Security

Do Phishers Have More Poles in the Water?

Are phishing attacks going up or down? The answer depends on who you ask.

Undoubtedly, phishing is still a big problem on the Internet, but regular statistical reports from various vendors leave a mixed picture. Vendors tend to collect data in different ways as well as from different sources, and it's difficult to find two reports that enable a true one-to-one comparison.

MarkMonitor, a San Francisco company that tracks domain-name abuse, released a report Monday saying the number of phishing attacks reached a record level for the period of April through June.

MarkMonitor's findings come shortly after two other major security companies, IBM and Symantec, concluded that phishing was declining.

So which company is right? It really depends on what is being measured.

MarkMonitor counted more than 150,000 phishing attacks for the second quarter of 2009, with an attack defined as a unique URL (uniform resource locator) hosting a phishing site. In a phishing attempt a cybercriminal creates a Web site that looks legitimate and fools people into divulging their sensitive personal or financial details.

MarkMonitor finds out about possible phishing sites from companies such as Yahoo and AOL, which forward suspicious-looking URLs that appear in e-mail, said Charlie Abrahams, vice president of MarkMonitor for Europe, the Middle East and Africa.

The company then manually checks those URLs to ensure they are indeed phishing sites and takes steps on behalf of their customers to get those sites shut down, either through contacting domain-name registrars or the ISPs hosting them.

IBM, however, recently came to a different conclusion in its X-Force midyear trend report for 2009, released in August. The company looked at phishing e-mail as a percentage of spam, a much different measure than MarkMonitor. Phishing sites are mostly promoted through spam.

IBM found that for the first half of 2009, phishing e-mails were only 0.1 percent of spam, down from 0.5 percent in 2008. The company came to the conclusion that phishing is falling.

"The decline in phishing and increases in other areas (such as banking Trojans) indicate that attackers may be moving their resources to other methods to obtain the gains that phishing once achieved," according to IBM's report.

A report from Symantec that covered one month, August of this year, concluded that phishing attacks fell 45 percent over the previous month, although it's not clear from the report how that figure was calculated. In another statistic, Symantec noted that it saw 4 percent fewer phishing URLs compared to July.

MarkMonitor's Abrahams said his company counts the number of unique URLs. That has the potential to dramatically raise the number of what MarkMonitor classifies as attacks. For example, criminals are often use a single hostname for a site, but the site is actually hosted on many servers in different locations and switch servers after a short period of time, a method known as fast flux.

So one bad Web site might be hosted in hundreds of places, each counted as an attack.

"There's lots of different measurements for phishing," Abrahams said. "We think the number of sites is what matters rather than the number of e-mails."

The Anti-Phishing Working Group (APWG), which is composed of private companies and other groups, tracks unique e-mail campaigns. If the subject line in hundreds of e-mails is the same, that's counted as one campaign. As far as phishing sites, APWG counts the unique base URL of a particular site.

In its report for the last six months of 2008, APWG said the number of e-mail campaigns peaked in October at 34,758. That data was compiled from reports submitted by consumers. But the figure fell to 23,187 by December.

Unique phishing sites increased from July through October 2008, hitting a high of 27,739. But that was still fewer than February 2008 or the massive spike in April 2007 of 55,643, according to APWG.

Subscribe to the Security Watch Newsletter

Comments