Study Shows AI Can Enable Information-Stealing (Phishing) Campaigns

As a computer user, I make a modest effort to stay informed regarding the latest maneuvers by the bad guys to steal information and money. I am on a mailing list for the Malwarebytes blog, which publishes maybe three or four stories a week in this arena.

Here are three stories from the latest Malwarebytes email:

(1) AI-supported spear phishing fools more than 50% of targets: A controlled study reveals that 54% of users were tricked by AI-supported spear phishing emails, compared to just 12% who were targeted by traditional, human-crafted ones.

(2) Dental group lied through teeth about data breach, fined $350,000: Westend Dental denied a 2020 ransomware attack and associated data breach, telling its customers that their data was lost due to an “accidentally formatted hard drive”. The company agreed to pay $350,000 to settle HIPAA violations.

(3) “Can you try a game I made?” Fake game sites lead to information stealers: Victims lured to a fake game website where they were met with an information stealer instead of the promised game.

The first item here fits with our interest in the promise and perils of AI, so I will paste a couple of self-explanatory excerpts in italics:

One of the first things everyone predicted when artificial intelligence (AI) became more commonplace was that it would assist cybercriminals in making their phishing campaigns more effective.

Now, researchers have conducted a scientific study into the effectiveness of AI supported spear phishing, and the results line up with everyone’s expectations: AI is making it easier to do crimes.

The study, titled Evaluating Large Language Models’ Capability to Launch Fully Automated Spear Phishing Campaigns: Validated on Human Subjects, evaluates the capability of large language models (LLMs) to conduct personalized phishing attacks and compares their performance with human experts and AI models from last year.

To this end the researchers developed and tested an AI-powered tool to automate spear phishing campaigns. They used AI agents based on GPT-4o and Claude 3.5 Sonnet to search the web for available information on a target and use this for highly personalized phishing messages.

With these tools, the researchers achieved a click-through rate (CTR) that marketing departments can only dream of, at 54%. The control group received arbitrary phishing emails and achieved a CTR of 12% (roughly 1 in 8 people clicked the link).

Another group was tested against an email generated by human experts which proved to be just as effective as the fully AI automated emails and got a 54% CTR. But the human experts did this at 30 times the cost of the AI automated tools.

…The key to the success of a phishing email is the level of personalization that can be achieved by the AI assisted method and the base for that personalization can be provided by an AI web-browsing agent that crawls publicly available information.

Based on information found online about the target, they are invited to participate in a project that aligns with their interest and presented with a link to a site where they can find more details.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

But there is good news as well. We can use AI to fight AI: … LLMs are also getting better at recognizing phishing emails. Claude 3.5 Sonnet scored well above 90% with only a few false alarms and detected several emails that passed human detection. Although it struggles with some phishing emails that are clearly suspicious to most humans.

In addition, the blog article cited some hard evidence for year-over-year progress in AI capabilities: a year ago, unassisted AI was unable to match the phishing performance of human-generated phishing messages. But now, AI can match and even slightly exceed the effectiveness of human phishing. This is… progress, I guess.

P.S. I’d feel remiss if I did not remind us all yet again, it’s safest to never click on a link embedded in an email message, if you can avoid it. If the email purports to be from a company, it’s safest to go directly to the company’s website and do your business there.

Is there a fiduciary obligation to be extorted?

All the big companies are suddenly finding themselves compelled to donate to Trump’s inauguration. That a bunch of large businesses with significant regulatory exposure would want to lobby the President isn’t terribly surprising. Such things are endemic, if not inherent, to any democracy. Perhaps heightened by the media, but I can’t help but think that the prospect of targeted tariffs, elimination of key visa programs, and the general animus projected towards seemingly anyone and everyone by the administration have changed the tone of this particular round of contributions. In short, it feels less like traditional lobbying and more like extortion.

“Nice business you have there. It’d be a shame if something undermined its market integrity. You know, for a few million dollars we could help you out. Pennies, really, when you think about the billions of dollars at stake.”

Which brings me to my absolutely genuine, I actually don’t know the answer, question. Does a company have a fiduciary obligation to its shareholders to be a rent seeker? Is there a fiduciary obligation to give in to political extortion?

There is legal precedent that a company does not have an obligation to give in to ransom or criminal extortion. Common law duty of care (Meinhard v. Salmon, 164 N.E. 545 [N.Y. 1928]) does not extend to unlawful acts. 18 U.S.C. § 873 prohibits the receipt of funds in response to extortion. 18 U.S.C. § 1201 imposes criminal penalties for aiding or abetting kidnappers. 18 U.S.C. § 2339B may indirectly criminalize paying ransoms to terrorists. The Foreign Corrupt Practices Act (FCPA) dictates that paying bribes or ransoms may violate anti-corruption statutes.

But what if the extortion isn’t explicitly illegal? As some have suggested, certain activities are not in fact illegal if the President does it, a sentiment that has only gained legal standing. Which brings up the next point: could shareholders sue Amazon, Google, or Meta if they in fact chose not to donate to the inauguration? What if they released a joint statement that they had been approached by the administration but refused to donate? Could a civil case be launched against them on behalf of shareholders? I don’t think so, but we’re in a wild enough world where such an action could be profitable if only as a threat.

Maybe this is just another case where politicians are increasingly willing to “say the quiet part out loud”. Yes, it’s extortion, but it’s also always been extortion; the new administration is simply more willing to make political extortion more explicit. It’s just rent seeking as usual, only louder. Which, fine, it’s business as usual, but the volume does matter. Explicitness is a signal of voraciousness and intensity, that they are unlikely to be constrained by shame or the costs of overplaying a hand in the repeated game of lobbying and favorable policy outcomes that is replayed between industries and political parties across decades.

These things can and do come to a head eventually. These businesses are smart, they know how to discount repeated costs and figure out when it’s time to say no. A million here and a million there, pretty soon you’re talking about real money. Everyone’s always asking when someone is going to stand up to a bully. The answer is straightforward, if easier said than done: when the benefits outweigh the costs. Eventually the administration is going to make promises that yield big donations. Either those donations will serve to stabilize policy, at least in the interest of the donors (which will hopefully extend to vast swaths of the US marketplace), or they will renege on those promises and then things get… interesting. The word will get out and then it will all cascade down in a hilarious carnival of vicious public statements and political threats. The collateral damage could be minimized as an administration finds its impact limited and hands tied. Or the collateral damage is maximized as influence is sought to be reestablished through chaotic political writhings of a cornered animal.

I guess we have to root for stability? I’m not excited about it, but maybe the best thing for the US is for political extortion to be so significantly remunerative that the administration decides the most profitable choice is to in fact release the hostage that is the US economy.

I guess I’m just hoping the lessons of Speed have been rightly lost to time.

No Tech Workers or No Tech Jobs?

Several recent tweets (xeets) about tech talent re-ignited the conversation about native-born STEM workers and American policy. For the Very Online, Christmas 2024 was about the H-1B Elon tweets.

Elon Musk implies that “elite” engineering talent cannot be found among Americans. Do Americans need to import talent?

What would it take to home grow elite engineering talent? Some people interpreted this Vivek tweet to mean that American kids need to be shut away into cram schools.

The reason top tech companies often hire foreign-born & first-generation engineers over “native” Americans isn’t because of an innate American IQ deficit (a lazy & wrong explanation). A key part of it comes down to the c-word: culture. Tough questions demand tough answers & if we’re really serious about fixing the problem, we have to confront the TRUTH:

Our American culture has venerated mediocrity over excellence for way too long (at least since the 90s and likely longer). That doesn’t start in college, it starts YOUNG. A culture that celebrates the prom queen over the math olympiad champ, or the jock over the valedictorian, will not produce the best engineers.

– Vivek tweet on Dec. 26, 2024

My (Joy’s) opinion is that American culture could change on the margin to grow better talent (and specifically tech talent) resulting in a more competitive adult labor force. This need not come at the expense of all leisure. College students should spend 10 more hours a week studying, which would still leave time for socializing. Elementary school kids could spend 7 more hours a week reading and still have time for TV or sports.

I’ve said in several places that younger kids should read complex books before the age of 9 instead of placing a heavy focus on STEM skills. Narratives like The Hobbit are perfect for this. Short fables are great for younger kids.  

The flip side of this, which creates the puzzle, is: Why does it feel difficult to get a job in tech? Why do we see headlines like “Laid-off techies face ‘sense of impending doom’ with job cuts at highest since dot-com crash” (2024)?

Which is it? Is there a glut of engineering talent in America? Are young men who trained for tech frustrated that employers bring in foreign talent to undercut wages? Is there no talent here? Are H-1B’s a national security necessity to make up the deficit of quantity?

Previously, I wrote an experimental paper called “Willingness to be Paid: Who Trains for Tech Jobs?” to explore what might push college students toward computer programming. To the extent I found evidence that preferences matter, culture could indeed have some impact on the seemingly more impersonal forces of supply and demand.

For a more updated perspective, I asked two friends with domain-specific knowledge in American tech hiring for comments. I appreciate their rapid responses. My slowness, not theirs, explains this post coming out weeks after the discourse has moved on. Note that there are differences between the “engineers” whom Elon has in mind in the tweet below versus the broader software engineering world.

Software Engineer John Vandivier responds:


Keeping Receipts

Online shopping is convenient and even the norm for many items. Going to the store sounds like a time-consuming labor or an exceptional outing. My family, for example, lives in a suburban location that doesn’t have well-priced grocery home delivery. Shipping only works for some non-perishables. So, for many items we order online and do ‘drive-up pick-up’. We don’t even need to go into the store for many items. And reordering the same items repeatedly is a breeze.

We are also accustomed to the ability to return things. If your blender breaks on your first smoothie, then no worries – you can return it. If the chocolate cookies don’t taste like chocolate? Return it – satisfaction guaranteed. You can buy three pairs of shoes in different sizes and then keep the ones you want at the original sale price. Return the others.

For me, besides the time saved and convenience, a major factor in my decision to make purchases online is the documentation. I don’t need to save the receipt in a shoe box, Ziploc, or file drawer – the online retailer keeps an archive of all my purchases. Often this includes the date, amount, and shipping details including delivery date. There’s a super convenient digital paper trail.

If I need to contact a seller in order to exercise a warranty, then I have their contact information. I don’t need to retain the product packaging or investigate the brand at a future inopportune time. For example, I recently bought a Little Tikes water table for my kids. As I was assembling it on Christmas Eve I realized that I was missing a small part. I was able to work around it. But I was also able to immediately contact the manufacturer with a copy of my invoice. I emailed the date of purchase and the product model number, and the instruction manual had conveniently included part numbers. They were able to ship me the parts after a single email. Online shopping, and the resulting trail of evidence, makes the process much more practical than keeping paper records in a likely unorganized fashion.

There are other benefits to the paper trail. Back before widespread online shopping, retailers would often offer rebates as a sales strategy. In the year 2004, I bought a computer hard drive for $120 before a $40 mail-in rebate. The retailer (or manufacturer, I can’t remember) was hoping that people saw the post-rebate price and then failed to redeem it. And that often happened. You needed to fill out a rebate form on an index card, cut the UPC bar code off the product packaging, and then mail them with your receipt to the company rebate department in a stamped envelope. If you dragged your feet, then you’d probably lose an important piece of the crucial combination and lose out on your $40 rebate. If the items were lost in the mail, then you were shucks-out-of-luck. Now, rebates have gone the way of the dodo since receipts are automatically retained and retrievable.


New Website

Don’t worry, EWED is in the same place as always, but my personal website is moving.

Temple University has generously hosted my site long after my 2014 graduation. But next week they are moving to a more typical policy where alumni lose access to online university resources like web-hosting, email, and library datasets starting one year after graduation.

My new personal website is at jamesbaileyecon.com. Unless you are just trying to learn more about me or my research, I think the big draws are the pages where I share cleaned-up datasets and ideas for research papers.

Housing Quality Has Improved Dramatically Since the 1980s — For the Poorest Households

A few weeks ago I wrote a post comparing housing costs in 1971 to today. I noted that while houses had gotten bigger, the major quality improvement for the median new home was the presence of air conditioning, which went from a semi-luxury in 1971 (about 1/3 of new homes) to a standard feature in 2023. Even accounting for the presence of central air-conditioning and more square footage, I concluded that housing was about 17 percent more expensive in 2023 than 1971 (relative to wages).

However, if we consider the housing quality of the poorest Americans, the improvements go beyond air-conditioning and more square feet. A recent paper in the Journal of Public Economics titled “A Rising Tide Lifts All Homes? Housing Consumption Trends for Low-Income Households Since the 1980s” has important details on these improvements (ungated WP version). In addition to larger homes, there was “a marked improvement in housing quality, such as fewer sagging roofs, broken appliances, rodents, and peeling paint. The housing quality for low-income households improved across all 35 indicators we can measure.”

Overall, the number of poor American households living in “poor quality” housing was roughly cut in half from 1985 to 2021, from 39% to 16% among social safety net recipients, or from 30% to 12% for the bottom quintile. The 12-16% of poor households that still have poor quality housing is much more than we would like, but these are dramatic improvements over a period when many claim there was stagnation in the standard of living for poor Americans.

This figure from the paper shows the improvements for the different features:

For example, the number of households with no hot water was just 20% of what it was in the late 1980s. Some of the other major improvements are also related to plumbing and water, such as the number having no kitchen sink or no private bathtub/shower, but there was also a big decline in the presence of rodents in the house. All of the 35 indicators they looked at showed improvements, on average a 50% reduction in the number of households with these poor-quality components. This paper only uses data back to 1985, but almost certainly there would be even larger improvements if we used 1971 as the starting point.

While the median new home in 1971 had complete indoor plumbing, this was clearly not true for many poor households even through the 1980s. When we talk about the increasing cost of housing for the poorest Americans, much of that increase does represent essential quality improvements, and not merely more square feet and air conditioning (though they did get these improvements too).

Beware the Impactful Gastro-Intestinal “Norovirus”

This is about something unpleasant which I never heard of before this month, but I am sharing in case readers may benefit from a bit of intel here.

In a family I know with two kids under five, it started with the youngest child after he was likely exposed to unclean water. He vomited once, and then was apparently fine. I may be a bit fuzzy on the timeline, but I think it was the next day that the father came down with symptoms. Besides violent emptying of the GI tract from both ends, he was flat in bed for over 24 hours, hardly able to move. This was initially blamed on food poisoning from a restaurant seafood meal, but by the following day, the mom was feeling weak and shortly succumbed, with similar effects.

A woman went over to help this family. She wore an N-95 type mask and washed her hands diligently. Within a few days, the full symptoms suddenly overtook her, as well. But her husband never got it. The older child in the original family seemed to have escaped, but a couple of days later he came down with similar symptoms, which lasted off and on for several days.

Most likely the culprit here was the “norovirus”. The virus is named after the city of Norwalk, Ohio, where an outbreak occurred in 1968. It bears the charming nickname, “the winter vomiting disease.” Although the effects of the virus are very unpleasant, fortunately they usually last only a couple of days, with full recovery being the norm.  The sufferer should acquire immunity to that strain of the virus for six months to two years. Some people may escape becoming symptomatic, based on the bacterial populations in their gut biome.

Since this is an economics blog, here are some quick stats. In the U.S. the norovirus is estimated to cause about 20 million illnesses a year and about half of all foodborne disease outbreaks. Norovirus causes some 900 deaths and 100,000 hospitalizations annually, mostly among adults aged 65 and older. It also leads to nearly 500,000 emergency department visits, mostly involving young children.

 A model of the worldwide economic burden of the disease found:

Globally, norovirus resulted in a total of $4.2 billion (95% UI: $3.2–5.7 billion) in direct health system costs and $60.3 billion (95% UI: $44.4–83.4 billion) in societal costs per year. Disease amongst children <5 years cost society $39.8 billion, compared to $20.4 billion for all other age groups combined. Costs per norovirus illness varied by both region and age and was highest among adults ≥55 years. Productivity losses represented 84–99% of total costs varying by region. While low and middle income countries and high income countries had similar disease incidence (10,148 vs. 9,935 illness per 100,000 persons), high income countries generated 62% of global health system costs.

Once it shows up in a family, it is hard to avoid. A reason is that you can be sickened by exposure to as few as ten viral particles, compared to billions that are expelled in a bodily fluid incident. A doctor reported:

She once acquired a norovirus infection by simply using the same bathroom that had been used earlier in the day by a visiting in-law who was recovering from a recent bout with the stomach bug.  That’s because “people who have norovirus can shed the virus for up to two weeks after their symptoms are gone.”

In another case, a diner in a restaurant vomited on the floor. The mess was quickly cleaned up by staff, and other diners continued eating. In the next few days, 90% of the people at the same table as the sick person fell ill, along with 70% of the diners at an adjacent table, and 25% of the folks at a table across the room.

OK, that’s the bad news. How can we fight back? Lengthy handwashing with soap should help, along with quarantining as much as possible. It turns out that alcohol is not very good at killing this bug, so the usual hand sanitizers may be ineffective.  Better results can be had cleaning surfaces with a bleach-water solution.

The main care needed is hydration. From what I have read, most Gatorade-type sports drinks do provide needed electrolytes (e.g., sodium and potassium), but probably have more sugar than is optimal for this situation. Gatorade Zero has sucralose in place of sugar, if you are OK with that. Pedialyte is designed for rehydration after diarrhea, and has less sugar and more electrolytes than Gatorade. Avoid “Gatorade Water” – it is just water, with the tiniest “infusion” of sodium and potassium.

If you find yourself stricken, it is reportedly wise to have a wastebasket or other receptacle at hand in the bathroom, in case you face urgent activity from both ends at once (trying to word this delicately).

Fun fact I learned researching this topic: if the GI tract has been emptied, best avoid dairy for 48 hours after symptoms stop. That allows lactose in the gut to build back up again.

I have never gone on an extended cruise, partly because I don’t think I could resist the frequent offerings of desserts and snacks. But reading of norovirus outbreaks on cruise ships has given me another reason to stay on terra firma.

A requested regression

Please accept this as an admission of overcommitment, rather than laziness, but I posted something on bluesky and realized immediately afterwards that this can probably be easily tested.

If someone wants to take it upon themselves to regress wins over player-games lost to injury, I’d be most gracious. If they further wanted to interact that variable with total payroll expenditures (player payroll only, please), that would go further towards really testing the hypothesis. While I don’t tend to think there is much to be intuited from correlation coefficients, I would be curious to know how much the R-squared increases when you run a regression strictly over payroll and the lagged wins and then subsequently add player-games lost to injury to the independent variables. The delta on R-squared could be charted over time. There are other metrics that could be applied to try to control for overall talent, but the real question is how accurately could you predict the final standings in a sports league if all you knew was player expenditures and injury luck, and if this has changed over time.

I’ll happily sit on a masters or undergraduate thesis committee for anyone who pursues this!

(Not sure there is enough meat on the bones for a PhD thesis, but happy to be proven wrong)

A Wartime Natural Experiment About Copyright

One of the hardest questions in copyright policy is: “What would have happened otherwise?” When Disney lobbies for longer copyright terms or academic publishers defend high subscription fees, we struggle to evaluate their claims because we can’t observe the counterfactual. What would happen to creativity and innovation if we shortened copyright terms or lowered prices?

This is what makes Biasi and Moser’s 2021 study in the American Economic Journal: Microeconomics valuable. They examine a rare “natural experiment” from World War II – the Book Republication Program (BRP) – which provides insights into how copyright affects the spread and use of knowledge.

In 1942, the U.S. government allowed American publishers to reprint German scientific books without seeking permission from German copyright holders (though royalties were still paid to the U.S. government). This created a test case: German books suddenly became cheaper, while similar Swiss scientific books (Switzerland being neutral in the war) maintained their original copyright protection and prices.

This setup lets us answer the counterfactual question. What happens when you maintain basic royalty payments but prevent monopoly pricing? The researchers compared the same book before and after the policy change, German books versus Swiss books, areas near libraries with these books versus those without, and usage by English-speaking scientists versus others. Such comprehensive comparison groups are rarely available in copyright research.

The authors report that when book prices fell by 10%, new research citing these books increased by 40%. The benefits spread beyond elite institutions, with new research clusters emerging wherever scientists gained access to these books. This does not appear to just be shifting citations from one source to another – there was genuine new knowledge creation, evidenced by increased patents and PhD production.

Such clean natural experiments in copyright policy are rare (there are a few laboratory experiments). Most changes come from lobbying (like the “Mickey Mouse Protection Act”) or technological disruption (like music streaming), making it hard to isolate the effects of copyright itself. The BRP provides uniquely clear evidence that moderate copyright protection – rather than maximum protection – might better serve innovation.

As we debate copyright terms and academic paywalls today, this historical accident of war gives us something valuable: empirical evidence about what happens when you find a middle ground between total copyright protection and unrestricted access.

Biasi, Barbara and Petra Moser. 2021. “Effects of Copyrights on Science: Evidence from the WWII Book Republication Program.” American Economic Journal: Microeconomics, 13 (4): 218–60.

¡Hedonic Frijoles! …And Televisions!

You may have seen on your social media recently that the price of TVs has fallen 98% since 2020. That’s certainly what the data from the BLS says. This would seem to imply that a one-thousand dollar TV in the year 2000 would now be priced at $20. While we have seen amazing things in the market for TVs, we’re not seeing $20 TVs. One takeaway might be that the data is just wrong. But that data is always wrong. The question is how the data is wrong and whether it’s a problem.

The disagreement between the data and the price on the shelves is due to something called ‘Hedonic Adjustment’. The idea is that some goods have quality features that change over time, even if the price doesn’t change so much. In the case of TVs, we might see higher resolution, flatter screens, larger screen sizes, smart features, etc. TVs are not a stable set of qualities. They are a bundle of characteristics, and those characteristics have some wiggle room while still satisfying some sensible criteria for being a TV. In theory, every single good is a bundle of services that we value. The reason that some CPI categories have fallen so much is not necessarily only because the price has fallen. Rather, the amount of services that we get from a TV has increased so that each dollar that we spend can purchase more of those TV features.

Continue reading for the gif.
