Cormac Herley and Dinei Florencio published a mildly controversial paper entitled A Profitless Endeavor: Phishing As Tragedy Of The Commons. In the article abstract, the authors say "Phishing is a classic example of tragedy of the commons, where there is open access to a resource that has limited ability to regenerate. Since each phisher independently seeks to maximize his return, the resource is over-grazed and yields far less than it is capable of"; that "common sense dictates that low-skill jobs pay like low-skill jobs, whether the activity is legal or not"; and later that "the resource yields far less when exploited by independent actors than if it were managed by a single decision maker."
These seem to be obvious conclusions. Can't the same conclusions can be reached when analyzing any "street" versus organized crime? The street is open access and the number of individuals who use illegal substances is limited. The average independent corner drug dealer over-grazes his corner. He's unskilled and he isn't raking in millions a year. This is not new. The folks who are making millions harness the resources of large numbers of dealers under a single umbrella or family. This, too, is not new.
Phishing indeed has "single decision makers" today and these are the heads of e-criminal organizations. These real world criminal organizations or families replicate behavior of crime families in the virtual world. The are hierarchically organized. The top of the tree earns the most through the aggregation of rewards from the subordinate branches. The lowest branches of the tree earn the least. And while the lowest branches in this tree may be unskilled, the branches representing the bot and CC software developers are not. Srizbi and conficker illustrate exactly how clever these guys are. Scoff if you want, but anyone who can harness and oversee several hundred thousand networked computers is no slouch. Don't admire them, don't discount them or view them as any less formidable because they are criminals.
I don't think the notion that phishing is largely an independent activity is a valid one. "Phishing" is the collective effort of many phishers, funded and coordinated in the same strong-armed manner as real world criminal endeavors. Clearly an enterprising, independent phisher will have nominal resources and his impact will be less than the collective impact of an organization.
The authors review open access fishing grounds and apply their model to phishing. I think an alternative analogy from the physical world in the pre-Internet decades is dumpster diving. Individual divers earned very little (for many, the cost of a fix). By engaging hundreds of divers in a common criminal purpose, the collective rewards from dumpster diving were not chump change for a crime family.
The authors also claim that the high volume of phishing activity demonstrates its lack of success. This seems to ignore the concept of countermeasures entirely. Phish volume increases because the percent of the population that is phishable for a given variant of a phish diminishes as countermeasures are adopted and that phish becomes ineffective.
The study presents an interesting analysis and they present some startlingly different measures of the impact of phishing but I don't think it mirrors the phishing reality very well. I rather doubt it will convince a lot of would-be phishers that they need to find a new day job; instead, some people will read the article title, skim the article, and let their guards down. To the authors' credit, they do acknowledge that the analysis focuses on the ecomonics of phishing and that "even if the dollar losses are smaller than often believed, we believe that phishing is a major problem. There are many types of crime where the dollars gained by the criminal are small relative to the damage they inflict" and "If the dollar losses were zero the erosion of trust among web users, and destruction of email as a means of communicating would still be a major problem".
N.B. I admit to nearly falling out of my chair, unable to contain the laughter, when I read "It is interesting to wonder why the Gartner estimates are repeated without scrutiny when they appear noisy at best."