Phishing fighters have less than hour to act
Written by John P Mello Jr on December 16, 2010
White Hat reaction times to phishing campaigns have vastly improved over time, but they may not be improving fast enough.
A recent study by anti-phishing plug-in maker Trusteer shows that 50 percent of all the information harvested in a phishing campaign is harvested within an hour of its malicious mails hitting its guppies' inboxes. Since it usually takes at least an hour for the security community to recognize a campaign, and even longer to take down a phishing site, Trusteer is calling the first 60 minutes of a phishing campaign the “Golden Hour.”
“The fact that so many Internet users visit a phishing website within such a short period of time means that blocking a phishing Web site–which is sometimes a cracked legitimate site–in this golden hour has become absolutely critical,” Amit Klein, the company’s chief technology officer, wrote in a blog post.
Trusteer also found that within five hours of operation a phishing site will have collected, collated and prepared for use by cybercriminals 80 percent of the credentials that will be harvested by the site; in 10 hours, 90 percent will be processed. What that means is that blocking a phishing site after five hours of operation is almost irrelevant, Klein reasoned.
“A more effective model would prevent users from being directed to a phishing site and/or prevent them from entering their credentials if they do end up on a criminal site,” he added.
Phishing sites not only need little time to reap their ill-gotten gains, but little success to make big bucks, according to a study of phishing attacks at 10 large banks in the United States and Europe performed by Trusteer last year. The study was a groundbreaker because, unlike others that just look at the number and origin of attacks by phishers, it quantified how successful attacks are, how many users respond to the attacks and how many targets actually give up their logins to the net miscreants.
For every million bank customers, Trusteer reported, 12.5 are lured to a phishing site. Over a year that means about 1.04 percent of a bank’s customers visit a phishing website.
Although a low percentage of customers are snared by phishers, the cybercriminals’ success rate jumps substantially once they get a target to their site. Then they have a 50 percent chance of prying personal information from the customer. That amounts to 4700 logins a year falling into criminal hands for every one million banking customers.
The relatively high success rate once a phishing site captures a target’s eyeballs is a testament to how sophisticated cybercriminals have become in disguising their intentions. There are very few clues at many phishing sites that something is amiss. Phishers cleverly disguise their sites’ URLs to give them the look of a legitimate banking site. It takes a keen eye to notice that a site’s URL isn’t genuine.
One tip-off is that bank sites use https. Sites using https have security certificates associated with them. If a certificate is issued by an untrustworthy authority, most browsers will alert the user. Rather than risk discovery by a certificate-sniffing browser, most phishers will just avoid using https and hope a target doesn’t know that a site without https support claiming to be affiliated with a bank probably isn’t a bank site.
With such small success rates, one might wonder why phishing is so popular among denizens of the net’s criminal underworld. As with spam, the answer lies in volume. If each of the 4700 compromised accounts nets phishers $2000, then they can rake in $9.4 million for every million bank customers in the world. Even if each stolen account yields only $500–which would be a very low number, according to Trusteer–it would result in $2.35 million in purloined funds per million bank customers.
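The golden-hour curve (50 percent of credentials harvested at one hour, 80 percent at five, 90 percent at ten) and the per-million-customer loss arithmetic above can be turned into a small response-time planning model. The code below is an added example, not Trusteer’s or the article’s; it assumes the curve is linear between the quoted points, flat at 90 percent after ten hours, and that a site that is never blocked eventually harvests everything.

```python
from typing import Optional

# Cumulative share of a campaign's credentials harvested, by hours since launch,
# taken from the figures quoted in the article.
HARVEST_CURVE = [(0.0, 0.0), (1.0, 0.50), (5.0, 0.80), (10.0, 0.90)]

# Article figure: compromised logins per million customers per year.
LOGINS_PER_MILLION_PER_YEAR = 4700


def harvested_share(takedown_hours: Optional[float]) -> float:
    """Share of credentials already harvested when the site is blocked.

    Assumptions (this example's, not the article's): linear between quoted
    points, flat at 90% after 10 hours, None = never blocked = 100%.
    """
    if takedown_hours is None:
        return 1.0
    if takedown_hours < 0:
        raise ValueError("takedown_hours must be non-negative")
    for (h0, s0), (h1, s1) in zip(HARVEST_CURVE, HARVEST_CURVE[1:]):
        if takedown_hours <= h1:
            return s0 + (s1 - s0) * (takedown_hours - h0) / (h1 - h0)
    return HARVEST_CURVE[-1][1]


def latest_takedown_for(max_share: float) -> float:
    """Hours by which a site must be blocked to hold harvest at or below max_share.

    Inverse of harvested_share on the same interpolated curve.
    """
    if not 0.0 <= max_share <= HARVEST_CURVE[-1][1]:
        raise ValueError("max_share outside the modelled range (0 to 0.90)")
    for (h0, s0), (h1, s1) in zip(HARVEST_CURVE, HARVEST_CURVE[1:]):
        if max_share <= s1:
            return h0 + (h1 - h0) * (max_share - s0) / (s1 - s0)
    return HARVEST_CURVE[-1][0]


def expected_loss_usd(takedown_hours: Optional[float],
                      per_account_usd: float = 2000,
                      customers: int = 1_000_000) -> float:
    """Annual expected loss at a given takedown latency.

    Scales the article's 4,700 logins per million customers per year by the
    harvested share, assuming every campaign is blocked at the same latency.
    """
    logins = LOGINS_PER_MILLION_PER_YEAR * customers / 1_000_000
    return logins * harvested_share(takedown_hours) * per_account_usd
```

With no takedown at all the model reproduces the article’s $9.4 million (at $2000 per account) and $2.35 million (at $500); blocking within the first hour halves that, while blocking at five hours saves only a fifth.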
“As an industry, our goal should be to reduce the time it takes for institutions to detect they are being targeted by a phishing attack from hours to within minutes of the first customer attempting to access a rogue phishing page,” Klein declared.
“We also need to establish really quick feeds into browsers and other security tools, so that phishing filters can be updated much more quickly than they are today. This is the only way to swiftly take down phishing websites, protect customers, and eliminate the golden hour,” he added.