In a new report from the combined efforts of Arizona State University, PayPal, Google, and Samsung, researchers found that at least 7.42% of victims who visit phishing pages input their credentials resulting in compromised accounts and experience fraudulent transactions as a result. The researchers monitored traffic to phishing pages recording over 4.8 million victims who visited phishing pages. Beyond finding the number of victims who succumbed to the attacks, the researchers determined that the average phishing attack campaign takes place over a surprisingly short 21 hours from first to last victim.
While browser-based warnings, which warn the user if the website fails to pass checks against a known blacklist, are fairly standard across the major browsers, there exists a golden hour between when an attack is first launched and when these browser-based warnings begin to alert website visitors. The researchers found that an average of nine hours occurs between when the first victims visit the site to when it is reported to anti-phishing entities, and a further seven hours pass before browsers begin to alert potential visitors to the nefarious nature of the websites.
As the majority of visits occur before the browser-based warnings show up, attackers have begun using cloaking and redirection to avoid the crawlers from these browsers. Cloaking works by displaying content that would not be picked up by the anti-phishing crawlers when they detect that a visit is not from a real visitor, and uses a variety of filters to identify who to show which content to. Redirection links are also standard practice whereby the initial pages that are linked contain content which is not a threat when crawled by email clients initially, and then changed to redirect those who click on the link to their phishing page. Researchers found that "only 3.99% of emails contained the same URL as the final phishing page" showing that the vast majority of emails made use of redirection techniques. Often these links change frequently and are used in combination with cloaking.
Of the known visitors to the phishing sites, 7.42% suffered a fraudulent transaction. While this number is within the range of previous research, due to the nature of the data which was collected, this number is estimated to be low, since 55.56% of other traffic to these sites was unable to be confirmed as a known visitor, which made up 25.04% of the traffic, or as a crawler, 19.40% of the traffic. Once a victim entered their information, a fraudulent transaction would occur within 5.19 days on average, with the earliest occurring less than an hour after the first victim visit and continuing to occur up to 14 days later. Within 6.92 days, the credentials of 63.61% of these victims would appear in a public data dump.
"Phishing remains a significant threat to Internet users in part because of the reactive anti-phishing defenses that are standard throughout the ecosystem."
Overall, the researchers found that despite the best efforts and significant increases in anti-phishing technology, there still exists a "golden hour" in which attackers are able to effectively target their victims, of which a number will input their credentials which are then able to be be very quickly abused. While the technology race between attackers and anti-phishing organizations will continue, one of the best ways to protect against future attacks is to be proactive in the defense against attacks by training users how to identify potential threats and correct email protocol.