In the classic 1973 heist movie The Sting, two con men—played by Robert Redford and Paul Newman—build a fictitious world in a Depression-era Chicago basement to defraud a corrupt banker. They make an offtrack-betting room, hire actors to ensure the scene is convincing, and even enlist pretend law enforcement to fake-bust their mark. The film is memorable because it is one of the finest movies in the genre, well written and funny, but also because the duo’s work is so meticulously detailed.
The con has changed since then, both short and long. In this age, the online equivalent of The Sting is a phishing site: a fake reality that lives online, set up to capture precious information such as logins and passwords, bank-account numbers, and the other functional secrets of modern life. You don’t get to see these spaces being built, but—like The Sting’s betting room—they can be perfect in every detail. Or they can be thrown together at the last minute like a clapboard set.
This might be the best way to think about phishing: a set built for you, to trick information out of you; built either by con men or, in the case of the recent spear-phishing attack caught and shut down by Microsoft, by spies and agents working for (or with) interfering governments, which seems a bit more sinister than Paul Newman with a jaunty smile and a straw hat.
But perhaps it should not seem so sinister, because phishing is profoundly easy to do. So easy, and comparatively cheap, that any country that isn’t using it as part of its espionage strategy should probably fire its intelligence agency.
Computer security often focuses on malware: software that attacks faults in your computer to take control of it and give that control to someone else. Malware is often sophisticated software that can quietly take over a computer without being detected—from there, it can do anything, from copying every keystroke you type, to watching every page you open, to turning your camera and microphone on and recording you, to encrypting your hard drive and ransoming your computer’s contents back to you. But novel malware is difficult to write, and can take many paid hours for some of the most talented programmers, in addition to finding or buying a security flaw that allows you to get your malware onto someone’s computer undetected. It’s painfully expensive, and often ends up leaving a trail back to the authors.
Phishing doesn’t attack computers. It attacks the people using computers.
Setting up a phishing website is something a summer intern can do in a couple of weeks, and it works. If you were to try to create a phishing version of this article, you could start by saving the complete webpage from your browser—that would get you the picture, text, and code that makes the page you’re reading now. If this article contained an account login, you could put it on a server you control, and maybe register another domain, something like http://tehatlantic.com. If you enticed someone to try to use their TheAtlantic.com username and password on tehatlantic.com, you would then have that information.
This kind of phishing started out mainly as a money-stealing scheme, delivered en masse. “Phishing has changed a lot. A decade or so ago it was a mass phenomenon of people looking for passwords to bank accounts, PayPal, eBay … anything they thought would be easily monetizable,” says Cormac Herley, a principal researcher at Microsoft Research. “I think that threat has largely been beaten back: Spam filters have become better at detecting it, browsers have warning mechanisms built in, banks have become good at detecting fraud.”
But that’s the untargeted stuff. Enticing someone to click on a phishing link, in an email or elsewhere, is where a targeted attack, also known as spear-phishing, comes in: learning about someone’s life and habits to know just what email would get them unthinkingly to click. A reality built for one person, or one cohort of people. The con is on, the set is built, and the actors are hired to make the sting, all from a web browser.
In early 2016 a phishing email requesting an urgent payment as part of what’s known as a “fake president” scam landed on the Austrian aviation-parts maker FACC’s email servers. The “fake president” is generally an urgent message from an authority figure that needs Accounts Payable to send money to a foreign account at once. In the case of FACC, a dubious wire transfer followed the email, and the company lost more than 40 million euros and fired its CEO.
John Podesta, the chairman of the Hillary Clinton campaign, was famously spear-phished in 2016 by an email saying someone in Ukraine was attempting to log into his Gmail account. When he clicked the link and entered his username and password (instead of using the Google domain passed along by his own help-desk person), his account was actually captured. His emails, along with Democratic National Committee emails harvested the same way, were later leaked online, creating chaos in the run-up to the 2016 election. Most recently, Microsoft found and shut down six domains it believed were created by a group known as the Main Intelligence Directorate of the Russian army, or GRU, targeting conservative think tanks (the International Republican Institute and the Hudson Institute) and the U.S. Senate. It’s not clear what exactly these phishing sites looked like, or how they worked. As far as Microsoft knows, no one was compromised by these sites, but they also don’t know how many more are out there, waiting for just the right spear-phishing email or bogus phone call to get someone to click the link.
“The phishing that persists as a real problem today is the spear-phishing for … credentials,” Herley says. He has studied the economics of phishing as well as the efficacy of security advice. “This is still a very successful vector in getting a toehold on enterprise networks. It’s low volume, so it’s much harder to detect.” In the case of political and industrial espionage, each potential victim is worth researching and getting to know—building just the right room for their own personal sting.
Phishing and malware aren’t exclusive options. Blending phishing with malware can be the most potent approach, usually in the form of a well-crafted email with an important, often urgent, document attached. But it’s not a document, or not just a document. It’s malware, and when you click on that attachment you’re telling your computer that you want to install the software, which you don’t know is software. The computer obeys you, and in doing so, invisibly hands itself over to the person who sent you the software. This approach uses you to get to your computer. It’s been used against journalists and activists all over the world, and probably a lot of other people, but it’s the journalists and activists we hear about.
More frightening is the fact that, most of the time, a decent fake website gets an attacker whatever they need without expensive and detectable malware. You just followed a link, put in your username and password, and maybe the page showed an error with a link that goes to the real site. Just one of those hiccups on the net that we see and forget moments later. This can be overwhelming to think about. Someone, you might reasonably say, should fix this, and by someone you mean tech companies.
The most Microsoft, Google, or any of the tech companies can do with their technology is try to detect malware and phishing sites, and stop them from talking to the internet—blocking up the door to the offtrack-betting basement. This is called “blackholing.” But because spinning up a hundred basements on the internet isn’t much harder than spinning up one, leaving it to tech companies won’t work. The victims are the weakest link in phishing, and the tech companies can’t put out reliable updates to change or prevent user behavior.
“We do invest a lot in technical fixes like better threat detection, better protection of networks, efforts like AccountGuard and Defending Democracy, and encouraging two-factor authentication for high-value accounts,” Herley says. “But there’s also an education component; we’d love protection to have zero asks of the user, but that’s not always possible.”
AccountGuard and Defending Democracy are offerings from Microsoft aimed at its most vulnerable (and political) clients, but even then, most of the offerings consist of recommendations, best practices, webinars, and notifications: attempts to patch the human.
Many security-professional and media recommendations exhort eternal vigilance, paying attention to every detail. This is terrible advice. I’m a professional with years of experience in this space and I don’t bother to inspect my emails or carefully read all my URLs: I have things to do. As a strategy for the constant level of attacks in modern email, this approach has failed, even in dealing with the amateurish mass-phishing attacks we’ve seen over the past 10 years.
Spear-phishing, especially political spear-phishing, is even harder to catch with vigilance. The inconsistency of security advice has contributed to the disaster with ideas that are hard to implement, don’t make sense, and don’t work, but that security and IT departments yell at people with all the fury of revivalist preachers. It’s exhausting.
Developing a few good habits based on how this computer you’re using works is relatively easy and more effective than paranoia. Turn on two-factor authentication where you can, where it’s available on sites you use. This includes things such as RSA tokens, Yubikeys, Google Authenticator, and SMS verification codes, which create something needed to log in beyond a password and a username so that if your username and password are stolen or leaked, attackers still can’t take over your accounts. Apply software updates. Or, better yet, Herley suggests letting your computer do it for you. “I’d say use automatic updates … We invest heavily in [fixes] as soon as we figure out things are wrong. You want all that goodness working for you.”
Set up regular backups that require minimal effort from you. “You don’t have to worry as much about ransomware [or theft, or disk crashes] … if you know you can always get your stuff back,” Herley says. Use long, complex, and unique passwords, but make it easy on yourself. “Write them down or use a password manager,” Herley says.
I’d strongly recommend the password manager, but not directly for security purposes. Password managers are easy and will autofill your password on sites you’ve used before—even less effort. There’s most likely one built into the browser or operating system you’re using now, but if you want to get fancy, you can use an online password-management system that syncs between devices. Don’t reuse passwords, and go ahead and change your password on the sites where you know you’ve reused passwords. This is an hour or two of pain, but only one time. You are not likely to leak your password onto the internet, but a site you use almost certainly will at some point. You can also sign up at Have I Been Pwned to find out which of your passwords have already leaked onto the internet.
Don’t follow links you get sent to sites on which you have an account—you have your own bookmarks and browser history, which already go to the right site for sure. If you get an email from your bank or, say, think-tank employer, log in on your web browser. You’re going to have to do that anyway, so you might as well follow your own link. One habit that would take some work to change but does the most to secure you from malware is not opening email attachments on your own computer. Have people put files in a file-locker site, something like Dropbox, and open documents in a remote service like Google Docs. Make it someone else’s IT department’s problem.
Don’t try to be perfect. Just try to be expensive for the con artist. Make them work hard enough, and you’re not worth the bother. Right now, most computer users, whether they are political consultants, CEOs, scientists, or researchers, aren’t very hard to con.
Understanding all of this, the news of phishing campaigns takes on a different tone. Rather than asking why there are groups linked to Russia phishing our politics, the question is: Why aren’t more governments phishing U.S. companies and agencies? Perhaps they are, and we just don’t notice. Whatever the reason, people need to talk about phishing, as much as they need to update their software. Because striving to understand complex phenomena is how humans are updated over time, and it’s how we make it as expensive and difficult to hack humans as it is to hack computers.