End to End Timeline of Phishing Attacks

What is the current trend in phishing attacks?

As per Google Safe Browsing, phishing attacks are on the rise compared to malware hosting websites:

Phishing vs. Web-based malware trends

What are the events in the life cycle of a phishing website and how we can collect relevant data?

Life Cycle of (Paypal) Phishing Websites
  • When the website is configured, attackers visit it for testing purposes
  • Attack distribution is usually performed via emails
  • Attacks go offline due to take down or phishers’ own choice

How does the victim traffic distribution change over the life cycle of phishing websites?

Number of visits to Paypal phishing websites
  • It takes around 9 hours after the first victims visit the website for phishing clearing houses to detect a phishing website
  • Even after they are detected as malicious, about 40% of total visits to the website happens after detection

How do browser based defenses work after phishing websites are detected by phishing clearing houses?

Effectiveness of attacks after they detected
  • The above diagram shows the attack effectiveness even after they are marked as malicious
  • 40% effectiveness after 2 hours
  • 10% effectiveness after 8 hours
  • So, there is a large window for attackers reach more victims until browser based defenses are really effective

Is the number of victim traffic correlated to the number of reported URLs?

Reported phishing URLs vs. Victim Traffic
  • #reported phishing URLs are not always correlated to the victim traffic
  • Hence, when detecting phishing, one should not simply consider only the number of reported phishing URLs

Are there long lived phishing websites? What are their impact?

Long running campaigns
  • Some attacks persist from 9 to 6 months (why are they not taken down?)
  • Most of these high-impact phishing URLs are using deceptive subdomains or paths
  • Notice at the majority of domains are not registered by attackers (either compromised or free subdomains/domains)

Take Aways:

  • There is room before and after detection to improve phishing defenses
  • Before detection, use web traffic information to proactively detect phishing websites
  • After detection, improve the browser based defense latency


Oest et. al., Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale

#probability #statistics #ML #DL #coding #security #building #digest