Some Q1 ‘06 Phishing Stats
by Jose Nazario

This morning, on one of the malicious activity tracking lists that we subscribe to, someone asked about phishing stats for Q1 2006. I got curious, too, so I ran stats on the feed going into our Active Threat Feed (ATF) phishing policy, and came up with some surprising stats. From 1/26-4/26, we saw about 2700 phishing URLs that pointed to 1000 or so hosts.
The top targets remain the usual suspects, including eBay and PayPal (especially with the sysdll.php kit), although Chase has made a strong showing in this timeframe (more on that below). We haven’t seen significantly large numbers of changes to their methods, outside of the Chase targeting, and we continue to see the same kits deployed again and again. We are seeing improvements in the takedown efforts, though, as the community gets stronger.

Figure 1: Phishing attacks by targeted institution. Each unique URL is counted only once.
A few interesting stats from all of this:
- 70% of all hosts have only one occurrence in the list of phishing servers.
- The top hosts (the ones hosting more than one phishing site) are responsible for 80% of the phishing attacks in this time frame.
- Only two hosts had 100+ phishing sites hosted on them; the most had 270 unique URLs pointed at it.
- The top host accounted for about 4% of the phishing sites advertised in the captured e-mails.

Figure 2: Phishing attacks by hosting server. Each URL is counted only once.
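The per-host figures in the list above can be derived from a URL feed along the following lines. This is an added example, not the code used to produce the stats in this post; the feed entries, the function name and the URL de-duplication rule are assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample feed (placeholder hosts, not real data).
SAMPLE_FEED = [
    "http://203.0.113.7/signin/index.html",
    "http://203.0.113.7/signin/index.html",        # same URL reported twice
    "http://203.0.113.7/~user/update/login.php",
    "http://203.0.113.7/survey/reward.html",
    "http://HOST-A.example.net/secure/login.php",  # host case differs
    "http://host-a.example.net/secure/verify.php",
    "http://host-b.example.org/account/confirm.htm",
    "http://host-c.example.com:8080/webscr/index.php",
    "not a url",                                   # malformed feed entry
]

def host_concentration(urls):
    """Summarise how unique phishing URLs are spread across hosts."""
    unique = set()
    for raw in urls:
        try:
            parts = urlsplit(raw.strip())
        except ValueError:
            continue
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        # Assumption: two reports are the same URL when host (lower-cased
        # by urlsplit), path and query match.
        unique.add((parts.hostname, parts.path or "/", parts.query))
    per_host = Counter(host for host, _, _ in unique)
    total = sum(per_host.values())
    if total == 0:
        return None
    single = sum(1 for n in per_host.values() if n == 1)
    multi_urls = sum(n for n in per_host.values() if n > 1)
    top_host, top_count = per_host.most_common(1)[0]
    return {
        "unique_urls": total,
        "hosts": len(per_host),
        "single_url_host_pct": round(100 * single / len(per_host), 1),
        "multi_url_host_share_pct": round(100 * multi_urls / total, 1),
        "top_host": top_host,
        "top_host_urls": top_count,
        "top_host_share_pct": round(100 * top_count / total, 1),
    }

if __name__ == "__main__":
    for key, value in host_concentration(SAMPLE_FEED).items():
        print(f"{key}: {value}")
```

Hosts that carry many unique URLs are the ones where a single takedown removes the most phishing sites, which is why the multi-URL share is worth tracking alongside the raw host count.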
In this timeframe, we also saw a dramatic upsurge in phishing attacks targeting Chase accounts. The e-mails usually had a couple of attractors to them, most notably the “Get $20 for taking our customer survey” approach. See this PIRT report to see some screenshots and examples. Most of the Chase phishes using this approach look similar. This really shows up in the pie chart below showing phishing attacks by targeted institutions. Everyone I’ve talked to about it is curious as to why Chase got hit so hard in recent weeks and months, coming pretty much out of the blue. This hasn’t slowed down, either.

Figure 3: The number of Chase phishing attacks in recent observations. Each URL for any given hour counts as a separate phishing attack.
This article was referenced on Steve Woda’s Blog: buySAFE, eCommerce, Trust & Safety. The blog post, “How To Avoid PayPal Fraudsters”, can be viewed at http://blog.swoda.com/blog/2006/08/tips_for_avoidi.html