Tuesday, July 31, 2007

Average Online Time for Phishing Sites

Some vendors specialize in clustering phishing attacks to better understand the phishing ecosystem and reveal all of its nodes. Others, armed with opportunistic business development strategies, are developing a market segment to provide their customers with services for timely shutting down phishing or malicious web sites. Symantec recently released informative averages on the time a phishing site remains online, confirming the need for such a market segment and prompting a discussion of alternative solutions:

"Our analysis shows how ISPs in some countries are relatively slower than others to shut down attacks. For example, Taiwan’s average shutdown time has been only 19 hours on 92 attacks, while in Australia the average for 98 attacks has been almost one week for a single shutdown. Other countries slow to respond include the USA and India. Countries identified as responding quickly include Germany, Netherlands, Japan, Estonia, Poland and Russia."

Moreover, May's report from the Anti-Phishing Working Group has an even better sample, consisting of 37438 unique phishing sites, where the average time online for a phishing site was 3.8 days and the longest time online was 30 days. Why are certain ISPs slower in shutting down phishing sites than others? What motivates the best performing ones to react immediately? It's all a matter of perspective. Let's consider the facts:

- DIY phishing kits such as Rock Phish significantly increased the number of phishing sites, but sacrificed efficiency for quality. Rock Phish's major strength is also its major weakness, namely centralization, so the phisher ends up with a single IP hosting phishing sites for numerous banks. In fact, according to IBM's X-Force, single domains were carrying an average of 1000 phishing sites.

- Phishing sites hosted on home users' PCs are harder to shut down than those hosted on a web server.

- Russia is responding faster than the U.S. because, according to the APWG's stats on countries hosting phishing sites, Russia's share is 7.41% compared to the U.S. at 32.41%. We have the same situation with countries hosting trojans and downloaders, where Russia accounts for 6% compared to China with 22%. This does not mean Russia is out of the game, not at all, but just as you may have a Russian phishing/malware campaign hosted in the U.S., you may also have a U.S. phishing/malware campaign hosted in Russia.

- The lack of incentives for ISPs to be in a hurry, and the lack of accountability for them if they are not. Perhaps if the vendors developing the market segment for shutting down phishing sites start sharing revenues in a win-win-win fashion, it would make a difference where no legislation is in place.

- XSS vulnerabilities within E-banking sites often act as redirectors, so while you're shutting down yet another .info domain, the XSS is still there waiting to be abused.

- In fast-flux empowered, economies-of-scale malicious attacks, any stats should be considered at least partly as only "scratching the surface", because while the redirector may be in the U.S., the second node with the phishing site may be in Russia and the third one hosting the malware in Taiwan. So while you've shut down the most obvious nodes, the campaign remains intact and gets automatically re-mixed to achieve malicious diversity, using the same domain names but under different and dynamic IPs next time.
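To make the fast-flux behaviour above concrete from the defender's side, here is an added Python example (not code from the original post): it aggregates repeated A-record lookups per domain and flags domains that hand out many addresses across several networks with short TTLs, which is what the re-mixing of the same domain names over dynamic IPs looks like in resolver logs. The observation log, the /24-as-network approximation and the thresholds are all assumptions constructed for illustration.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample of repeated A-record lookups: (domain, answer IP, TTL seconds).
# Addresses are from the RFC 5737 documentation ranges; nothing here is a real IoC.
OBSERVATIONS = [
    ("flux.example", "203.0.113.5", 300),
    ("flux.example", "198.51.100.77", 300),
    ("flux.example", "192.0.2.19", 180),
    ("flux.example", "203.0.113.140", 300),
    ("flux.example", "198.51.100.9", 120),
    ("flux.example", "192.0.2.200", 300),
    ("static.example", "203.0.113.10", 86400),
    ("static.example", "203.0.113.10", 86400),
    ("static.example", "203.0.113.11", 86400),
]

# Assumed thresholds, not from the post; tune them against your own resolver logs.
MIN_UNIQUE_IPS, MIN_UNIQUE_NETS, MAX_MEDIAN_TTL = 5, 3, 600


def summarize(observations):
    """Per domain: distinct answer IPs, distinct /24 networks (a coarse stand-in
    for distinct hosting networks; an ASN lookup would be better), median TTL."""
    ips, nets, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for domain, ip, ttl in observations:
        addr = ipaddress.ip_address(ip)
        ips[domain].add(addr)
        nets[domain].add(ipaddress.ip_network(f"{addr}/24", strict=False))
        ttls[domain].append(ttl)
    return {d: {"unique_ips": len(ips[d]),
                "unique_nets": len(nets[d]),
                "median_ttl": statistics.median(ttls[d])} for d in ips}


def is_fast_flux(stats):
    """Many IPs, spread over several networks, handed out with short TTLs."""
    return (stats["unique_ips"] >= MIN_UNIQUE_IPS
            and stats["unique_nets"] >= MIN_UNIQUE_NETS
            and stats["median_ttl"] <= MAX_MEDIAN_TTL)


def flag_domains(observations):
    """Map each domain to True when it looks like a fast-flux candidate."""
    return {d: is_fast_flux(s) for d, s in summarize(observations).items()}


if __name__ == "__main__":
    for domain, flagged in flag_domains(OBSERVATIONS).items():
        print(domain, "fast-flux candidate" if flagged else "stable")
```

A domain flagged this way is a candidate for closer inspection, not proof; legitimate CDNs also rotate many addresses, so pair the heuristic with network ownership data before acting.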

What would be the most effective approach for the most targeted financial services to protect their customers from phishing attacks? Hire brandjacking monitoring services to efficiently and persistently shut down the phishing sites generated with DIY phishing kits, educate E-banking customers, or do both? Assess their unique situation and balance, while considering that some folks still don't know what phishing really is. Now, try explaining to them what form input grabbing malware tools such as the Nuclear Grabber are.

Related posts:
A Client Application for Secure E-banking?
The Rock Phish Kit in action
The Brandjacking Index
Security threats to consider when doing E-banking
Banking Trojan Defeating Virtual Keyboards
Defeating Virtual Keyboards

Feeding Packed Malware Binaries

Remember the avvcc.com domain, which I mentioned in a previous example of a fast-flux network using the WebAttacker kit two months ago? It's still up and running, this time hosting an online gaming account password stealer, and the binary is packed using five different packers in exactly the same fashion as the binary obtained two weeks ago. The domain itself is a great example of a fast-flux network, a term coined by the Honeynet Project to showcase the growing complexity and evasive techniques introduced by the malicious ecosystem on its road to invisibly controlling, evaluating and managing its malicious campaigns online.

Packed binary obtained two weeks ago:

File size: 205917 bytes
MD5: ef11bed4a5f4d61ad771204d1ec6ac25
SHA1: 6c35869de5ef20b949b3d9f53e111f26f4631569
packers: PECompact, NsPack
packers: PECOMPACT, BINARYRES, NSPACK
packers: ZIP, PecBundle, PECompact

Packed binary as of today:

File size: 76800 bytes
MD5: 17d12aecb7aba82ecc38dd6d2dd3e3b3
SHA1: 439947056d1005ec8738ed19e84bbba043556a2f
packers: PECOMPACT, BINARYRES
packers: PecBundle, PECompact

Both binaries have a relatively high detection rate, but that's not the point. The point is the ongoing trend of malware-embedded web sites, which in combination with a fast-flux network prompts the need to re-evaluate your security policies and preemptive security strategy.

Fast-flux networks graph courtesy of the Honeynet Project & Research Alliance.

GIMF Switching Blogs

The Global Islamic Media Front, like pretty much all other cyber jihadist supporters and jihadist media agencies, seems to have fallen in love with WordPress. Exactly one month since I posted a list of terrorism supporting or glorifying blogs, both GIMF's English and German version blogs were shut down. Strike one for the good guys. But did they really disappear from the cyber jihadist blogosphere? Not at all. The Global Islamic Media Front simply switched propaganda to this blog. Among GIMF's most notable IT releases are the Mujahideen Secrets Encryption Tool and the quarterly released Technical Mujahid E-zine.