I saw this article on Light Blue Touchpaper, a blog by researchers in the Security Group at the University of Cambridge Computer Laboratory, describing how long the average phishing site stays online. It depends on a number of things, but mostly, I guess, on the banks getting them taken down. The paper that Tyler Moore and Richard Clayton published is available here.

We monitored the availability of several thousand phishing websites over a two month period and our results show that a typical phishing website can be visited for an average of 58 hours, but this average is skewed by very long-lived sites — we find that the distribution is lognormal — with the median lifetime being just 20 hours.

We also identified a significant subset of websites (over half of all URLs being reported to the PhishTank database we used) which were clearly being operated by a single “rock-phish” gang. These sites attacked multiple banks and used pools of IP addresses and domain names. We found that these sites remained available for an average of 94 hours (again with a lognormal distribution, but with a median of 55 hours). A newer architectural innovation dubbed “fast-flux” that used hundreds of different compromised machines per week, extended the website availability to a median of 202 hours.

Source: How quickly are phishing websites taken down?

While lots can still be done to combat phishing sites, mostly by the banks they target, the most important thing that needs to happen is user education about clicking on links in emails, instant messages, etc. If you get a website URL through IM, even from a trusted friend, holler at them and ask what it is before clicking; if they don’t know what you are talking about, then a piece of software probably sent it to you without their knowledge. In email, never click the link to open it; go to your web browser and type in the address yourself, so you always know you are on the right website. It is very easy to hide the URL of where you are actually going, so even though the link says it is from PayPal, it doesn’t mean it really is. If you type it in by hand you can be assured you are going to the right place and not some phishing site that is going to steal your user ID and password, and then your money.

I also advise people who have IE7 to turn on the phishing filter. Even though it slows your browsing down just a bit, it has gotten better since I first tried it, and better safe than sorry when it comes to your money online.

The data they were able to look at also allowed them to estimate how many people per day gave the site their information without checking whether the site was legitimate. They came up with 25 per day, increasing by 10 for each additional day the site is allowed to remain online. So it looks like it is imperative that banks have these sites taken down as quickly as possible, and it is also imperative that everyone out there quits clicking on just any old link.

While it is clear that more and more people know about phishing, and some are hopefully avoiding it, banks have a long way to go if they think the current means they use to combat phishing are doing anything other than dragging out how long it takes the phishers to make money.

Added: I just saw a post on Computerworld saying that the number of phishing sites nearly tripled over the last month, going from 20,871 in March to 55,643 in April; talk about inflation. They say the phishers are trying to overwhelm the phishing filters by using many different URLs, many of which resolve to the same site.

Phishers using the tactic don’t register any more domains than usual but simply craft unique URLs by randomizing the subdomain to create new addresses.

“The idea is to come up with unique URLs that have not been reported and end-running the filters,” Cassidy said. Both Microsoft Corp.’s Internet Explorer and Mozilla Corp.’s Firefox rely on blacklists — lists of previously reported phishing URLs — to warn users that they may be about to visit a dangerous site.

Source: Phishing URLs skyrocket

View the report here.
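To show why randomizing the subdomain gets past a filter that only matches exact reported URLs, here is a small added example (my own illustration, not code from the article or from either browser). The blacklist entries and hostnames are constructed, and the registered-domain helper simply assumes the last two labels are the registered domain rather than consulting the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed sample of "previously reported phishing URLs" (not real sites).
REPORTED_URLS = {
    "http://a1b2c3.example-bank-login.test/secure/index.php",
    "http://x9y8z7.example-bank-login.test/secure/index.php",
}


def registered_domain(hostname: str) -> str:
    """Assumption for this example: the registered domain is the last two
    labels of the hostname. A real filter would use the Public Suffix List."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


# Derive the registered domains once from the reported URLs.
REPORTED_DOMAINS = {
    registered_domain(urlsplit(u).hostname) for u in REPORTED_URLS
}


def exact_url_blocked(url: str) -> bool:
    """Exact-match blacklist: misses any URL not reported verbatim, so a
    freshly randomized subdomain sails through."""
    return url in REPORTED_URLS


def domain_blocked(url: str) -> bool:
    """Match on the registered domain instead, so every subdomain of an
    already reported phishing domain is caught without a new report."""
    host = urlsplit(url).hostname
    return host is not None and registered_domain(host) in REPORTED_DOMAINS


def classify(url: str) -> dict:
    """Return both verdicts so the difference is visible side by side."""
    return {"exact": exact_url_blocked(url), "domain": domain_blocked(url)}


if __name__ == "__main__":
    # A new randomized subdomain of a reported domain: exact=False, domain=True
    print(classify("http://q4r5s6.example-bank-login.test/secure/index.php"))
```

The domain-level match is coarser, which is why it over-blocks when a phishing page sits on a large shared host; real filters have to combine it with suffix data and per-host reputation.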
