« Book Review: Internet Down, A Modern American Western | Main | The New Face of IP Address Scanning »

Monday, 18 February 2013

Research & Victim Phishing Reports Tell Same Sad Story

Sadstory
Photo by ~Aphrodite
The AntiPhishing Working Group has released a study of phishing attacks detected in the first half of 2012, and a second study of reports by phishing victims over a period of nearly two years. The Global Phishing Survey 1H2012: Trends and Domain Name Use uses a large sampling of confirmed phishing URLs. The Web Vulnerabilities Survey September 2012 uses reports submitted by organizations whose websites were compromised and subsequently used to host phishing attacks. 

 

While the studies use entirely different data sets, they share several of the same findings. In both reports, researchers found that the average phishing uptime (how long it takes for a phishing website, once detected, to remain up) is less than a day. The Global Phishing Survey also reports a median uptime of five hours and 45 minutes.

While investigators note that both average and median times are record lows, they also call attention to the same, sobering realities of phishing attacks:

"The longer a phishing attack remains active, the more money the victims and target institutions lose."

The organization that has its website compromised, and the company or brand that is phished, are victims."

The conclusion: early detection, notification, and prompt response by website operators is doubly important.

The Global Phishing Survey historical data, collected since 2008, provides what is a self-evident context for phishing attack victims: Phishers tend to use compromised web servers more frequently than servers they host and name using domain names they register directly. The reason, according to the study, is because "reputation services block domains and subdomains quickly and registrars and registries are more responsive to malicious registrations and have increased their fraud controls."

The lesson? Every legitimate website is a potential target, and so site operators need to consider and implement some form of web application firewall, server hardening, server grade host intrusion detection, and network monitoring.

One of the more difficult findings to corroborate in the Web Vulnerabilities Survey is how the attackers were able to hack into websites. (See Logging: A Vanishing Art Form and Elements of an Effective Logging Game Plan.)

Sadstory2
Image by opk
Read independently from the Global Phishing Survey, victim reports don’t paint a clear picture. However, if we correlate certain observations from the two studies, we can draw some interesting conclusions.

 

From the Global Phishing Survey, we see that:

  • Phishers have automated scripts and services that find and exploit large numbers of web servers using known vulnerabilities;
  • There are more exploitable web services, particularly applications like WordPress or Joomla.

In the Web Vulnerability Survey findings, we learn that:

  • LAMP (Linux, Apache, MySQL, PHP) is the most popular web operating environment
  • PHP is used by 78 percent of compromised websites
  • Joomla or Wordpress are used by over fifty percent for site management.

Taken together, we can conclude that web applications and site management are preferred attack vectors. For organizations, that means security teams should consider the secure deployment strategy mentioned in the Web Vulnerability Survey, which includes web application vulnerability scanning, secure application development, patch currency maintenance, and best-practices for secure application configuration (for Wordpress sites, see How to Protect Your Wordpress Site from Hackers and Use These Wordpress Plugins to Help Secure Your Site).

These are only highlights of a large and diverse set of findings and recommendations you and your partners will find in the APWG reports. The Global Phishing Survey studies are repeated biannually, so they can be particularly valuable as a means to monitor the constantly changing phishing attack surface.

This an updated version of an article published November 2012 at The Champion Community.

Posted at 07:50 AM in Anti-Malware and Anti-phishing |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)

Find me on Mastodon and Facebook

Spotlight Posts

  • New study: Cybercrime Supply Chain 2023
    Today, my Interisle colleagues and I released a study, Cybercrime Supply Chain 2023: Measurements and Assessments of Cyber Attack Resources and Where Criminals Acquire Them. Criminals who perpetrate malware, spam, phishing and other serious cybercrimes enjoy an enormous economic advantage over defenders and responders. They can acquire resources from an online cybercrime supply chain where everything from phishing kits and malicious software, email lists and mobile numbers, domain names and Internet addresses, and places to host attacks are all readily and cheaply available. Our report examines these supply chains. We examined over 10M reports collected at the Cybercrime Information Center...
  • Interisle study reveals that phishing attacks have tripled since May 2020, situation worsening each year
    My colleagues at Interisle Consulting Group and I today announced the publication of an industry report, Phishing Landscape 2023, A Study of the Scope and Distribution of Phishing. We analyzed more than 11 million phishing reports collected from 1 May 2020 to 30 April 2023 to provide annual and triennial measurements of phishing. Our study identifies distinct, persistent exploitation and abuse of Internet resources, reveals that criminals can trivially acquire everything they need to phish. Among the major findings in the study, Interisle reports that: The number of phishing attacks has tripled since May 2020, and has increased 65% over...
  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.

Search

My Photo

Categories