New research shows that most victims of phishing experience a fraudulent transaction around 5 days after getting phished.

A group of security researchers from organisations such as Google, PayPal, Samsung and Arizona State University has analysed 22,553,707 user visits to 404,628 phishing pages to study how users interact with phishing pages. The results show in detail how phishing campaigns really work.

The research group wrote in their report:

Firstly, “that the average phishing attack spans 21 hours between the first and last victim visit.”

Secondly, that the “detection of each attack by anti-phishing entities occurs on average nine hours after the first victim visit.”

And lastly, “once detected, a further seven hours elapse prior to peak mitigation by browser-based warnings.”

At the next USENIX security conference they will present their findings.

The research group nicknamed the interval between the start of a campaign and the deployment of phishing warnings inside browsers the “golden hours.” That’s the time period when attackers reap most of their victims.

But according to the research team, attackers are still reaping victims once the golden hours end, even after browser warnings such as those from Google’s Safe Browsing API are deployed.

In other words, people are just not paying attention to the warning signs.

The researchers point out that, “alarmingly, 37.73% of all victim traffic within our dataset took place after attack detection.”

In addition, researchers found that 7.42% of phishing victims who ended up entering their credentials into a phishing form suffered:

  1. Breach
  2. Fraudulent transaction on their account

According to the researchers, after the user visited the phishing site:

Firstly, on average it takes crooks 5.19 days to breach user accounts and perform fraudulent transactions.

Secondly, on average it takes 6.92 days for a victim’s credentials to end up on criminal portals.

Most Phishing Campaigns Come from A Few Major Players

The vast majority of phishing campaigns just aren’t that effective, say the researchers, after analysing more than 400,000 phishing sites.

They wrote in the report that the top 10% largest attacks in our dataset accounted for 89.13% of targeted victims and that these attacks proved capable of effectively defeating the ecosystem’s mitigations in the long term.

Further to this, the researchers note that campaigns can stay open for up to nine months while claiming tens of thousands of victims. Yet the attackers achieve this by “using off-the-shelf phishing kits on a single compromised domain name [phishing site].” It’s just that simple for them.

Sherrod DeGrippo, Sr. Director of Threat Research and Detection at Proofpoint, concurs that these findings are consistent with what Proofpoint found in its own research. DeGrippo says that:

Firstly, Proofpoint tracks around 12 million credential phishing attacks per month.

And secondly, the best threat actors focus on evasion tactics to avoid getting detected, knowing this would keep their campaigns running for longer, and prolong the “golden hours.”

In other words, “evasion is what the threat actors work hard on,” DeGrippo said.

More Collaboration Needed

The academic team lays the blame for the current situation on:

Firstly, the reactive nature of anti-phishing defences, which are usually slow to detect phishing attacks.

Secondly, the lack of collaboration between industry partners. We need the different anti-phishing entities to work together more.

DeGrippo agrees, saying that “cross-industry and cross-vendor collaboration certainly makes all entities stronger against phishing and other attacks.”

Further to this, the Proofpoint executive also wants entities outside the anti-phishing and cyber-security arena to pitch in too. These could include domain registrars, encryption certificate providers, and hosting companies. Resource constraints could be a challenge for these types of providers.

But stopping attacks is vital, DeGrippo says.

Importantly, it is essential “to help protect organisations worldwide and industry collaboration, insight sharing, and action, such as blocking cred phish from reaching victims.”

I think this sort of research by Google, PayPal, Samsung and Arizona State University is the first step to seeing perhaps a more collaborative approach when it comes to the phishing platform.