APWG Global Phishing Survey Musings
I always enjoy when new reports are released from various industry orgs that discuss the latest trends in spam, phishing, and cyber crime. Last week the Anti-Phishing Working Group released the results from their 2H 2011 Global Phishing Survey. There were a couple of things that I found interesting about the report that I wanted to take a moment to comment on.
* Paypal is no longer the top phished brand on the internet
This mantle has been passed to Taobao.com, one of China’s largest e-commerce sites. This is a significant shift from the first half of 2011 where Paypal was still far and away the global leader in phishing attacks.
Let’s dive into that for a moment and discuss why that could be the case.
Back in 2007 and 2008 Paypal made arrangements with Yahoo and Google to block unauthenticated emails that appeared to be coming from Paypal’s domains. These relationships made direct domain spoofing of Paypal impossible at some of the largest mailbox providers in the world and prevented a significant amount of phishing attacks from ever being delivered. Over time this made Paypal a less attractive target to spammers because they are typically going to gravitate to where the barrier to get what they want is lowest.
* The average uptime for a phishing site is about 46 hours
In my opinion, although there have been some significant strides made in reducing the uptime of phishing sites, there is still a lot of work that needs to be done. The faster that an attack can be blocked, the lesser the downstream effect to the company being targeted. This means that being able to block phishing attacks proactively through technologies like DMARC (which Return Path is a founding member company of) becomes that much more important because while the attack is happening, emails that are being sent out using the targeted brand’s domain can be blocked before ever reaching customer inboxes.
According to an article that was posted to SC Magazine back in December 2010, 90% of the credentials that are going to be stolen during a phishing attack are going to be stolen within the first 10 hours that the attack is live and 50 percent are stolen within the first hour. So, as you can see there is a point of significant diminishing returns after only a very short period of time after the attack is launched.
* APWG Reports that the top 20 phishing targets accounted for 78% of phishing attacks
Nobody will argue the fact that financial institutions are still the most frequently targeted vertical for phishing attacks (well, you shouldn’t argue this), but the other 22% is spread across almost every other vertical where consumers spend their time, money, and sensitive information on the internet such as social networking and online gaming (did you know that Cryptic Studios, makers of games such as City of Heroes and Star Trek Online just recently announced a breach of their own?). This remaining 22% accounts for a significant amount of malicious email traffic daily and for the brands that are targeted even just once or only a handful of times, they suffer from a significant amount of brand loyalty loss and mistrust from their customers. The takeaway here is not to assume that phishing is only a problem for the financial services companies. Such a mentality leads to a letting down of your own guard, which makes your organization ripe to be the next target.