Posted October 8, 2014
Cyveillance is an enthusiastic Premium sponsor and Steering Committee member of the Anti-Phishing Working Group (APWG). Last month, the APWG held its eCrime Research Symposium 2014 in Birmingham, Alabama. The event coincided with the APWG’s release of its semi-annual report on global phishing trends. Among other findings, the report showed that Apple was the most-phished brand in the first half of 2014.
Back at Cyveillance, researchers were independently examining the previous 12 months’ worth of phishing URLs we have delivered for clients. Why? Because the better our systems and analysts can recognize a phishing attack, the faster we can get the site taken down, and the sooner our clients are happy.
In this post we’ll share an observation based on that data. Generally, we were examining the following scenario: if you only have a URL and cannot see the actual webpage where a phishing attack may take place, what conclusions might you draw?
More specifically, the question we sought to answer was whether it’s true that sites which are more popular are less likely to be involved in phishing attacks. If you’ve been working in anti-phishing for a while, you’ve probably noticed that big, popular sites like espn.com, expedia.com, or nbcnews.com are unlikely to be found hosting any phishing attacks. This is likely because those sites have lots of resources to shore up their defenses and prevent such chicanery. But we prefer to test assumptions like that instead of relying on hunches.
Looking at that group of all phishing URLs Cyveillance saw over a September 2013 through September 2014 period, we found a little more than 72,000 unique domains. We decided to test our hypothesis by looking at the global Alexa scores for a random sample of those 72,000 domains, as Alexa scores are a widely accepted gauge for website popularity. Low Alexa scores mean a site is very popular, and high scores mean the site is not popular. For example, forbes.com is a very popular online destination and has a corresponding very low Alexa score.
Of the 2,000 randomly selected domains involved in phishing attacks we saw in that twelve-month period, we found…
- Only 493/2000 were popular enough to even receive an Alexa score
- The best Alexa score in the pack of the 2,000 randomly selected domains was 215. The worst was 19,133,355.
- The average Alexa score in the pack of the 2,000 randomly selected domains was 8,626,861. The standard deviation of those scores was 5,955,740.
- The likelihood of a domain having a phishing attack and having an Alexa score between 0 and 100,000 is 0.2%. That is to say, 99.8% of the time, sites with Alexa scores between 0 and 100,000 will not be hosting a phishing attack.
The last detail above is perhaps the most actionable for security professionals. While there will certainly be exceptions, particularly on sites where user-generated content is present like wordpress.com or blogspot.com, we can pretty confidently conclude that if a site’s Alexa score is good, it’s very unlikely that the site is involved in a phishing attack. We suspected that before, but now the numbers confirm it.
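The tally described above can be run over any URL feed with a locally held rank table. The following is an added example, not Cyveillance's code: the rank table, the URLs, and the `ranked_domain` and `summarise` helpers are constructed for illustration. It also lists well-ranked user-generated-content hosts such as wordpress.com separately, since that is the exception noted above.

```python
from statistics import mean, stdev
from urllib.parse import urlsplit

# Constructed sample data, not Cyveillance's: a popularity rank table
# (lower = more popular) and URLs standing in for a phishing feed.
RANKS = {"wordpress.com": 30, "big-portal.example": 215,
         "small-shop.example": 4_200_000, "tiny-blog.example": 19_000_000}
SHARED_HOSTS = {"wordpress.com", "blogspot.com"}  # user-generated content sites
PHISH_URLS = [
    "http://login.small-shop.example/secure/update.php",
    "http://tiny-blog.example/wp-content/x/index.html",
    "http://acct-verify.wordpress.com/",
    "http://big-portal.example/~user/signin.htm",
    "http://unranked-host.example/bank/",
    "http://203.0.113.7/secure/login/",
]

def ranked_domain(url, ranks=RANKS):
    """Longest suffix of the URL's hostname found in the rank table, else None."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels) - 1):       # never try the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in ranks:
            return candidate
    return None

def summarise(urls, ranks=RANKS, cutoff=100_000):
    """Per-domain statistics of the kind the post reports, from URLs alone."""
    domains = {ranked_domain(u, ranks) or urlsplit(u).hostname for u in urls}
    scored = sorted(ranks[d] for d in domains if d in ranks)
    popular = sorted(d for d in domains if ranks.get(d, cutoff + 1) <= cutoff)
    return {
        "domains": len(domains),
        "ranked": len(scored),
        "best": scored[0] if scored else None,
        "worst": scored[-1] if scored else None,
        "mean": mean(scored) if scored else None,
        "stdev": stdev(scored) if len(scored) > 1 else None,
        # Share of phishing domains ranked within the cutoff.
        "share_popular": len(popular) / len(domains) if domains else 0.0,
        # A good rank on a shared host says nothing about the subdomain.
        "popular_shared_hosts": [d for d in popular if d in SHARED_HOSTS],
    }

if __name__ == "__main__":
    for key, value in summarise(PHISH_URLS).items():
        print(f"{key}: {value}")
```

Subdomains are folded into the ranked parent domain, so a phishing page on a shared host inherits that host's rank; `popular_shared_hosts` keeps those cases visible for manual review.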