(Update, April 2: The answer's yes, says one hoster who has pretty much weaned himself off of that money.)
It's like shooting phishers in a barrel: Michael Sutton, security evangelist for SPI Dynamics, spent several hours trolling the waters surrounding free Web hosting services and had no trouble dragging up enough phishing sites to sink a small trawler. You can see the haul for yourself on his blog.

Sutton is an experienced phisherman, having bagged Yahoo last month with a bellyful of small phry that were actually using Yahoo's Geocities service to con personally identifiable information from - guess who? - why, Yahoo users.

This topic of fighting or not fighting phishers - who's doing what and is it all enough? - has been an ongoing one here at Buzzblog. Sutton's latest contribution to the discussion is interesting not only because he demonstrates how easy it is to find these sites, or because he crowns "by far the worst offender" among hosting companies - Angelfire. No, what's most notable here is that Sutton comes right out and accuses the hosters of doing what others generally have only hinted at: turning a blind eye to the phishers because the phishers fatten up their revenue - in this case, ad revenue.

From Sutton's post:
This time around, I decided to see which hosting providers are aiding phishers by maintaining their Web sites - for free. To do this, I spent a couple of hours sifting through various publicly available resources including search engines, phishing archives, the Google Blacklist and the Google Hashed/Encoded Blacklist. Sadly, I found that most free hosting providers are contributing to the problem of phishing. Given that I was able to find dozens of sites with minimal effort and no special resources, it is clear to me that the hosting providers are making no effort whatsoever to combat this problem. Why? Do they lack the resources? Is the challenge too difficult? I have a different theory. I believe that they benefit from the ad revenue that these Web pages provide. They choose not to combat the problem because they are profiting from it.
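Sutton's point is that the same public blocklists he used are available to the hosting providers themselves, who could run their own published URLs against them. The script below is an added example of that check, written for this post and not taken from Sutton's blog or from SPI Dynamics; it assumes a hypothetical one-MD5-per-line hashed blocklist format (not the real Google Hashed Blacklist format), and every URL and hash in it is constructed. The canonicalization step matters because a page published at an upper-case hostname, with an explicit port 80, a trailing slash or a fragment, is still the same page and must hash to the same value.

```python
"""Check a free host's own published URLs against a hashed phishing blocklist.

Added example, not code from the original post or from SPI Dynamics. The
blocklist format is an assumption: one lowercase hex MD5 of a canonical URL
per line, '#' comments allowed. All URLs and hashes below are constructed.
"""
import hashlib
from urllib.parse import urlsplit, urlunsplit


def canonicalize(url: str) -> str:
    """Normalize a URL so trivial variations hash identically:
    lowercase scheme and host, drop default ports, fragments and a trailing slash."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""          # .hostname is already lowercased
    port = parts.port
    if port and port not in (80, 443):   # keep only non-default ports
        host = f"{host}:{port}"
    path = parts.path or "/"
    if len(path) > 1 and path.endswith("/"):
        path = path[:-1]
    return urlunsplit((parts.scheme.lower(), host, path, parts.query, ""))


def url_hash(url: str) -> str:
    """MD5 of the canonical URL, matching the assumed blocklist entry format."""
    return hashlib.md5(canonicalize(url).encode("utf-8")).hexdigest()


def load_blocklist(text: str) -> set:
    """Parse the assumed one-hash-per-line format, ignoring blanks and comments."""
    return {line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def flag_hosted_urls(hosted_urls, blocklist) -> list:
    """Return the subset of the host's own URLs whose canonical hash is listed."""
    return [u for u in hosted_urls if url_hash(u) in blocklist]


# Constructed sample data: three pages the host serves. The second one is the
# same page as the blocklist entry, just written with noisier URL syntax.
HOSTED_URLS = [
    "http://members.example-host.test/user123/",
    "http://MEMBERS.example-host.test:80/bank-login/secure-update/#x",
    "http://members.example-host.test/photos/index.html",
]

# Constructed blocklist: a comment line plus one hashed entry.
BLOCKLIST_TEXT = (
    "# constructed hashed blocklist (example format, not a real feed)\n"
    + url_hash("http://members.example-host.test/bank-login/secure-update") + "\n"
)

if __name__ == "__main__":
    listed = load_blocklist(BLOCKLIST_TEXT)
    for url in flag_hosted_urls(HOSTED_URLS, listed):
        print("blocklisted page hosted here:", url)
```

A hoster would run this over its content index on every publish and on each blocklist refresh; the hit is a signal for a takedown review, not proof on its own, since blocklists lag and a listed URL may already have been cleaned.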
And Sutton also has a suggestion as to who might light a fire under the hosting services and what they might use for matches.
Companies such as HSBC, MySpace, Microsoft (Hotmail) and eBay were among the targets of the phishing sites that I investigated. It is their clients that are paying the price for this and it is therefore time that such companies took action. MySpace has repeatedly removed content when facing legal action for copyright infringement. I suspect that the free hosting providers would try a little harder if they likewise faced legal action for their negligence when combating phishing.
Since Sutton specifically called out Angelfire as the host with the most, I have dropped a couple of questions on its PR department. Will let you know if/when I hear back.
As for Sutton's contention that the hosting providers are being willfully ineffectual in addressing the phishing problem? Well, maybe. I'd like to think I take a back seat to no one on the cynicism train, but I'm not completely sold on the idea that business execs at these companies are sitting around boardroom tables saying, "Heck, yes, we could stop all this nonsense ... but think of what it'll cost us." I mean they have to know that it's society's most vulnerable (and, OK, gullible) people who are being taken to the cleaners by phishers.
Sutton sees the calculation in a different light. In an e-mail to me, he writes:
"I don't feel that deviousness is required for the behavior that we're seeing. Business is driven by profit. If X makes more money than Y, X is the chosen path. Currently, allowing any and all content to be hosted makes money and there isn't a cost to allowing it to be there. We need to change that. That cost can come in many forms. Perhaps it's the negative publicity that the practice generates; perhaps it's a fine or legal repercussions. I'd prefer to see the industry regulate itself and that's why I choose to blog about the issue and raise awareness. We need to raise the costs of ignoring the problem."
In my mind, turning a blind eye for the sake of a few pieces of silver wouldn't be business people being business people, nor would it be just wrong or unethical - it would be downright immoral (a word I use rarely).
I'm not naïve; I know the chances of willful neglect fall somewhere between possible and likely, at least in some cases. But can it really explain an industry-wide inability to weed out the vermin?
Your thoughts welcome.