Wild Kingdom: Life and Quick Death of a Phishing Site

What exactly is the lifecycle of a phishing attack?

With the number of unique phishing attacks jumping to over 1,400 in June—a 19 percent increase from May—security researchers are racing to answer that question.

Enter the Anti-Phishing Working Group (APWG), an industry association formed by Tumbleweed Communications. The group collects reports of phishing sites and attacks and releases trend data about how such attacks evolve, with the goal of eradicating them.

Among the interesting findings, according to the group’s latest “Phishing Attack Trends Report”: unique phishing attacks—the types of attacks, not the number of times each attack was used—increased by 19 percent from May to June, and the average lifespan of a phishing attack is just 2.25 days. Attackers are also increasingly using spam, and any given attack may employ different e-mail subject lines for different targets, making it harder to detect.

Phishing attacks have an appreciable success rate: 5 percent, estimates APWG. “The result of these scams is that consumers suffer credit card fraud, identity theft, and financial loss.”

Given the goal of many phishing attacks—to capture personal information, such as credit card and bank account numbers—perhaps it’s no surprise that financial services is the most-targeted industry. Citibank, in particular, has recently borne the brunt of phishing attacks, with 492 unique attacks targeting it in June alone. Attacks against U.S. Bank and Fleet also increased sharply. The retail sector, especially eBay, is a close second in terms of number of attacks.

Phishing e-mails rely upon a variety of means to entice users to believe in them. For example, APWG says 92 percent of e-mail “from” addresses used in attacks were forged.
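A forged "from" address is easy to put in a message but hard to make consistent with the rest of the headers and body. As an added illustration (not part of the original article, and not an APWG tool), the following Python script checks a message for three such inconsistencies: the envelope sender (Return-Path) domain versus the From domain, the host that connected to our mail exchanger (first Received header) versus the From domain, and the URL a link displays versus the URL it actually points to. The two sample messages are constructed for the example and use reserved documentation hosts and addresses.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not from the article). Hosts and addresses use
# documentation ranges / reserved names so nothing here refers to a real system.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.7])
\tby mx.example.org with ESMTP id abc123
From: "Example Bank Security" <alerts@examplebank.example>
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://203.0.113.9/login">log in at https://www.examplebank.example</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
Return-Path: <alerts@examplebank.example>
Received: from smtp.examplebank.example (smtp.examplebank.example [192.0.2.10])
\tby mx.example.org with ESMTP id def456
From: "Example Bank" <alerts@examplebank.example>
To: customer@example.org
Subject: Your monthly statement
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement is ready at <a href="https://www.examplebank.example/statements">https://www.examplebank.example/statements</a></p>
</body></html>
"""


def _domain(address):
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def _under(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return bool(domain) and (host == domain or host.endswith("." + domain))


def analyze(raw):
    """Return a list of inconsistencies between what the message claims
    (From header, link text) and what the transport and markup show
    (Return-Path, first Received relay, href targets)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = _domain(parseaddr(str(msg.get("From", "")))[1])
    envelope_domain = _domain(parseaddr(str(msg.get("Return-Path", "")))[1])
    if envelope_domain and envelope_domain != from_domain:
        findings.append(
            f"envelope sender domain {envelope_domain!r} does not match From domain {from_domain!r}"
        )

    # The topmost Received header was written by our own MX, so it is the one
    # we can trust; it names the host that actually connected to us.
    for received in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)", str(received))
        if m:
            relay = m.group(1)
            if not _under(relay, from_domain):
                findings.append(
                    f"connecting relay {relay!r} is not under From domain {from_domain!r}"
                )
            break

    # Compare each link's visible URL (if the anchor text shows one) with its real target.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, flags=re.S | re.I):
        shown = re.search(r"https?://\S+", text)
        if shown:
            shown_host = urlparse(shown.group(0)).hostname
            real_host = urlparse(href).hostname
            if shown_host != real_host:
                findings.append(f"link text shows {shown_host!r} but href points to {real_host!r}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(sample) or ["no inconsistencies"])
```

None of these checks proves forgery on its own: legitimate senders routinely use third-party relays and bounce addresses, so a mismatch is a signal to weigh with others (such as SPF results), not a verdict. The link check is the most direct indicator, because a brand's own mail has no reason to display one host while linking to another.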

After a phishing attack captures information, most of the time the data is simply stored on the Web server used in the attack, with attackers periodically retrieving it. About one-quarter of phishing sites are hosted on Web servers that have been hacked; hosts don’t know of the phishing site’s presence. In terms of country of origin, most phishing sites originate from United States Web sites, followed by South Korea, China, and Taiwan. Attackers likely use sites in the latter three countries because “language and time zone barriers make it more difficult for brand-owning companies to shut the sites down,” says APWG. The longer the phishing site remains active, the greater the chance of ensnaring someone.

The group also suspects many phishing attacks aren’t just the province of solo criminals. For example, in an analysis of one attack, APWG discovered the exact same attack—targeting a bank—was being used at the same time, but from a different Web server in another country, to target a different bank. Due to this level of coordination, the APWG suspects “the participation of at least one well-orchestrated, systematic criminal organization in the phishing world.” In addition, the group believes so-called zombie machines—machines hacked by Trojan software, without the owners’ knowledge, then held in reserve until needed by attackers—may have been running the server software used in the simultaneous attacks, making the attackers themselves difficult to trace.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.