Casey Newton* speaks to Google’s Mark Risher about how the methods used by spammers have evolved significantly over time and are now achieving much better results.
![](https://psnews.com.au/wp-content/uploads/sites/12/2018/06/602tech1.jpg)
Photo: NeONBRAND
Google’s Mark Risher worries about the expanding number of threats faced by platforms like Gmail as they work to protect users from phishing attacks and spammers.
Conventional wisdom about choosing longer, more complicated passwords is getting less effective over time.
Meanwhile, the people behind phishing attacks are getting much better.
Risher is a director of product management at Google, where he oversees Google’s identity, account security, and counter-abuse teams.
A big part of Risher’s job over the years has been to fight unwanted email, and he says the methods used by spammers have evolved significantly over that time.
Some attackers are getting much better results than they used to just by doing some research on their clients, he said.
“What works is taking your name out of a hat wherever I find it, going to your LinkedIn page, and finding a few facts about you,” Risher said.
“Maybe doing a little search and getting some other information, and then saying ‘Dear Casey, you may remember that we met a few weeks ago at Vox Media, and at the time you had promised to tell me your Social Security number and then it just slipped your mind. Can you please remind me?’”
It sounds ridiculous, but it works, Risher said.
“I take it to the absurd, but you can imagine how you could do something that’s much closer, like ‘Hey, I’m going to meet up with you. Remind me your mother’s maiden name?’”
“These social engineering attacks that they spend a few more minutes personalising can then yield much, much more outsized rewards.”
Risher has worked at Google since 2014, when his security startup, Impermium, was acquired by the company.
Before that, he worked at Yahoo, where he once held the title of “spam czar” for Yahoo mail.
You can read a partial, lightly edited transcript with Risher below, and you’ll find the full episode above. You can listen to it here or anywhere else you find podcasts, like Apple Podcasts, Pocket Casts, Google Play Music, Spotify, our RSS feed, and wherever fine podcasts are sold.
I asked Risher what the next frontier is: are there areas where he feels spammers or state actors are ahead and tech platforms are still struggling to keep up? And is there anything he is seeing out there that is keeping him up at night?
“The thing that end users should worry about, and that I worry about, is these much more bespoke, targeted attacks that are going after an individual,” Risher said.
“And we see this in a lot of different places in the communications space, that I wouldn’t classify strictly as spam.”
“It’s a more targeted attack.”
“When I mention phishing, what people often think of is ‘Dear Sir or Madam, I am an oil minister with $35 million that I would like you to help me unload.’”
“And that doesn’t work.”
He says what does work is the type of approach mentioned at the start of this article.
He also believes business email compromise is particularly scary.
“This is a problem where recipients get a message that maybe pretends to be from an executive at their company or from the finance team saying, ‘Send me those tax forms’, and it’s a near duplicate.”
“In Gmail, we’ve built a bunch of features, in both our web client and in our iOS and Android apps, that identify when you’re getting messages from a doppelgänger, something that looks close but isn’t.”
“But that’s just one of the many dimensions where we’ve been quite concerned about this impersonation of pretending to be someone else and asking for sensitive information, which is much, much more rewarding.”
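A defender-side illustration of the “doppelgänger” check Risher describes, added here as an example and not Gmail’s own code: it flags a From: header whose display name matches a trusted contact while the address does not, or whose address or domain is a near-duplicate of a trusted one. The contact list, organisation domain, confusable table and similarity thresholds are constructed assumptions.

```python
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample data: the recipient's trusted contacts and home domain.
KNOWN_CONTACTS = {
    "Alice Finance": "alice@example.com",
    "Bob Executive": "bob@example.com",
}
ORG_DOMAIN = "example.com"

# Fold a few common look-alike characters (digit 1 for l, 0 for o, Cyrillic
# a/e/o for Latin). Assumption: a real deployment would use a fuller table.
CONFUSABLES = str.maketrans(
    {"0": "o", "1": "l", "|": "l", "\u0430": "a", "\u0435": "e", "\u043e": "o"}
)


def normalise(s: str) -> str:
    """Lower-case, Unicode-normalise and fold confusables so 'A1ice' ~ 'alice'."""
    return unicodedata.normalize("NFKC", s).lower().translate(CONFUSABLES)


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of how alike two strings are after normalisation."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def check_sender(from_header: str, threshold: float = 0.8) -> list[str]:
    """Return warnings if the From: header looks like, but is not, a trusted sender."""
    name, addr = parseaddr(from_header)
    addr_n = normalise(addr)
    domain = addr_n.rsplit("@", 1)[-1] if "@" in addr_n else ""
    warnings = []
    for known_name, known_addr in KNOWN_CONTACTS.items():
        known_n = normalise(known_addr)
        # Display name impersonates a contact, but the address is not theirs.
        if similarity(name, known_name) >= threshold and addr_n != known_n:
            warnings.append(f"display name resembles '{known_name}' but address is {addr}")
        # Address itself is a near-duplicate of a trusted address.
        elif addr_n != known_n and similarity(addr, known_addr) >= 0.9:
            warnings.append(f"address resembles trusted {known_addr}")
    # Sending domain is a near-duplicate of the organisation's own domain.
    if domain and domain != ORG_DOMAIN and similarity(domain, ORG_DOMAIN) >= threshold:
        warnings.append(f"domain {domain} resembles {ORG_DOMAIN}")
    return warnings
```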
“If I send out 10 million offers for generic Viagra, I might get 10 people that respond,” Risher says.
“And I can sell them and make a profit of a very small amount that basically covers my time.”
“If instead I send out 10 messages, each one asking for a wire transfer of five or six figures, that’s much more worth my time.”
* Casey Newton is an Editor at The Verge in San Francisco. He tweets at @CaseyNewton and his website is cnewton.org.
This article first appeared at www.theverge.com.