What is the current trend in phishing attacks?
According to Google Safe Browsing, phishing attacks are on the rise compared to malware-hosting websites.
What are the events in the life cycle of a phishing website, and how can we collect relevant data?
- When the website is configured, attackers visit it for testing purposes
- Attack distribution is usually performed via emails
- Attacks go offline due to takedown or the phishers’ own choice
How does the victim traffic distribution change over the life cycle of phishing websites?
- Phishing clearing houses take around 9 hours after the first victims visit a phishing website to detect it
- Even after the websites are detected as malicious, about 40% of total visits to them happen after detection
How do browser-based defenses work after phishing websites are detected by phishing clearing houses?
- The above diagram shows attack effectiveness even after the websites are marked as malicious
- 40% effectiveness after 2 hours
- 10% effectiveness after 8 hours
- So, there is a large window for attackers to reach more victims before browser-based defenses are really effective
Is the volume of victim traffic correlated with the number of reported URLs?
- The number of reported phishing URLs is not always correlated with the victim traffic
- Hence, when detecting phishing, one should not simply consider only the number of reported phishing URLs
Are there long-lived phishing websites? What is their impact?
- Some attacks persist from 9 to 6 months (why are they not taken down?)
- Most of these high-impact phishing URLs are using deceptive subdomains or paths
- Notice that the majority of domains are not registered by attackers (they are either compromised or free subdomains/domains)
- There is room before and after detection to improve phishing defenses
- Before detection, use web traffic information to proactively detect phishing websites
- After detection, improve the latency of browser-based defenses
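
To make the point about deceptive subdomains and paths concrete, here is an added example (not code from the paper or from this summary) that reports where a brand keyword sits in a URL relative to the registrable domain. The brand names, the URLs and the two-entry suffix set are constructed assumptions; a real deployment would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed sample data: brand keyword -> registrable domains the brand owns.
BRANDS = {"examplebank": {"examplebank.example"}, "examplepay": {"examplepay.example"}}
# Assumption: tiny stand-in for the Public Suffix List; use the real list in practice.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

def registrable_domain(host):
    """Return the registrable domain of a host name (simplified suffix handling)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify(url):
    """Return (brand, placement): where a brand keyword sits in the URL.

    placement is 'legitimate', 'domain' (keyword in a domain the brand does not
    own), 'subdomain', 'path', or None when no brand keyword is present.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    reg = registrable_domain(host)
    sub = host[: len(host) - len(reg)].rstrip(".")
    rest = (parts.path + "?" + parts.query).lower()
    # A URL on a domain the brand really owns is never flagged.
    for brand, owned in BRANDS.items():
        if reg in owned:
            return brand, "legitimate"
    for brand in BRANDS:
        if brand in reg:
            return brand, "domain"
        if brand in sub:
            return brand, "subdomain"
        if brand in rest:
            return brand, "path"
    return None, None

# Constructed URLs covering each placement.
SAMPLES = [
    "https://www.examplebank.example/login",
    "http://examplebank.example.secure-login.shop-site.test/verify",
    "http://shop-site.test/wp-content/examplebank/login.php",
    "http://examplepay.free-hosting.test/",
    "http://examplebank-verify.test/",
    "https://news.shop-site.test/story",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(classify(url), url)
```

The 'subdomain' and 'path' results are the cases where a domain blocklist keyed on brand-like registered names would miss the URL, because the registrable domain itself carries no brand keyword.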
Oest et al., Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale