Phishing website removal — comparing banks

Following on from our comparison of phishing website removal times for different freehosting webspace providers, Tyler Moore and I have now crunched the numbers so as to be able to compare take-down times by different banks.

The comparison graph is below (click on it to get a more readable version). The sites compared are phishing websites that were first reported in an 8-week period from mid February to mid April 2007 (you can’t so easily compare relatively recent periods because of the “horizon effect” which makes sites that appear later in the period count less). Qualification for inclusion is that there were at least 5 different websites observed during the time period. It’s also important to note that we didn’t count sites that were removed too quickly for us to inspect them and (this matters considerably) we ignored “rock-phish” websites which attack multiple banks in parallel.

Phishing website take-down times (5 or more sites, Feb-Apr 2007)

Although the graph clearly tells us something about relative performance, it is important not to immediately ascribe this to relative competence or incompetence. For example, Bank of America and CitiBank sites stay up rather longer than most. But they have been attacked for years, so maybe their attackers have learnt where to place their sites so as to be harder to remove? This might also apply to eBay? — although around a third of their sites are on freehosting, and those come down rather quicker than average, so many of their sites stay up even longer than the graph seems to show.

A lot of the banks outsource take-down to specialist companies (usually more general “brand protection” companies who have developed a side-line in phishing website removal). Industry insiders tell me that many of the banks at the right hand side of the graph, with lower take-down times, are in this category… certainly some of the specialists are looking forward to this graph appearing in public, so that they can use it to promote their services 🙂

However, once all the caveats (especially about not counting almost instantaneous removal) have been taken on board, one cannot be completely sure that this particular graph conclusively demonstrates that any particular bank or firm is better than another.

7 thoughts on “Phishing website removal — comparing banks

  1. Pretty interesting. It should be noted that a number of factors should be included when talking about take-down times.

    Larger banks may be able to exert greater pressure on hosting and DNS companies than smaller local region banks. Larger banks might have regional offices in other parts of the world, which may already have a anti-fraud system in place with the local police…thus speeding up the take-down time. Not speaking the local language can slow the progress as well…

    In addition, the total number of phishing attacks against a brand could play a role as well. EBay, Paypal and Bank of America are heavily targeted, thus increasing the the workload for take-down teams…this might enable some sites to stay up longer.

    Also, many of the banks on the left hand side are commonly found on rock-phish sites. The bad guys that are deploying these rock-phish sites are most likely more organized than the groups attacking a single bank at a time. This increased skill / organization could enable rock-phisher to make it harder for the bank to take them down. They may have learned which hosting companies are more “bullet-proof” and are more likely to drag their feet on removal.

    But overall, it does provide a lifespan snapshot of the modern phishing site..which is important regardless of the other factors Reducing these lifespans is the main goal of take-down teams like Castlecop’s PIRT (of which I am a former handler).

  2. A bit of a rant, but serious.

    Mmmh, I do not want to pester, but just getting some data and plotting it without a real model or theory behind is pretty much noise. Yes, those are the data. They *are* interesting as *data*, but they do not say much more than that yet (apart from the fact that there may be more data elsewhere).

    I think in this case it would be better to give the table than the graph, as graphs tend to “convey a meaning” and, as you clearly state, we have still no meaning to ascribe to it.

    Sorry, could not help it. I am not ranting, it was the mathematician inside, which rebels against “graphs” for “graphs”. We need information, not just data.

    Thanks for the job, though.


  3. Nice work.
    In order to analize better performance we also need to analize:
    – the number of phish site x day x company
    – the country where the phishsite is hosted
    – and finally where the phish site is hosted. I mean if the site is hosted on a free homepage service should be more easier to take it down (should…Alice docet) than an hacked page, etc

  4. We plan to do much more further analysis, so many of the comments are ones we’ve already made to ourselves.

    However, I don’t necessarily agree that overall volume is an issue (since one would ramp up resources appropriately), but “burstiness” or “variability of attack” might be — since it prevents the “just turn the handle” approach that can clearly deal with never-ending attacks via a small number of free-hosting sites.

    Also, Technocrat should note that we have already excluded the rock-phish attacks from these figures; the comment may be intending to indicate that during the rock-phish attacks more was learnt about a particular bank’s weaknesses, but I’m sceptical that this parlays into non-rockphish attack mechanisms (though knowledge of how good the bank was at back-office controls might affect their desirability as a future target).

  5. Hey Richard,

    I see what you are saying, you have removed the rock-phish for good reason…but you are assuming that those behind the rock-phish type attacks are totally independent (from a information sharing sense) from those that are attacking a single bank at a time.

    As you are aware, those rock-phish kits are created and sold to other evil doers, so there is some group that is deeper in the community that could be a point of shared knowledge across phisher groups. Without getting into the blackhat phishing community this would be hard to proof, but it isn’t without some merit.

    Using other groups, like the international drug cartels, as an example, I would believe that information is shared by whatever means between the groups sooner or later and thus creates an ever increasing shared knowledge base common to all. This information could include techniques to evade detection and removal (e.g. Sites for Primary and Secondary link redirects, DNS tricks, “slower” moving hosting providers, etc).

    During my time at PIRT, I saw mostly rock-phish attacks, so my experience of the phishing community overall could be slanted in that manner.

  6. I see Citibank shows up as pretty bad. I’m not surprised.

    The other day I got what seemed to be a new flavour of “phishing” email. I forwarded it, as requested, to – and their spam filters bounced my message.

    What’s the phrase – “a wunch of bankers”?

  7. > and their spam filters bounced my message.

    Yeah, a veritable ‘yahoo’ of bankers – I’ve reported a number of phishes w/ yahoo/ DNS hosted sites to and they get bounced for “phishing content” – er, yeah.

Leave a Reply

Your email address will not be published. Required fields are marked *