Over the last few years we have all experienced the constant barrage of Phishing attacks. These are not only a pain for all of us as end users, as we carefully pick through our email trying to figure out what’s real and what isn’t, but also an unending headache for those trying to run the commercial web sites we link to.  So let’s take a step back for a moment  to look at how these attacks are possible, after all we’re smart people we shouldn’t be fooled that easily ….

There are three distinct steps to any Phishing attack for the sake of making this simple let’s just call them Casting the Bait, Reeling in the Catch and Stealing the Prize.  

Casting the Bait – since the initial goal of the phisher is to get you to go to their web site the first thing to do is to deliver you a URL in an email message. This email has to convince you that not only is it from a real company but that you should take the additional action of clicking on the link it contains. We’ve all seen the “there has been a change in your account details and we need you to verify them” email, complete with nice graphics and company logo’s from a familiar company. The first few times we see these we naively  click on the link and off we go to who knows where to try and verify our account details. Of course given the amount of spam we all receive it’s not surprising that at times it’s hard for us to tell the good mail from the bad. In recent years many efforts have been made to reduce the amount of spam and as the junk mail filters have become more sophisticated we are weeding out a lot more than we used to, but there is still more work to be done.

Reeling in the Catch – have you ever thought about how easy it is to fake a web site, think about that for a moment if I go up to any webtsite today I bet I can copy half their logo’s and art work straight off of their home page. In no time at all a half decent web designer could mock up a site that is close enough to the real thing to fool 90% of the people who saw it. In fact that’s what Researchers at Harvard University and UC Berkeley did in order to do some research on Phishing. Now compare that with how hard it is to fake a real brick and mortar business, say a bank or a book store. One of the reasons so many people get phished is because it is very hard for most users to tell the difference between a fake site and the real site. In fact many users today have no idea what any of the so called security measure’s we have in place today even mean. Ask some of your non-technical friends to explain what an SSL certificate is and how they can tell when a site has one. Now ask them how they know that’s a real cert and not one that was issued to a spurious company in Nigeria. On the whole we as an industry have come up pretty short in terms of protecting our users from going to sites that they can’t identify.

Stealing the Prize – in many cases the prize is your username and password. Firstly this is because the Phisher can now get access to the site that they faked, secondly the chances are you also use that username and password other places, and they are going to go after those too. But wait I hear you cry, I have several password that I use on different sites depending on the value associated with an account. So imagine this, you get tricked into going to a fake site, it asks you for your username and password, you type them in and “User Authentication Failed, please try again”. So you think to yourself maybe I used one of my other username and password pairs, so you try again, failed. Eventually you think maybe I just typed the password wrong the first time! So you re-enter it and the site lets you in (and redirects you to the real site), now the Phishing site not only has the username and password for the site they faked, but chances are they also stole the other 4 combinations you use. And yes this happened to someone I know, oops. So username and passwords aren’t solving the problem today of how we get users to authenticate to our sites. And we need to keep it simple enough that all users from the technically savvy to novice users can just as easily and securely authenticate, without the need for username and password.

So as you can see the method of attack is pretty straight forward and if wasn’t for the fact that we prefer to operate on the right side of the law, I’m sure we could all make a pretty decent living doing it. One of the big challenges for us as an industry is that it covers multiple technologies email clients, browsers, SSL certificates and user authentication systems, all of which may be provided by different vendors, any one of which doesn’t feel like they can solve the problem. Over the next few weeks I’m going to cover each of these topics and explain the work that we are doing here at Microsoft to address  these issues and in addition other industry wide efforts I come across. I’m not saying that we can stop these attacks completely but by changing the rules a little we can at least start to fight back. Lets face it we are dealing with some pretty sophisticated criminals intent on stealing from all of us if they can, we just have to make it a lot harder for them to do their job.