Book Review: Internet Down, A Modern American Western
The New Face of IP Address Scanning

Research & Victim Phishing Reports Tell Same Sad Story

Photo by ~Aphrodite
The AntiPhishing Working Group has released a study of phishing attacks detected in the first half of 2012, and a second study of reports by phishing victims over a period of nearly two years. The Global Phishing Survey 1H2012: Trends and Domain Name Use uses a large sampling of confirmed phishing URLs. The Web Vulnerabilities Survey September 2012 uses reports submitted by organizations whose websites were compromised and subsequently used to host phishing attacks. 


While the studies use entirely different data sets, they share several of the same findings. In both reports, researchers found that the average phishing uptime (how long it takes for a phishing website, once detected, to remain up) is less than a day. The Global Phishing Survey also reports a median uptime of five hours and 45 minutes.

While investigators note that both average and median times are record lows, they also call attention to the same, sobering realities of phishing attacks:

"The longer a phishing attack remains active, the more money the victims and target institutions lose."

The organization that has its website compromised, and the company or brand that is phished, are victims."

The conclusion: early detection, notification, and prompt response by website operators is doubly important.

The Global Phishing Survey historical data, collected since 2008, provides what is a self-evident context for phishing attack victims: Phishers tend to use compromised web servers more frequently than servers they host and name using domain names they register directly. The reason, according to the study, is because "reputation services block domains and subdomains quickly and registrars and registries are more responsive to malicious registrations and have increased their fraud controls."

The lesson? Every legitimate website is a potential target, and so site operators need to consider and implement some form of web application firewall, server hardening, server grade host intrusion detection, and network monitoring.

One of the more difficult findings to corroborate in the Web Vulnerabilities Survey is how the attackers were able to hack into websites. (See Logging: A Vanishing Art Form and Elements of an Effective Logging Game Plan.)

Image by opk
Read independently from the Global Phishing Survey, victim reports don’t paint a clear picture. However, if we correlate certain observations from the two studies, we can draw some interesting conclusions.


From the Global Phishing Survey, we see that:

  • Phishers have automated scripts and services that find and exploit large numbers of web servers using known vulnerabilities;
  • There are more exploitable web services, particularly applications like WordPress or Joomla.

In the Web Vulnerability Survey findings, we learn that:

  • LAMP (Linux, Apache, MySQL, PHP) is the most popular web operating environment
  • PHP is used by 78 percent of compromised websites
  • Joomla or Wordpress are used by over fifty percent for site management.

Taken together, we can conclude that web applications and site management are preferred attack vectors. For organizations, that means security teams should consider the secure deployment strategy mentioned in the Web Vulnerability Survey, which includes web application vulnerability scanning, secure application development, patch currency maintenance, and best-practices for secure application configuration (for Wordpress sites, see How to Protect Your Wordpress Site from Hackers and Use These Wordpress Plugins to Help Secure Your Site).

These are only highlights of a large and diverse set of findings and recommendations you and your partners will find in the APWG reports. The Global Phishing Survey studies are repeated biannually, so they can be particularly valuable as a means to monitor the constantly changing phishing attack surface.

This an updated version of an article published November 2012 at The Champion Community.


Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)