Richard Clayton and I have been studying phishing website take-down for some time. We monitored the availability of phishing websites, finding that while most phishing websites are removed with a day or two, a substantial minority remain for much longer. We later found that one of the main reasons why so many websites slip through the cracks is that the take-down companies responsible for removal refuse to share their URL lists with each other.
One nagging question remained, however. Do long-lived phishing websites cause any harm? Would removing them actually help? To get that answer, we had to bring together data on the timing of phishing spam transmission (generously shared by Cisco IronPort) with our existing data on phishing website lifetimes. In our paper co-authored with Henry Stern and presented this week at the USENIX LEET Workshop in Boston, we describe how a substantial portion of long-lived phishing websites continue to receive new spam until the website is removed. For instance, fresh spam continues to be sent out for 75% of phishing websites alive after one week, attracting new victims. Furthermore, around 60% of phishing websites still alive after a month keep receiving spam advertisements.
Consequently, removal of websites by the banks (and the specialist take-down companies they hire) is important. Even when the sites stay up for some time, there is value in continued efforts to get them removed, because this will limit the damage.
However, as we have pointed out before, the take-down companies cause considerable damage by their continuing refusal to share data on phishing attacks with each other, despite our proposals addressing their competitive concerns. Our (rough) estimate of the financial harm due to longer-lived phishing websites was $330 million per year. Given this new evidence of persistent spam campaigns, we are now more confident of this measure of harm.
There are other interesting insights discussed in our new paper. For instance, phishing attacks can be broken down into two main categories: ordinary phishing hosted on compromised web servers and fast-flux phishing hosted on a botnet infrastructure. It turns out that fast-flux phishing spam is more tightly correlated with the uptime of the associated phishing host. Most spam is sent out around the time the fast-flux website first appears and stops once the website is removed. For phishing websites hosted on compromised web servers, there is much greater variation between the time a website appears and when the spam is sent. Furthermore, fast-flux phishing spam was 68% of the total email spam detected by IronPort, despite this being only 3% of all the websites.
So there seems to be a cottage industry of fairly disorganized phishing attacks, with perhaps a few hundred people involved. Each compromises a small number of websites, while sending a small amount of spam. Conversely there are a small number of organized gangs who use botnets for hosting, send most of the spam, and are extremely efficient on every measure we consider. We understand that the police are concentrating their efforts on the second set of criminals. This appears to be a sound decision.
@ Tyler,
“Conversely there are a small number of organized gangs who…
…We understand that the police are concentrating their efforts on the second set of criminals. This appears to be a sound decision.”
Which raises the question,
“For how long?”,
Or,
“When is police or bank action against this group going to be sufficiently successfull to cause a change in tactics by the group, so that they look like the other group or a new type of group?”
Potentialy your work can act as a barometer or “sea state” indicator and show when there is a change on the way and importantly from which direction.
Not only would that be of interest to the Police, but also to the banks. However I’m not sure the companies the banks employ would like it.
If you are company A with clients XYZ you are not only in competition with company B or C but with yourself.
On the assumption that as company A you are compleatly honest what do you do when you are aware of an attack against a bank who is not one of your clients there are several things you can do,
1, Nothing,
2, Take action against it yourself,
3, Tell your competitor so they can take action.
4, Inform the banks senior managment.
If you take option 4 it might help you when it comes around to the time when the bank looks to renew contracts.
If option 3 you are effectivly acting as an unpaid agent for one of your competitors, who are under no obligation to repay the favour or inform their employer of where the “tip” came from.
Likewise for option 2 only you are also expending further resources needlessly for no apparent gain.
Which is why option I on the surface looks to be the most cost effective for any of the companies.
But there is also a hidden point here, if you and your competitors become overly successfull then the attacks as they currently are will stop as they will no longer work for those commiting them.
Either they will give up (unlikley) or move to new methods.
Either way your company loses out, either because there is no need for the banks to pay for your services or because you will have to learn new ways to deal with the new methods employed by the attackers.
Now if you remove the assumption that one or more of these companies are honest you get an interesting dynamic arising.
As some will remember there have been past claims that virus companies where creating “lab only” viri to keep the competition busy and themselves in work. Similar claims have been made about malware in more recent times.
If a company where less than honest they would ensure that there was a stedy stream of new attacks not just against their competitors banks (ie make them look like poor performers by their slow response) but also against their own banks so that they can look like good performers by their very rapid response. It would take very few but noisy attacks to skew any one companies odds significantly.
So your work might just show up companies that are involved with less than honest behaviour (if any).