Tyler Moore and I have a paper (An Empirical Analysis of the Current State of Phishing Attack and Defence) accepted at this year’s Workshop on the Economics of Information Security (WEIS 2007) in which we examine how long phishing websites remain available before the impersonated bank gets them “taken down”.
We monitored the availability of several thousand phishing websites over a two month period. Our results show that a typical phishing website can be visited for an average of 58 hours, but this average is skewed upwards by a small number of very long-lived sites (we find that the lifetimes follow a lognormal distribution) and the median lifetime is just 20 hours.
We also identified a significant subset of websites (over half of all URLs being reported to the PhishTank database we used) which were clearly being operated by a single “rock-phish” gang. These sites attacked multiple banks at once and used pools of IP addresses and domain names. We found that they remained available for an average of 94 hours (again with a lognormal distribution, but with a median of 55 hours). A newer architectural innovation dubbed “fast-flux”, which used hundreds of different compromised machines per week, extended website availability further, to a median of 202 hours.
The relative success of the rock-phish gang was a rather unexpected result: you’d think that with more banks wanting the sites removed, they’d disappear faster. It’s hard to say whether the rock-phish techies are evil geniuses, or whether they just move around so fast that, pretty much by chance, they end up persisting in the locations where take-down is slow.
We believe that one important advance would be to reduce the information asymmetry faced by the defenders. Phishers obfuscate their behaviour and make their sites appear independent of one another, and so to many observers phishing appears to be an intractable problem. Security vendors are happy to accept inflated (and ever-increasing) statistics because these make the problem seem more important, and even PhishTank trumpets the growth in the number of reports rather than the number of genuinely distinct attacks. Law enforcement will not prioritise investigations if there appear to be hundreds of small-scale phishing attacks, whereas their response would be different if there were just a handful of people involved. Hence, improving the measurement systems, and better identifying patterns of similar behaviour, will give defenders the opportunity to focus their response upon a much smaller number of distinct phishing gangs.
We were also able to examine web log summaries at a number of sites, along with some detailed records of visitors that a handful of phishers inadvertently disclosed. This allowed us to create a ballpark estimate of the number of visitors who divulged their data on a typical site: 25 if it remained up for one day, growing by 10 more for each further day it stayed available.
Our figures do demonstrate that the reactive strategy pursued by the banks reduces the damage done by phishing websites. However, take-down is clearly not happening fast enough to prevent losses, and so it must not be the only response. In particular, we used the lifetime and visitor numbers to show that, on fairly conservative extrapolations, the banks’ losses that can be directly attributed to phishing websites are some $175m per annum, with a further $175m or so being raked in by the rock-phish gang. This total of $350m falls well short of the $2000m estimated last November by Gartner. The disparity is partly down to the very rough estimates we used (and the equally rough estimates behind Gartner’s figures), and partly to other mechanisms that get lumped in under the same heading, such as theft of merchant databases and malware that scans your hard disk for passwords or installs keyloggers. We certainly cannot say that all losses reported as “phishing” are caused by phishing websites, but a sizeable chunk certainly is.
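The mean and median lifetimes quoted above, together with the “25 on the first day, 10 more per day” visitor model, are enough to work out how many victims a typical site collects over its whole lifetime. The following is an added example (not code from the paper, and not the method by which the $175m figure was actually derived) that recovers the two lognormal parameters from a reported mean and median, and then takes the expectation of the visitor model over that lifetime distribution. It assumes, for sites that are taken down within the first day, that the 25 first-day victims accrue pro rata; the post does not say how part-days were treated.

```python
import math


def lognormal_params(mean_hours, median_hours):
    """Recover (mu, sigma) of a lognormal lifetime from its mean and median.

    For X ~ LogNormal(mu, sigma): median = exp(mu) and mean = exp(mu + sigma^2 / 2),
    so sigma^2 = 2 * ln(mean / median).  A lognormal always has mean > median,
    which is why the reported averages (58h, 94h) sit well above the medians (20h, 55h).
    """
    if median_hours <= 0 or mean_hours <= median_hours:
        raise ValueError("a lognormal's mean must exceed its median")
    mu = math.log(median_hours)
    sigma = math.sqrt(2.0 * math.log(mean_hours / median_hours))
    return mu, sigma


def victims_for_lifetime(hours, first_day=25.0, per_extra_day=10.0):
    """Visitor model from the post: 25 victims for a site up one day, +10 per day after.

    Pro-rating within the first day is an assumption made here, not stated in the post.
    """
    days = hours / 24.0
    if days <= 1.0:
        return first_day * days
    return first_day + per_extra_day * (days - 1.0)


def _phi(z):
    """Standard normal CDF."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def expected_victims(mean_hours, median_hours, first_day=25.0, per_extra_day=10.0):
    """E[victims] over lifetimes ~ LogNormal(mu, sigma), in closed form.

    Uses the partial-expectation identity for a lognormal X and threshold a:
        E[X ; X < a] = E[X] * Phi((ln a - mu - sigma^2) / sigma)
    with a = 24 hours separating the "first day" and "later days" regimes.
    """
    mu, sigma = lognormal_params(mean_hours, median_hours)
    cutoff = 24.0
    p_short = _phi((math.log(cutoff) - mu) / sigma)              # P(lifetime < 1 day)
    hours_short = mean_hours * _phi((math.log(cutoff) - mu - sigma ** 2) / sigma)
    hours_long = mean_hours - hours_short                          # E[hours ; lifetime >= 1 day]

    # Sites down within a day: first_day * (hours/24).
    short_part = first_day * hours_short / cutoff
    # Sites up longer: first_day + per_extra_day * (hours/24 - 1)
    #                = (first_day - per_extra_day) + per_extra_day * hours/24.
    long_part = (first_day - per_extra_day) * (1.0 - p_short) + per_extra_day * hours_long / cutoff
    return short_part + long_part


if __name__ == "__main__":
    for label, mean_h, median_h in (("ordinary", 58, 20), ("rock-phish", 94, 55)):
        mu, sigma = lognormal_params(mean_h, median_h)
        print(f"{label:10s} mu={mu:.3f} sigma={sigma:.3f} "
              f"expected victims per site={expected_victims(mean_h, median_h):.1f}")
```

The point worth noticing is that the expected victim count is driven by the mean lifetime, not the median: because the visitor model is (nearly) linear in lifetime, the long tail of sites that survive for days contributes most of the harm even though the typical site is gone within a day. That is also why take-down statistics should be reported with both figures rather than just an average.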