Humans are the big vulnerability for organizations of any kind. We imagine hackers like they are in movies, people who go to war with a keyboard and modem, finding their way through the hidden code of websites.
These days, though, hackers get in through the digital front door, by tricking people into handing over credentials. “Phishing is how a lot of these compromises happen,” Allison Miller says on The Deception Chronicles podcast.
Phishing is the practice of enticing web uses to visit a fake website and enter in sensitive information by sending an enticing email or text message.
Miller works on the Safe Browsing team at Google (GOOGL), a part of the company that uses machine learning to scan the web for sites that want to take advantage of people online. Bad guys trick people by making sites that look legitimate so that people will attempt to log-in. That trickery is one form that “social engineering” takes in hacker circles.
Among the places she worked before Google, she fought financial fraud at Paypal. In finance, there’s a long history at looking at finding numbers on spreadsheets that looks like fraud (fun fact: on any set of data, if 30 percent of all the numbers don’t begin with the numeral “1,” the data set has probably been doctored).
“Understanding that number driven approach to detection was really interesting to me,” she said. Now Google uses machine learning to find malicious behavior across the internet.
The team she’s on runs code that spots 50,000 scam sites per week, and then it feeds those bad addresses out to every Google product that might possibly be used to bounce people out to a bad site. For Chrome users, their work will be most familiar as that page that pops up saying that you may be approaching a dangerous site, and prominently offers that “Return to safety” link at the bottom.
(Those of us who use the web constantly may have also had moments when Google’s had a false positive but won’t let us past anyway.)
So her team works to model the latest scams and then go look for more. “I take fraud against my users, my customers, I take it personally,” she said. “In that way I feel a very competitive relationship with the bad guys, if you will.”
But the scams keep changing. “I still feel the way I felt earlier in my career, that we are making things up as we go along,” Miller confessed, “but I hope we are getting better.”