Posted May 29, 2015
In this final installment of our three-part blog series, we’ll discuss original research presented by Cyveillance phishing experts at this week’s Anti-Phishing Working Group’s eCrime Symposium in Barcelona.
Today we delve deeper into data provided by Google’s URL Shortener API. Cyveillance submitted approximately ‘s worth of goo.gl links that deliver visitors to phishing attacks to the URL Shortener API. Today we examine where visitors come from, what type of computers they tend to use, and more.
Recap of Our Research
As mentioned in earlier posts in this three-part series, Cyveillance requested information from the URL Shortener API about 800 goo.gl links that lead to phishing attacks. Here’s an example of what some data looked like for a single goo.gl link that lead to a phishing attack against Apple Computer. (You can click on any of the images in this post to view larger versions in a new tab.)
Similar data was returned from the API for a total of 590 goo.gl links. In aggregate, some very interesting – and possibly counterintuitive – trends about phishing attacks were revealed.
What Type of Internet User Clicks Phishing Links?
Most People Who Click Phishing Links are Sitting at a Desktop Computer
Despite an ever-increasing trend towards more online browsing taking place on mobile devices like tablets and smart phones, almost nine of every ten clicks on these goo.gl links that lead to phishing attacks happened on a desktop computer!
Most People Who Click Phishing Links are Using Windows
Windows users made up three of every four clicks on these shortened links that lead to phishing attack URLs.
Most People Who Click Phishing Links are Using Internet Explorer
With the increased usage of browsers like Safari (particularly on iOS), Chrome, and Firefox, Microsoft’s Internet Explorer has seen less of total usage over time. Data from providers like akamai.io support this trend. However, in the data from 590 goo.gl URLs that lead to phishing attacks in our sample, Internet Explorer users accounted for three of every five clicks.
The data above paint a very singular image of what type of Internet user finds themselves exposed to a phishing attack sent by a cyber criminal: by and large, this person tends to be someone sitting in front of a desktop computer running Windows using Internet Explorer. The impact of anti-phishing education funding can be maximized by targeting populations that meet this criteria.
What Countries Account for Most Visits to Phishing Attacks?
Another data point available using the Link Shortener API is which countries clicked these goo.gl links. We found that every single attack contained a visit from the United States, and on average the number of clicks coming from the United States was significantly higher than from any other country.
It makes some sense that there were so many visits from the United States. The brands being impersonated in these phishing attack emails are commonly known brands in the United States, and the emails were presumably in the English language. Internet users in foreign countries that receive spam emails in English that reference American brands would probably be less likely to click the links in those emails.
The second most likely country to visit any of these phishing attacks was Israel. However, while visits from Israel were far more common than from any country other than the United States, the average number of clicks from Israel per attack was quite low. More investigation is required to better understand the high number of attacks which received visits from Israel.
We hope you’ve enjoyed the data in this three-part series on phishing attacks. Cyveillance will continue to fight for an Internet that is safe, and investigate tactics, techniques, and procedures used by cyber criminals. Please reach out to us if you have any questions!
Our Anti-Phishing solution protects businesses from the earliest stages of a phishing attack, including pharming and malware, to the takedown and removal of phishing websites. Contact us for more information.