« Book Review: Internet Down, A Modern American Western | Main | The New Face of IP Address Scanning »

Monday, 18 February 2013

Research & Victim Phishing Reports Tell Same Sad Story

Sadstory
Photo by ~Aphrodite
The AntiPhishing Working Group has released a study of phishing attacks detected in the first half of 2012, and a second study of reports by phishing victims over a period of nearly two years. The Global Phishing Survey 1H2012: Trends and Domain Name Use uses a large sampling of confirmed phishing URLs. The Web Vulnerabilities Survey September 2012 uses reports submitted by organizations whose websites were compromised and subsequently used to host phishing attacks. 

 

While the studies use entirely different data sets, they share several of the same findings. In both reports, researchers found that the average phishing uptime (how long it takes for a phishing website, once detected, to remain up) is less than a day. The Global Phishing Survey also reports a median uptime of five hours and 45 minutes.

While investigators note that both average and median times are record lows, they also call attention to the same, sobering realities of phishing attacks:

"The longer a phishing attack remains active, the more money the victims and target institutions lose."

The organization that has its website compromised, and the company or brand that is phished, are victims."

The conclusion: early detection, notification, and prompt response by website operators is doubly important.

The Global Phishing Survey historical data, collected since 2008, provides what is a self-evident context for phishing attack victims: Phishers tend to use compromised web servers more frequently than servers they host and name using domain names they register directly. The reason, according to the study, is because "reputation services block domains and subdomains quickly and registrars and registries are more responsive to malicious registrations and have increased their fraud controls."

The lesson? Every legitimate website is a potential target, and so site operators need to consider and implement some form of web application firewall, server hardening, server grade host intrusion detection, and network monitoring.

One of the more difficult findings to corroborate in the Web Vulnerabilities Survey is how the attackers were able to hack into websites. (See Logging: A Vanishing Art Form and Elements of an Effective Logging Game Plan.)

Sadstory2
Image by opk
Read independently from the Global Phishing Survey, victim reports don’t paint a clear picture. However, if we correlate certain observations from the two studies, we can draw some interesting conclusions.

 

From the Global Phishing Survey, we see that:

  • Phishers have automated scripts and services that find and exploit large numbers of web servers using known vulnerabilities;
  • There are more exploitable web services, particularly applications like WordPress or Joomla.

In the Web Vulnerability Survey findings, we learn that:

  • LAMP (Linux, Apache, MySQL, PHP) is the most popular web operating environment
  • PHP is used by 78 percent of compromised websites
  • Joomla or Wordpress are used by over fifty percent for site management.

Taken together, we can conclude that web applications and site management are preferred attack vectors. For organizations, that means security teams should consider the secure deployment strategy mentioned in the Web Vulnerability Survey, which includes web application vulnerability scanning, secure application development, patch currency maintenance, and best-practices for secure application configuration (for Wordpress sites, see How to Protect Your Wordpress Site from Hackers and Use These Wordpress Plugins to Help Secure Your Site).

These are only highlights of a large and diverse set of findings and recommendations you and your partners will find in the APWG reports. The Global Phishing Survey studies are repeated biannually, so they can be particularly valuable as a means to monitor the constantly changing phishing attack surface.

This an updated version of an article published November 2012 at The Champion Community.

Posted at 07:50 AM in Anti-Malware and Anti-phishing |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Find me on Mastodon and Facebook

Spotlight Posts

  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...

Search

My Photo

Categories