Phishing and the gaining of "clue"

Tyler Moore and I are in the final throes of creating a heavily revised version of our WEIS paper on phishing site take-down for the APWG eCrime Researchers Summit in early October in Pittsburgh.

One of the new results that we’ve generated, is that we’ve looked at take-down times for phishing sites hosted at, a provider of free webspace. Anyone who signs up (some Italian required) gets a 150MB web presence for free, and some of the phishing attackers are using the site to host fraudulent websites (mainly eBay (various languages), but a smattering of PayPal and Posteitaliane). When we generate a scatter plot of the take-down times we see the following effect:

Take-down times for phishing sites hosted at

The sloping line from mid April to early May indicates that for several weeks almost no sites were removed at all, and then they were pretty much all removed at once. Thereafter, with occasional blips, sites were removed within a day or so.

We ascribe this pattern to a learning process — initially either wasn’t receiving complaints (because eBay didn’t know where to send them, or spam filters rejected them) or weren’t acting upon them (they weren’t in Italian, or the seriousness of the complaint wasn’t appreciated, or there wasn’t a proper policy in place for dealing with phishing). One can only speculate (and there’s many more possible reasons than the ones I’ve just guessed at) as to why the sites weren’t removed… but at some point “clue” was gained by all concerned, and thereafter things have worked just fine (albeit the take-down is not as quick as at some other free-hosting sites, but that’s another story for another day).

We went looking for similar patterns elsewhere, and turned up two more — the removal rate of “rock-phish” domains in the .hk (Hong Kong) and .cn (China) top level domains. The same pattern is present — and in each case you can pick out the date when clue was obtained:

Take-down times for .hk rock-phish domains
Take-down times for .cn rock-phish domains

The important thing to note about the data presented in this article is that the world is chock-a-block with free webspace providers, registrys, registrars and for that matter ISP abuse teams who will be asked to remove phishing sites from other types of webspace. Although some will have had experience of take-down procedures (they have gained “clue”), many will not. What that means is that phishers who are mobile, continually changing providers, will benefit from slower take-down times as clue is slowly disseminated across the whole industry, one place at a time.

The only way to avoid this continual drip-feed of “clue” into the industry will be for far wider awareness of what is going on, and the techniques the phishers are using. We hope that, in our own little way, we are contributing to that.

5 thoughts on “Phishing and the gaining of "clue"

  1. Great visualization — I like the idea of “clue” as a quantifiable characteristic.

    I am curious what happened in mid-June in both .hk and .cn — there was a small upwards blip. Somebody in the abuse department on a summer holiday? Innovative design by phishers that their abuse department didn’t recognize? Analysis of graphs like this could definitely lead to improvements in an abuse-reporting process, as well as internally by ISP’s to examine their own abuse department’s effectiveness.

  2. Susan,
    There are a number of plausible reasons why there was an uptick in mid-June, and you listed a couple of them. What’s noteworthy is that site lifetimes are always quite volatile. Even ‘clued-up’ providers inadvertently let sites slip through the cracks for many days before removing them. Such high variation seems to be a fundamental characteristic of phishing site lifetimes.


  3. Hi Tyler interesting article.
    Why do you compare in your research an Internet provider as Alice with a generic statistic of top level domain ?
    Around Internet there are many Internet provider as Alice; why have you choose it?

  4. We were trying to make the point that “gaining clue” is a general phenomenon that can be observed in several different situations. We chose Alice because it had recently been chosen by the phishers (probably a small number of attackers, possibly even just one) and hence we can measure the change in their response rates. The TLDs were again chosen because the phishers had chosen to start using them during the period we were making measurements — though to be strict we are really measuring the response of a small number of registrars rather than registrys, but for some TLDs the difference is moot.

Leave a Reply

Your email address will not be published. Required fields are marked *