Not long ago, most companies whose brands were being abused in phishing scams focused their efforts mainly on shuttering the counterfeit sites as quickly as possible. These days, an increasing number of phished brands are not only disabling the sites, but also seizing on the opportunity to teach would-be victims how to spot future scams.
Instead of simply dismantling a phishing site and leaving the potential phishing victims with a “Site not found” error, some frequent targets of phishing sites are setting up redirects to phishing education pages.
For the past 20 months, Jason Hong, assistant professor of computer science at Carnegie Mellon University's Human Computer Interaction Institute, has been measuring referrals from phishing sites to an education page set up by the Anti-Phishing Working Group (APWG), an industry consortium. Hong said the site now receives close to 25,000 referrals per month from phishing sites that brand owners have modified.
The redirect process works like this: The brand owner or company whose customers are targeted by the phishing site verifies it as a scam site, and then the site's ISP, hosting provider or domain registrar redirects requests for the phishing URL to the APWG education page.
From Sept. 2008 to April 2010, Hong tracked 1.16 million hits from roughly 15,000 unique redirected URLs. To separate probable victims from "noise" traffic, such as random Web crawlers and people testing the landing pages, CMU scrubbed the data of hits that didn't identify the original phishing site, as well as those that appeared to be for testing only (Internet addresses that hit multiple phishing URLs per day, for example).
After filtering the results, Hong said his team found roughly 200,000 hits on 1,285 URLs — about 156 hits per URL over the whole period — that were very likely clicks from people who would have given away financial data and/or passwords at phishing Web sites had those sites still been active at the time. That may seem like a lot of victims per phishing site, but while the average number of filtered hits per URL was 100 to 300 per month, the median was quite low, 2 to 7 per month.
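To make the filtering concrete, here is an added example, written for this page and not code from CMU, the APWG or the original article. It applies the two heuristics described above (drop hits that don't identify the original phishing site; drop hits from an address that touched more than one phishing URL on the same day) plus an assumed user-agent check for crawlers, then computes mean and median hits per URL so the long-tail effect is visible. The log lines are constructed, and the idea that the redirect carries the original phishing URL in a `phish` query parameter is a hypothetical convention, not a documented APWG mechanism.

```python
"""Filter redirect-landing-page hits down to probable phishing victims.

Added example, not code from the article, CMU or the APWG. The log format
is Apache "combined" style; the `phish=` query parameter that identifies
the original phishing URL is an assumed convention for the redirect.
"""
import re
from collections import Counter, defaultdict
from statistics import mean, median
from urllib.parse import parse_qs, urlparse

# Constructed sample traffic (not real APWG data). Three phishing URLs, one
# tester address that hits all three in a day, one crawler, one hit with no
# phishing URL attached, and one malformed line.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2010:10:15:02 +0000] "GET /phishing-education?phish=http://bank-example.test/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Mar/2010:11:02:41 +0000] "GET /phishing-education?phish=http://bank-example.test/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Mar/2010:08:30:00 +0000] "GET /phishing-education?phish=http://bank-example.test/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.10 - - [13/Mar/2010:09:12:19 +0000] "GET /phishing-education?phish=http://bank-example.test/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.11 - - [14/Mar/2010:17:45:33 +0000] "GET /phishing-education?phish=http://bank-example.test/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.12 - - [12/Mar/2010:12:00:05 +0000] "GET /phishing-education?phish=http://paypa1-example.test/verify HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.13 - - [12/Mar/2010:13:22:48 +0000] "GET /phishing-education?phish=http://mail-example.test/reset HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.14 - - [15/Mar/2010:07:05:10 +0000] "GET /phishing-education?phish=http://mail-example.test/reset HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2010:09:00:01 +0000] "GET /phishing-education?phish=http://bank-example.test/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2010:09:00:02 +0000] "GET /phishing-education?phish=http://paypa1-example.test/verify HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2010:09:00:03 +0000] "GET /phishing-education?phish=http://mail-example.test/reset HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2010:14:10:00 +0000] "GET /phishing-education HTTP/1.1" 200 512 "-" "Mozilla/5.0"
66.249.66.1 - - [12/Mar/2010:15:00:00 +0000] "GET /phishing-education?phish=http://bank-example.test/login HTTP/1.1" 200 512 "-" "Googlebot/2.1"
garbage
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<date>[^:\]]+)[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed heuristic for the "random Web crawlers" noise mentioned in the text.
CRAWLER_UA = re.compile(r"bot|crawler|spider", re.I)


def parse_hit(line):
    """Return (ip, day, phishing_url, user_agent), or None when the line is
    malformed or does not identify the original phishing site."""
    m = LOG_RE.match(line)
    if not m:
        return None
    phish = parse_qs(urlparse(m["path"]).query).get("phish", [""])[0]
    if not phish:
        return None  # cannot attribute the hit to a take-down; discard
    return m["ip"], m["date"], phish, m["ua"]


def filter_hits(lines, max_urls_per_ip_per_day=1):
    """Keep hits that look like individual victims of a single lure."""
    hits = [h for h in map(parse_hit, lines) if h is not None]
    # An address that reaches more than one phishing URL on the same day is
    # treated as a tester or scanner, and all of its hits that day are dropped.
    urls_seen = defaultdict(set)
    for ip, day, phish, _ in hits:
        urls_seen[(ip, day)].add(phish)
    return [
        h for h in hits
        if len(urls_seen[(h[0], h[1])]) <= max_urls_per_ip_per_day
        and not CRAWLER_UA.search(h[3])
    ]


def hits_per_url(hits):
    """Count surviving hits per original phishing URL."""
    return Counter(h[2] for h in hits)


def summarize(counts):
    """Mean vs. median hits per URL; a mean well above the median is the
    long tail the article describes."""
    values = list(counts.values())
    return {"urls": len(values), "hits": sum(values),
            "mean": mean(values), "median": median(values)}


if __name__ == "__main__":
    kept = filter_hits(SAMPLE_LOG)
    counts = hits_per_url(kept)
    for url, n in counts.most_common():
        print(f"{n:4d}  {url}")
    print(summarize(counts))
```

On the constructed sample, 8 of the 14 lines survive: the tester address, the crawler, the unattributed hit and the malformed line are all discarded, and the remaining hits split 5/2/1 across the three URLs, so the mean sits above the median even in a tiny data set. The same shape at scale is what produces an average of 100 to 300 hits per URL against a median of 2 to 7.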
That means there are some really “successful” phishing attacks that many people click on, probably either because a huge number of spam e-mails advertising that fake site were sent, or because the phishing e-mails were particularly compelling. However, the majority of phishing campaigns appear to be quite unsuccessful, in that they don’t hook a lot of people, Hong said.
“There are a few sites that have a lot of hits, and a lot of sites that have very few hits,” he said. “That means there is a very long tail of phish.”
These figures are likely to be conservative. For one thing, the researchers had no way to measure how many people clicked through to the phishing site before it was shuttered and further visits were redirected to the APWG education page. What's more, most Web browsers now include anti-phishing technology that blocks users from visiting known phishing Web sites, usually within hours of the scam sites going live, so some would-be victims are stopped by their browser and never reach the education page to be counted.
Still, phishing may be worthwhile even for phishers who hook just a handful of victims per attack, as the startup costs for phishing scams often are next to nil (spam is often routed through hacked machines, and the APWG estimates that 75 to 80 percent of phishing sites are legitimate sites that have been hacked and seeded with phishing kits). I couldn't find any recent and reliable stats on average phishing losses, but if we assume for the moment that people who get phished lose on average $500, it doesn't take too many victims to make it a profitable venture.