I’ll be giving a presentation next week at Appsec USA on perceptual hashing and how it can be used as a component of anti-phishing systems. It will be more of a proof of concept and introduction to an interesting algorithms than it is about practical realities. Enough self promotion though.
While doing some research into the economics of phishing. I was floored by the numbers being thrown around and how much the business of information security and cybercrime has changed in the decade that I’ve been a part of it. I can only image how those with two times my experience feel.
The numbers, while likely quite exaggerated, are staggering. Phishing itself is estimated to cost ~6 billion annually, while cybercrime in general is pegged at being over 400 billion.
What surprises me the most about this is that phishing and email security is viewed as a largely “solved” problem. 6 Billion on the table, and yet this area of security hasn’t significantly advanced in years. Some would argue that there have been no real improvements since reputation based systems came on the scene in the mid 2000s. Phishing, and malicious messaging in general, is interesting in that their targets should often know better, and protecting the last few 0.01% of the population gets increasingly expensive. At the same time the value that an attacker can extract from that 0.01% is on the rise.
I have to wonder what level of fraud we’re all collectively “OK” with and if we’ve gotten there in the world of email security.