Yeah, a veritable ‘yahoo’ of bankers - I’ve reported a number of phishes w/ yahoo/yahoo-inc.com DNS hosted sites to abuse@yahoo.com and they get bounced for “phishing content” - er, yeah.

The other day I got what seemed to be a new flavour of “phishing” email. I forwarded it, as requested, to suspicious.email@citi.com - and their spam filters bounced my message.

What’s the phrase - “a wunch of bankers”?

I see what you are saying, you have removed the rock-phish for good reason…but you are assuming that those behind the rock-phish type attacks are totally independent (from a information sharing sense) from those that are attacking a single bank at a time.

As you are aware, those rock-phish kits are created and sold to other evil doers, so there is some group that is deeper in the community that could be a point of shared knowledge across phisher groups. Without getting into the blackhat phishing community this would be hard to proof, but it isn’t without some merit.

Using other groups, like the international drug cartels, as an example, I would believe that information is shared by whatever means between the groups sooner or later and thus creates an ever increasing shared knowledge base common to all. This information could include techniques to evade detection and removal (e.g. Sites for Primary and Secondary link redirects, DNS tricks, “slower” moving hosting providers, etc).

During my time at PIRT, I saw mostly rock-phish attacks, so my experience of the phishing community overall could be slanted in that manner.

However, I don’t necessarily agree that overall volume is an issue (since one would ramp up resources appropriately), but “burstiness” or “variability of attack” might be — since it prevents the “just turn the handle” approach that can clearly deal with never-ending attacks via a small number of free-hosting sites.

Also, Technocrat should note that we have already excluded the rock-phish attacks from these figures; the comment may be intending to indicate that during the rock-phish attacks more was learnt about a particular bank’s weaknesses, but I’m sceptical that this parlays into non-rockphish attack mechanisms (though knowledge of how good the bank was at back-office controls might affect their desirability as a future target).

Mmmh, I do not want to pester, but just getting some data and plotting it without a real model or theory behind is pretty much noise. Yes, those are the data. They *are* interesting as *data*, but they do not say much more than that yet (apart from the fact that there may be more data elsewhere).

I think in this case it would be better to give the table than the graph, as graphs tend to “convey a meaning” and, as you clearly state, we have still no meaning to ascribe to it.

Sorry, could not help it. I am not ranting, it was the mathematician inside, which rebels against “graphs” for “graphs”. We need information, not just data.

Thanks for the job, though.

Pedro.

Larger banks may be able to exert greater pressure on hosting and DNS companies than smaller local region banks. Larger banks might have regional offices in other parts of the world, which may already have a anti-fraud system in place with the local police…thus speeding up the take-down time. Not speaking the local language can slow the progress as well…

In addition, the total number of phishing attacks against a brand could play a role as well. EBay, Paypal and Bank of America are heavily targeted, thus increasing the the workload for take-down teams…this might enable some sites to stay up longer.

Also, many of the banks on the left hand side are commonly found on rock-phish sites. The bad guys that are deploying these rock-phish sites are most likely more organized than the groups attacking a single bank at a time. This increased skill / organization could enable rock-phisher to make it harder for the bank to take them down. They may have learned which hosting companies are more “bullet-proof” and are more likely to drag their feet on removal.

But overall, it does provide a lifespan snapshot of the modern phishing site..which is important regardless of the other factors Reducing these lifespans is the main goal of take-down teams like Castlecop’s PIRT (of which I am a former handler).