Threat Intelligence Blog

Posted May 29, 2015

In this final installment of our three-part blog series, we’ll discuss original research presented by Cyveillance phishing experts at this week’s Anti-Phishing Working Group’s eCrime Symposium in Barcelona.

Today we delve deeper into data provided by Google’s URL Shortener API. Cyveillance submitted approximately ‘s worth of goo.gl links that deliver visitors to phishingPhishing: The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. attacks to the URL Shortener API. Today we examine where visitors come from, what type of computers they tend to use, and more.

Recap of Our Research

As mentioned in earlier posts in this three-part series, Cyveillance requested information from the URL Shortener API about 800 goo.gl links that lead to phishing attacks. Here’s an example of what some data looked like for a single goo.gl link that lead to a phishing attack against Apple Computer. (You can click on any of the images in this post to view larger versions in a new tab.)

phishing-attack-data

Similar data was returned from the API for a total of 590 goo.gl links. In aggregate, some very interesting – and possibly counterintuitive – trends about phishing attacks were revealed.

What Type of Internet User Clicks Phishing Links?

Most People Who Click Phishing Links are Sitting at a Desktop Computer

phishing-mobile-vs-desktop-cyveillance

Despite an ever-increasing trend towards more online browsing taking place on mobile devices like tablets and smart phones, almost nine of every ten clicks on these goo.gl links that lead to phishing attacks happened on a desktop computer!

Most People Who Click Phishing Links are Using Windows

phishing-platforms-cyveillance

Windows users made up three of every four clicks on these shortened links that lead to phishing attack URLs.

Most People Who Click Phishing Links are Using Internet Explorer

phishing-browsers-cyveillance

With the increased usage of browsers like Safari (particularly on iOS), Chrome, and Firefox, Microsoft’s Internet Explorer has seen less of total usage over time. Data from providers like akamai.io support this trend. However, in the data from 590 goo.gl URLs that lead to phishing attacks in our sample, Internet Explorer users accounted for three of every five clicks.

The data above paint a very singular image of what type of Internet user finds themselves exposed to a phishing attack sent by a cyber criminal: by and large, this person tends to be someone sitting in front of a desktop computer running Windows using Internet Explorer. The impact of anti-phishing education funding can be maximized by targeting populations that meet this criteria.

What Countries Account for Most Visits to Phishing Attacks?

phishing-countries-cyveillance

Another data point available using the Link Shortener API is which countries clicked these goo.gl links. We found that every single attack contained a visit from the United States, and on average the number of clicks coming from the United States was significantly higher than from any other country.

It makes some sense that there were so many visits from the United States. The brands being impersonated in these phishing attack emails are commonly known brands in the United States, and the emails were presumably in the English language. Internet users in foreign countries that receive spamSPAM: Unsolicited usually commercial messages (such as e-mails, text messages, or Internet postings) sent to a large number of recipients or posted in a large number of places. emails in English that reference American brands would probably be less likely to click the links in those emails.

The second most likely country to visit any of these phishing attacks was Israel. However, while visits from Israel were far more common than from any country other than the United States, the average number of clicks from Israel per attack was quite low. More investigation is required to better understand the high number of attacks which received visits from Israel.

Always Vigilant!

We hope you’ve enjoyed the data in this three-part series on phishing attacks. Cyveillance will continue to fight for an Internet that is safe, and investigate tactics, techniques, and procedures used by cyber criminals. Please reach out to us if you have any questions!

Our Anti-Phishing solution protects businesses from the earliest stages of a phishing attack, including pharming and malware, to the takedown and removal of phishing websites. Contact us for more information.

Additional Posts

Cyveillance Phishing Report: Top 20 Targets – June 1, 2015

  Phishing Report: Top 20 Targets Week of May 24 - 30, 2015   This week saw more than a ...

Link Shorteners in Phishing Attacks, Part II: How Many People Click on Phishing Attack Links?

In this three-part blog series, we'll discuss original research presented by Cyveillance phishing ...