End to End Timeline of Phishing Attacks
What is the current trend in phishing attacks?
According to Google Safe Browsing data, phishing websites are on the rise relative to malware-hosting websites.
What are the events in the life cycle of a phishing website, and how can we collect relevant data?
- Once the website is configured, attackers visit it themselves for testing purposes
- Attack distribution is usually performed via email
- Attacks go offline either because of a takedown or by the phishers' own choice
How does the victim traffic distribution change over the life cycle of phishing websites?
- It takes around 9 hours after the first victims visit the website for phishing clearinghouses to detect it as a phishing website
- Even after the website is detected as malicious, about 40% of its total visits happen after detection
How do browser based defenses work after phishing websites are detected by phishing clearing houses?
- The above diagram shows the attack's effectiveness even after the website is marked as malicious
- 40% effectiveness after 2 hours
- 10% effectiveness after 8 hours
- So there is a large window in which attackers can reach more victims before browser-based defenses become really effective
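The two notes above (detection latency and the residual effectiveness once a URL is blocklisted) can be computed from a per-site event timeline. The block below is an added example, not data or code from the paper: the event timeline is constructed, and `attack_effectiveness` is a toy piecewise-linear model that only passes through the two data points the notes give (40% at 2 h, 10% at 8 h); its shape between and beyond those points is an assumption.

```python
from datetime import datetime

# Constructed sample timeline for a single phishing site; timestamps are
# invented for illustration and follow the phases the notes describe:
# attacker test visit -> victim traffic -> detection -> takedown/offline.
EVENTS = [
    ("2024-01-01T01:00:00", "attacker_test"),
    ("2024-01-01T06:00:00", "victim_visit"),   # first victim
    ("2024-01-01T07:00:00", "victim_visit"),
    ("2024-01-01T08:30:00", "victim_visit"),
    ("2024-01-01T10:00:00", "victim_visit"),
    ("2024-01-01T12:00:00", "victim_visit"),
    ("2024-01-01T14:00:00", "victim_visit"),
    ("2024-01-01T15:00:00", "detected"),       # clearinghouse flags the URL
    ("2024-01-01T16:00:00", "victim_visit"),   # 1 h after detection
    ("2024-01-01T17:00:00", "victim_visit"),   # 2 h
    ("2024-01-01T19:00:00", "victim_visit"),   # 4 h
    ("2024-01-01T23:00:00", "victim_visit"),   # 8 h
    ("2024-01-02T02:00:00", "offline"),
]


def parse_events(raw):
    return [(datetime.fromisoformat(ts), kind) for ts, kind in raw]


def first_time(events, kind):
    return min(ts for ts, k in events if k == kind)


def hours_to_detection(events):
    """Hours between the first victim visit and the clearinghouse detection."""
    delta = first_time(events, "detected") - first_time(events, "victim_visit")
    return delta.total_seconds() / 3600


def post_detection_share(events):
    """Fraction of victim visits that arrive at or after detection."""
    detected = first_time(events, "detected")
    visits = [ts for ts, k in events if k == "victim_visit"]
    return sum(ts >= detected for ts in visits) / len(visits)


def attack_effectiveness(hours_after_detection):
    """Toy model (assumption) of residual attack effectiveness once a URL is
    blocklisted: piecewise linear through the two points in the notes
    (0.4 at 2 h, 0.1 at 8 h). Not the paper's measured curve."""
    h = hours_after_detection
    if h <= 0:
        return 1.0          # browsers have not yet received the block entry
    if h <= 2:
        return 1.0 - 0.3 * h
    if h <= 8:
        return 0.4 - 0.05 * (h - 2)
    return 0.1


def expected_successful_visits(events):
    """Victim visits weighted by the chance the browser still shows the page."""
    detected = first_time(events, "detected")
    total = 0.0
    for ts, k in events:
        if k != "victim_visit":
            continue
        hours = (ts - detected).total_seconds() / 3600
        total += attack_effectiveness(hours)
    return total


def lifetime_hours(events):
    """Whole lifecycle: attacker's first test visit until the site goes offline."""
    delta = first_time(events, "offline") - first_time(events, "attacker_test")
    return delta.total_seconds() / 3600


if __name__ == "__main__":
    ev = parse_events(EVENTS)
    print(f"time to detection  : {hours_to_detection(ev):.1f} h")
    print(f"visits after detect: {post_detection_share(ev):.0%}")
    print(f"expected successful: {expected_successful_visits(ev):.1f} of 10 visits")
    print(f"site lifetime      : {lifetime_hours(ev):.1f} h")
```

On the constructed timeline, detection lands 9 h after the first victim and 4 of the 10 visits arrive afterwards; because blocklist propagation is gradual, those 4 visits still contribute about 1.5 expected successful visits, which is the "large window" the notes refer to. Feeding real clearinghouse and traffic logs through the same functions gives the per-site latency and post-detection share directly.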
Is the volume of victim traffic correlated with the number of reported URLs?
- The number of reported phishing URLs is not always correlated with victim traffic
- Hence, when measuring phishing, one should not consider only the number of reported phishing URLs
Are there long-lived phishing websites? What is their impact?
- Some attacks persist from 9 to 6 months (why are they not taken down?)
- Most of these high-impact phishing URLs use deceptive subdomains or paths
- Notice that the majority of the domains are not registered by the attackers (they are either compromised domains or free subdomains/domains)
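A defender-side triage check for the pattern just described (a brand name placed in the subdomain or path of a domain the brand does not own) is shown below. This is an added example, not code from the paper: the brand list and sample URLs are constructed, and `registered_domain` deliberately uses a two-label simplification instead of the Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed brand list for the demo: brand keyword -> the domain the brand
# actually owns. A real deployment would load this from a maintained list.
BRANDS = {
    "paypal": "paypal.com",
    "microsoft": "microsoft.com",
    "chase": "chase.com",
}

# Constructed sample URLs (not from the paper); the hosts are placeholders.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "https://paypal.com.account-verify.example-host.net/login",
    "https://example-blog.org/wp-content/uploads/microsoft/office365/index.php",
    "https://news.example.com/2024/chase-bank-fees",
]


def registered_domain(host):
    """Simplification (assumption): take the last two labels as the registrable
    domain. Production code should use the Public Suffix List (e.g. tldextract)
    so that hosts such as login.example.co.uk are split correctly."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def deceptive_parts(url):
    """Return (location, brand) pairs where a brand keyword appears in the
    subdomain or path of a URL whose registered domain is not the brand's own."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registered_domain(host)
    subdomain = host[: -len(reg)].rstrip(".") if host.endswith(reg) else ""
    path = parsed.path.lower()
    findings = []
    for brand, legit in BRANDS.items():
        if reg == legit:
            continue  # brand's own domain: a brand word there is expected
        if brand in subdomain:
            findings.append(("subdomain", brand))
        if brand in path:
            findings.append(("path", brand))
    return findings


def triage(urls):
    """Map each URL to its findings; an empty list means nothing suspicious."""
    return {u: deceptive_parts(u) for u in urls}


if __name__ == "__main__":
    for url, hits in triage(SAMPLE_URLS).items():
        print(f"{url}\n    -> {hits or 'no brand impersonation signal'}")
```

The last sample URL shows the limitation: a news article that mentions a bank in its path is flagged too, so this signal is a prioritisation hint to combine with traffic data (the proactive-detection takeaway below), not a verdict on its own.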
Takeaways:
- There is room both before and after detection to improve phishing defenses
- Before detection, use web traffic information to proactively detect phishing websites
- After detection, reduce the latency of browser-based defenses
Reference:
Oest et al., "Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale", USENIX Security 2020