Document Sample
b-state_of_phishing_report_01-2010.en-us Powered By Docstoc
					January 2010                                                                                             Report #27

        The data in this report is aggregated from a combination of sources including Symantec’s Phish
        Report Network (PRN), strategic partners, customers and security solutions.

        This report discusses the metrics and trends observed in phishing activity during the month of
        December 2009.
                                Highlighted in the January 2010 report:
              Symantec observed a 4 percent decrease from the previous month in all phishing at-
              21 percent of phishing URLs were generated using phishing toolkits; a decrease of 19
               percent from the previous month
              A 26 percent decrease from the previous month was observed in non-English phishing
              More than 118 Web hosting services were used, which accounted for 11 percent of all
               phishing attacks; an increase of 2 percent in total Web host URLs when compared to
               the previous month

        Phishing Tactic Distribution: Phishing sites
        were categorized based upon the domains
        they leveraged. In December, the total
        volume of phishing decreased by 4 percent
        from the previous month. Toolkit based
        phishing attacks faced a decrease of 19
        percent, which most likely led to the
        decrease in the overall volume of phishing.
        However, phishing attacks based on other
        methods including typosquatting, IP
        domains and use of webhosting sites have
        slightly increased from the previous

        David Cowings                 Mathew Maniyara                 Sagar Desai
        Executive Editor              Editor                          PR Contact
        Security Response             Security Response               Sagar_desai@symantec.com
Phishing site attack methods and target sectors
Phishing sites in December 2009 were categorized to understand the attack methods and
determine the sectors and brands impacted by the attacks.
The following categories were analyzed:
   Sectors
   Number of brands
   Phishing toolkits
   Fraud URLs with IP addresses
   Phish sites that use IP address domains – categorized by hosted cities
   Use of Web hosting sites
   Geo-locations of phishing sites
   Non-English phishing sites
   Top-Level domains of phishing sites
   Country of brand Non-English phishing sites
Sectors: Phishing target sectors are seen in the graphic below.

Number of Brands:
Symantec observed that 79
percent of all attacks were from
unique phishing websites,
which included more than 218
targeted brands. In December
2009, the unique phishing
activity increased by 2 percent
over the previous month. The
proportion of unique phishing
URLs increased from 75 percent
(in November 2009) to 79
percent (in December 2009).
The higher proportion of
unique phishing activity was a
result of a fall in the number of
toolkit phishing websites in the
Weekly Behavior of Phishing Toolkit Activity

Automated Phishing Toolkits:
Symantec observed that 21 percent of           rest of the month. The toolkit attacks on the
phishing URLs were generated using phishing    financial sector decreased considerably in De-
toolkits. The number of toolkit attacks        cember 2009. The information services sector
decreased considerably by 19 percent. A        had the majority of toolkit attacks during the
spike was observed in the first week of the    month. The attacks on the financial sector
month in toolkit phishing activity. However,   spanned several brands whereas the attacks
the volume of phishing attacks from these      in information services sector were primarily
toolkits was considerably low throughout the   targeted at a single brand.
Phishing Attacks Using IP Address Domains

Phishers today use IP addresses as part of the hostname instead of a domain name. This is a
tactic employed to hide the actual fake domain name that otherwise can easily be noticed.
Also, many banks use IP addresses in their website URLs.

A total of 1135 phishing sites were hosted in 61 countries. This amounted to an increase of
approximately 8 percent of IP attacks in comparison to the previous month. The United States
continued to be the top ranked country hosting phishing sites. The Greater China region con-
tinued to be at the second spot comprising of 7 percent of IP attacks. South Korea accounted
for approximately 7 percent of IP attacks in the month.
The top cities hosting phish sites were Seoul, Fort Lauderdale and Clarksville. Debuting in
December was Clarksville at the third position. Brooklyn, Atlanta and Montreal were common
to the list of top cities in the previous month as well.
Phishing Exploits of Free Web Hosting Services
For phishers, using free web hosting services has been the easiest form of phishing in terms of
cost and technical skills required to develop fake sites.

A total of 118 different web hosting services     However, this form of attack is not as widely
served as the home for 2,150 phishing sites in    used as it frequently requires manual efforts
the month of December. Symantec observed          to prepare the phishing Web page, unlike the
a 2 percent increase in the number of free        automated kit generated websites. Many free
web hosting services utilized for developing      web hosts have also improved their preventa-
phishing sites. More than 84 brands were          tive and corrective anti-phishing measures
attacked using this method in the reporting       significantly decreasing the lifespan of phish-
period.                                           ing sites on their systems.
Global Distribution of Phishing Sites
Phishing sites were analyzed based upon the geo-location of their web hosts as well as the
number of unique URL’s (referred as “lures” in the report) utilized to lure victims to the phish-

1. Geo-Location of Phishing Lures
Leading this area are the USA (37 percent),       in the previous month to (37 percent) in the
South Korea (5 percent) and Canada (5 per-        current month. The number of active lures
cent). The proportion of lures from the USA       from Canada exceeded that from Germany
has decreased considerably from (43 percent)      and has taken over the third position.

2. Geo-Location of Phishing Web Hosts
The top countries are the USA (43 percent),       previous month. In December, the distribu-
Germany (4 percent) and South Korea (3 per-       tion of web hosts was evenly distributed for
cent). Symantec observed that the phishing        all other locations.
hosts originated from more countries than the
                            Geo-Location of Phishing Web Hosts

Non-English Phishing Trends

Phishing attacks in Italian, French and Portu-
guese languages were the highest in Non-
English language attacks. In December 2009,
the number of attacks in Portuguese in-
creased further, exceeding Chinese and reach-
ing the third position. The increase in phishing
on a Brazilian social networking website was
the reason behind the increase of attacks in
Portuguese language. Phishing websites in
Italian and French remained higher in financial
brands. The attacks in Chinese language pre-
vailed in the e-commerce sector.

Top-Level Domains of Phishing Sites
Phishing URLs were categorized based on the Top-Level Domains (TLD). TLDs are the last part
of an Internet domain name; i.e., the letters that follow the final dot of any domain name. E.g.,
in the domain name www.example.com, the Top-Level Domain is .com (or COM, as domain
names are not case-sensitive). Country Code Top-Level Domains (ccTLD) are used by a country
or a territory. They are two letters long, for example .us is for the United States. Generic Top-
Level Domains (gTLD) are used by a particular type of organization (.com for a commercial
organization). It is three or more letters long. Most gTLDs are available for use worldwide, but
for historical reasons .mil (military) and .gov (government) are restricted to use by the respec-
tive U.S. authorities.

Comparisons of Top-Level Domains of Phishing Sites

Overall TLDs
The most used TLDs in phishing sites in the month of December were, .com, .net and .org com-
prising of (54 percent), (7 percent) and (4 percent) respectively.

The Top-Level Domains in phishing were then further categorized:
1. Generic Top-Level Domains (gTLDs)
The generic TLDs .com, .net and .co were the most utilized with (74 percent), (10 percent) and
(6 percent) of the total phish attacks respectively.

2. Country Code Top-Level Domains (ccTLDs)
The Russian, Chinese and United Kingdom ccTLDs were evaluated to be the highest in phishing
attacks with (11 percent), (8 percent) and (7 percent) respectively.
Country of Targeted Brands

The brands that phishing sites spoofed were categorized based on the country in which the
brand’s parent company is based.

The top countries of brands attacked in December were the USA, UK and Italy. There were 32
countries whose brands were attacked. As seen in the previous months, the trend of the sec-
tors targeted is similar throughout the countries of brand origin except for those belonging to
Germany and China. There was a combination of banking, e-commerce and information ser-
vices sectors in German brands. In China, the e-commerce sector remains a primary target. UAE
made its debut in the top countries of brands attacked. A higher number of phishing attacks on
a bank based in UAE led to the country making its debut in the list. Another contributing factor
was the disappearance of France and Israel from the list. There were fewer phishing attacks on
brands based in these two countries as compared to the previous month.
Glossary of Terms

Phishing Toolkits: Phishing toolkits are auto-    Top-Level Domain (TLD): Sometimes referred
mated toolkits that facilitate the creation of    to as a Top-Level Domain Name (TLDN): It is
phishing Websites. They allow individuals to      the last part of an Internet domain name; that
create and carry out phishing attacks even        is, the letters that follow the final dot of any
without any technical knowledge.                  domain name. For example, in the domain
                                                  name www.example.com, the Top-Level Do-
Unique Phishing Web site: The phishing Web        main is com (or COM, as domain names are
sites that have a unique Web page are classi-     not case-sensitive).
fied as “Unique Phishing Websites”. URLs
from phishing toolkits that randomize their       Country Code Top-Level Domains (ccTLD):
URL string are observed to point to the same      Used by a country or a dependent territory. It
Web page and do not contain a unique Web          is two letters long, for example .us for the
page in each URL. Unique Phishing Web sites       United States.
are the ones where each attack is categorized
on distinct Web pages.                            Generic Top-Level Domains (gTLD): Used by a
                                                  particular class of organizations (for example,
Web-Hosting: Type of Internet hosting ser-        .com for commercial organizations). It is
vice which allows individuals and organiza-       three or more letters long. Most gTLDs are
tions to put up their own websites. These         available for use worldwide, but for historical
websites run on the space of Web host com-        reasons .mil (military) and .gov
pany servers accessible via the World Wide        (governmental) are restricted to use by the
Web. There are different types of Web host-       respective U.S. Authorities. gTLDs are sub
ing services namely, free Web hosting, shared     classified into sponsored Top-Level Domains
Web hosting, dedicated Web hosting, man-          (sTLD), e.g. .aero, .coop and .museum, and un-
aged Web hosting, etc. of which the free Web      sponsored Top-Level Domains (uTLD), e.g.
hosting service is commonly used to create        .biz, .info, .name and .pro.
phishing websites.

Typo-Squatting: Typo-squatting refers to the
practice of registering domain names that are
typo variations of financial institution web-
sites or other popular websites.

Phishing Lure: Phishing lures are URLs distrib-
uted in spam/phishing email utilized to lure
victims to fraudulent phishing websites.