Researchers from Google, Samsung, PayPal, and Arizona State University spent a year exploring and analyzing the landscape of phishing-related threats and how users interact with phishing pages. Analyzing 22.553.707 user visits on 404.628 phishing pages, the researchers gathered a lot of information about how phishing campaigns work.
Specifically, from their findings the researchers found that a phishing attack It takes an average of 21 hours from the first to the last victim to visit a page, while each phishing attack by entities is detected an average of 9 hours after the first victim visits. The researchers will present their findings in more detail at the security conference USENIX which will take place 12 - 14 August.
Once detected, they remained for another 7 hours before maximizing browser-based alerts. Researchers describe the interval between its onset campaign and the development of phishing alerts on browsers until "Golden hours" of a phishing attack - in which attackers attract most of their victims. But when the "golden hours" are over, attacks continue to increase their casualties, even after the browser warns through systems such as API Google Safe Browsing. Of concern is the fact that 37,73% of the total movement of victims within the data set collected by the researchers, took place after the detection of the attack.
In addition, the researchers analyzed users' interactions with phishing pages and reported that 7,42% of victims entered credentials into phishing forms and eventually suffered infringement or noticed that a "fraudulent" transaction had taken place on his account. On average, scammers tried to breach user accounts and make "fraudulent" transactions 5,19 days after the user visited the phishing site, while credentials of the victims ended up in public dumps or criminal portals, 6,92 days after the user visited the phishing page.
The findings of the study correspond to those reported by Sherrod DeGrippo, Sr. Director, Threat Research and Detection at Proofpoint, on ZDNet. In particular, DeGrippo said that Proofpoint detects about 12 million phishing attacks each month, while the best cybercriminals focus on avoidance tactics to avoid detection, knowing that this way they will be able to keep their campaigns "active" for a longer period of time and extend the "golden hours".
Arizona State University research team said the success of these attacks is largely due to their slow detection by defense mechanisms. In addition, the researchers added that the lack of cooperation between industry partners is another factor that contributes to the success of the attacks. For this reason, they urge the various entities to work together more to defend and counter phishing attacks. They also stressed that cooperation makes all entities stronger against phishing and other types of attacks. According to Proofpoint, registrars, among others, must assist in this effort domain, encryption certificate providers and hosting companies. Finally, the researchers stressed that stopping phishing attacks is vital for her protection of organizations worldwide, while just as important is the correct and timely information officials to suspect such attacks.
The full academic research is entitled "Sunrise to Sunset: Analysis of the End-to-end Life Cycle and Effectivity of Phishing Attacks at Scale".