In his latest weekly column, Robert Cringely outlines a plan to make phishing, the practice of stealing personal information by sending fake emails, much less profitable. He suggests that people who notice phishing emails should go to the websites linked in the messages and enter false information, thereby increasing the signal-to-noise ratio of the data gathered by the criminals behind the emails, who are known as phishers (and not, alas, phishermen). If the phishers have to sift through dozens of pieces of false login information in order to find valid data, Cringely thinks, they will give up scamming people in favor of getting a real job.
The idea is neither particularly innovative (the organization Artists Against 419 uses a similar technique - the repeated loading of images - to attack 419 fraud websites) nor effective. While Cringely's idea would work, if widely implemented, it plays to phishing's strengths instead of its weaknesses. Phishing is both highly dangerous and successful because the email messages spoof official account notification emails. While discerning users can tell the difference, many unsuspecting people enter their information into these websites. While Cringely's idea might make it harder for phishers to organize their data, the fact remains that some of the information they collected would be valid. Considering that spamming remains a problem despite considerable technological obstacles, the introduction of a few false records into a phisher's information store would not be enough to dissuade them.
Many of the recent phishing messages that I have received have directed me to websites hosted on servers that I am fairly certain have been compromised by malicious hackers. The most recent message I received, claiming to be an account suspension notice from eBay (sent to my FAS email account, which is not and has never been associated with an eBay account), redirected to a page hosted on the same server as this South Korean middle school. Since the people who would enter false information into the phishing website are technically adept enough to realize that the phishing message was a scam, it would not be too much of a stretch for them to forward the message (with full headers, of course) to the bank or organization that the phisher claims to represent (eBay, for example, allows you to forward suspicious messages to them through their Security Center). This method removes the phishing website from the Internet (thus cutting off the phisher's source of information and income far more permanently than entering false information), forcing the phisher to either find new webspace or give up. This is by no means a perfect solution, because there is no simple answer that will stop the practice of phishing. Educating users to recognize fraudulent email messages will help, as will applications like the Netcraft Toolbar.
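Forwarding a phishing message with full headers is only useful if the recipient can quickly see what is wrong with it. The script below is an added example, not code from the original post or from Cringely's column; it shows the checks a technically adept user (or an abuse desk) would run on a suspicious message before reporting it: it parses the raw message, pulls out the Received chain (which is what "full headers" preserves), and flags the two traits the post describes, a spoofed sender and a link whose visible text points somewhere other than its href. The sample message is constructed for the example and uses only reserved documentation addresses (the `.invalid` TLD, 203.0.113.x and 198.51.100.x); the hostnames, IPs and the `triage` function are assumptions for illustration.

```python
import email
import ipaddress
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email). It has a spoofed From
# address, a Reply-To pointing elsewhere, and a link whose visible text names the
# bank while the href points at a bare IP address, like the compromised host in
# the post. Every hostname and address here is a documentation/reserved value.
SAMPLE_RAW = b"""Received: from mail.example-bank.invalid (unknown [203.0.113.7])
    by mx.example.edu (Postfix) with ESMTP id ABC123
    for <user@example.edu>; Mon, 01 Jan 2005 10:00:00 +0000
From: "Account Services" <service@example-bank.invalid>
Reply-To: collect@phish.example.invalid
To: user@example.edu
Subject: Account suspension notice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been suspended. Please visit <a href="http://198.51.100.23/~school/login.php">
https://www.example-bank.invalid/secure/login</a> to restore access.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, visible))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _domain_of(header_value):
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Parse a raw RFC 5322 message and return the facts worth putting in a report."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_domain = _domain_of(msg["From"])
    reply_to_domain = _domain_of(msg["Reply-To"])
    body = msg.get_body(preferencelist=("html", "plain"))
    links = extract_links(body.get_content()) if body is not None else []

    findings = []
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"Reply-To domain {reply_to_domain} differs from From domain {from_domain}")
    for href, text in links:
        target = _host(href)
        if _is_bare_ip(target):
            findings.append(f"link points to a bare IP address: {target}")
        shown = _host(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")

    # The Received chain is what "forward with full headers" preserves; the
    # relay addresses in it are what the abuse desk needs for a takedown.
    received = [" ".join(str(v).split()) for v in msg.get_all("Received", [])]
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_to_domain,
        "links": links,
        "received": received,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_RAW)
    for line in report["received"]:
        print("Received:", line)
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run as a script it prints the relay chain and the findings for the constructed message; the same `triage` call works on any message saved with its headers intact (for example a `.eml` export), which is the form a report to the impersonated organization should take.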