Weinschenk: Is phishing declining, holding steady or getting worse?
Kalish: It's getting worse. It's getting worse because it's getting more sophisticated. In the beginning when phishing started, it was unsophisticated. You would have an e-mail with grammatical mistakes, with a link to a Web site that was essentially a bitmap. It was obviously a fraudulent Web site. Today, creators are much more sophisticated. You can't really tell a phishing Web site unless you know what to look for. Also, they've developed spear phishing. Spear phishing is a much more virulent form of phishing, much more effective. Phishing e-mail response is typically 3 to 5 percent. With spear phishing, the return is 19 percent. Spear phishers use any number of tools such as remote access tools and rootkits.
Weinschenk: How big a trend is spear phishing?
Kalish: It's a huge trend. As people become more sophisticated, as technology improves, it's a race. We have phishing. People get hip to phishing, so phishing technology improves. [Spear phishing is] a combination of technological deception and social engineering. In order for spear phishing to be effective, the phishing e-mail needs to be sent to a person who has an affiliation with the Web site that is being spoofed. They put spyware on your computer. It could be a keylogger, it could be any number of techniques. It is something on your computer monitoring your searches. If you are doing business with ABC Credit Union, they could deliver a phishing e-mail pretending to be from that organization. The [security] technologies that have been used in the past have been reactive technologies. When somebody gets phished, the Anti-Phishing Working Group [helps take] them down. But that's a reactive technology. Somebody must be phished in order for them to discover it.
Weinschenk: It doesn't seem like a pretty picture. Is progress being made?
Kalish: We're making progress fighting it. The way we are making progress is with the use of heuristics. Heuristics is essentially a mathematical rules engine. What we do is when you go to a particular Web site, we subject the URL to a consecutive series of criteria. Bottom line, if it looks like a phishing site and smells like a phishing site, it probably is a phishing site - for example, if you go to a site that has certain characteristics, such as not having HTTPS, or if the URL is a number, which doesn't conform to the naming convention. When the heuristic program gets a particular percentage, we deliver an alert, a warning that says the site is known to be or is potentially malicious.