Phishing study finds major brands heavily targeted, niche sites also at risk

Phishing experts at the Anti-Phishing Working Group (APWG) have released their latest global survey, revealing the latest trends observed in the second half of 2014.

Brands and industry sectors

Of all phishing spotted in the period covered, more than half (54%) targeted just three brands – Apple, Paypal, and Chinese marketplace Taobao were hit by 20,000 unique phishing attacks each, while the top ten brands accounted for over 75% of all phishing and many of these saw more than 1000 separate attacks per month.

At the other end of the scale, the report notes that a high level of churn is seen in the smaller brands targeted, with well over half of those being hit in the first half of 2014 absent from the latest batch of stats.

This shows that phishers are regularly updating their approaches, probing new areas and looking out for new victims in niche industry segments and regions, as well as taking aim at larger global players and their users.

The report suggests that one reason for going after smaller accounts is to catch victims unawares, access data like card information using the logins acquired for smaller target sites, and then trying the same access codes elsewhere in the hopes of finding people indulging in password re-use.

Regular Naked Security readers will doubtless be well aware of the dangers of re-using passwords across multiple sites, but the fact that phishers still see value in trying implies that a lot of people haven’t got the message and aren’t keeping themselves as safe as they could be.

Among the new targets were manufacturing firms, telecoms and power providers, insurance houses and even the US toll-road payment system E-ZPass, alongside the more traditional banks and online shopping sites.

E-commerce was the most targeted sector, with 39.5% of all phishing attacks, while banking and money transfer services took 22% and 20.7% respectively. Social networking and email providers were the only other significant sector, targeted by 11.6% of all attacks observed.

The diversification of targets should be a warning sign to smaller businesses, that they need to ensure their security is as tough and thorough as that of the bigger firms traditionally targeted by phishing.

Things like strong password policies, proper password storage and reset methods, use of 2-factor authentication, and strong network and web application security are now just as vital for small firms as for large.

Hijacked sites, hosting and shortening services

Elsewhere in the report, just over a quarter of phishing sites (28.6%) were thought to have been registered specifically with malicious intent, many of these suspected to be down to Chinese phishers using free or cheap registration services.

The remainder were all legitimate domains hijacked for phishing purposes. It seems far too many sites fail to properly secure themselves from hijacking or code injection, and become carriers for phishers’ devious messages.

The most common methods for hijacking sites are vulnerabilities in web software such as databases or CMS solutions like the ubiquitous WordPress, which can be mitigated with responsive patching regimes, and credentials being stolen by keylogging malware, phished or guessed thanks to re-use from other compromised sites.

Again, a solid security regime with security software at every level, good user education and strict policies should minimise these dangers.

The use of sub-domain services declined sharply, from 14% in the first half of 2014 to just 6% in the second half, with one provider, altervista.org, making up very close to 50% of all those phishing sites.

The use of URL shortening services by phishers, previously all but eradicated, continued to rise slightly, now making up 2.5% of all phishing. Again one service dominated, with tinyurl.com used for just shy of half (48.3%) of all shortener-based attacks.

Uptime and spear-phishing

The overall average uptime for phishing sites decreased slightly to just under 30 hours, but the median increased, with half of all phishing sites staying live for more than 10 hours.

It’s not clear whether this last figure is down to less accurate monitoring by ISPs and other watchers, or slower cleanup times from the admins of all those compromised sites, but either way it indicates some more work is required.

All businesses operating a web presence should have emergency protocols to ensure any unwanted content hosted on their sites is removed as rapidly as possible.

The report contains a wealth of detailed statistics, analysing the phishing problem from many angles. One thing it cannot cover, as the authors note, is the spear-phishing phenomenon targeting specific people, roles or businesses and often at the root of the most spectacular and damaging hacks.

While hard to measure, thanks to its inherent stealth, there are ways to reduce the risks to a business from such carefully targeted phishing attacks, particularly the use of 2-factor authentication or even, where possible, avoiding the use of simple passwords altogether.

If more people have started paying more attention to security issues over the last few months, then perhaps the next report will show some encouraging declines.

Image of phishing courtesy of Shutterstock.