server you control, and maybe register another domain, something like http://tehatlantic.com. If you enticed someone to try to use their TheAtlantic.com username and password on tehatlantic.com, you would then have that information….
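The lookalike-domain trick in the paragraph above (tehatlantic.com standing in for TheAtlantic.com) is exactly what a mail gateway or a help desk can screen for before anyone types a password. The Python below is an added example, not code from The Atlantic or from the article's author. It assumes a constructed allow-list of domains users legitimately log into, and it flags a host that is a one- or two-character near miss of one of them (transposed letters count as a single edit, so "teh" is one step from "the"), or that embeds a legitimate domain name inside a subdomain of some other domain. The registrable-domain helper is deliberately naive (last two labels) and is an assumption of this example; a production filter would use the Public Suffix List.

```python
"""Lookalike-domain triage for suspicious links (added example, not from the article).

classify_url() returns one of:
  ("legitimate", <matched domain>)  host is, or is under, an allowed domain
  ("lookalike",  <impersonated>)    host is a near-miss or brand-in-subdomain trick
  ("unknown",    None)              nothing to say either way
  ("invalid",    None)              no host could be parsed
"""
from urllib.parse import urlsplit

# Constructed allow-list of domains the organisation's users genuinely log into.
LEGITIMATE_DOMAINS = ("theatlantic.com", "google.com", "accounts.google.com")


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, and
    adjacent transposition each cost 1, so 'tehatlantic' is 1 from 'theatlantic'."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[n][m]


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels. Assumption of this example;
    real deployments consult the Public Suffix List (co.uk, com.au, ...)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, legitimate=LEGITIMATE_DOMAINS, max_distance: int = 2):
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return ("invalid", None)

    # Longest allowed domain first, so accounts.google.com wins over google.com.
    ordered = sorted(legitimate, key=len, reverse=True)

    # 1. The host is exactly an allowed domain, or a subdomain of one.
    for legit in ordered:
        if host == legit or host.endswith("." + legit):
            return ("legitimate", legit)

    # 2. Brand-in-subdomain: the allowed name appears in the host, but the host
    #    is registered somewhere else (theatlantic.com.verify-login.example).
    for legit in ordered:
        if legit in host:
            return ("lookalike", legit)

    # 3. Typosquat: the registrable part is a near miss of an allowed domain.
    reg = registrable_domain(host)
    best = None
    for legit in ordered:
        target = registrable_domain(legit)
        dist = damerau_levenshtein(reg, target)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (target, dist)
    if best is not None:
        return ("lookalike", best[0])
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a reported email.
    for link in ("https://www.theatlantic.com/technology/",
                 "http://tehatlantic.com/login",
                 "https://accounts.google.com.verify-login.example/",
                 "https://example.org/"):
        print(link, "->", classify_url(link))
```

The three checks run in order of confidence: an exact or subdomain match is trusted, a legitimate name embedded under a foreign registrable domain is flagged outright, and only then is edit distance consulted. A small `max_distance` keeps the last check from flagging every short domain as a near miss of every other.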
John Podesta, the chairman of the Hillary Clinton campaign, was famously spear-phished in 2016 by an email saying someone in Ukraine was attempting to log into his Gmail account. When he clicked the link and entered his username and password (instead of using the Google domain passed along by his own help-desk person), his account was actually captured. His emails, along with Democratic National Committee emails harvested the same way, were later leaked online,
This article is well-written and worth the time it takes to read it in its entirety. The more you know, the less likely you are to become a victim. Please take a few minutes to read this entire article from “The Atlantic”. You’ll really be glad you did.