Study: Most phishing pages are abandoned or disappear in a matter of days

Research from Kaspersky finds that a quarter of phishing sites are gone within 13 hours — how in the world can we catch and stop cyber criminals that move so quickly?

Email / envelope with black document and skull icon. Virus, malware, email fraud, e-mail spam, phishing scam, hacker attack concept. Vector illustration

Image: Vladimir Obradovic, Getty Images/iStockphoto

Research from cybersecurity firm Kaspersky has found that most phishing websites vanish or go inactive within days, giving us yet another reason to fear phishing: It’s fly-by-night, hard to track and happens in a flash. 

Kaspersky’s in-depth analysis of phishing websites found that nearly three quarters of all phishing pages stop showing signs of activity within 30 days. A quarter of those are dead within 13 hours, and half last no more than 94 hours, or just under 4 days.

The fear and paranoia that phishing can evoke may only be made worse by this news, but have faith: Kaspersky said that it believes its data “could be used to improve mechanisms for re-scanning pages which have ended up in anti-phishing databases, to determine the response time to new cases of phishing, and for other purposes,” all of which could make katching, tracking and killing phishing pages and their operators easier.

SEE: Google Chrome: Security and UI tips you need to know  (TechRepublic Premium)

Kaspersky pulled a total of 5,310 links identified as bad by its anti-phishing engine, and tracked those pages over the course of 30 days. “Over a thirty-day period from the moment a “phishing” verdict was assigned to a page, the analysis program checked each link every two hours and saved the response code issued by the server as well as the text of the retrieved HTML page,” Kaspersky said. 

Based on the information it gathered over that 30-day period, Kaspersky decided to focus on the title of the page, its size and its MD5 hash (which changes when any edit is made to a website). Those criteria allowed Kaspersky to build an analysis method that classified pages as having different content, a change in phishing target or no change.

What Kaspersky learned about phishing websites

A lot of information can be gleaned from those few publicly available statistics about a page, and Kaspersky has done just that with the phishing data it investigated. 

Life cycle statistics may be the most surprising; as mentioned above, phishing pages tend to vanish quickly. “The classification of links according to the number of hours they survived shows the bulk of phishing pages were only active for less than 24 hours. In the majority of cases, the page was already inactive within the first few hours of its life,” Kaspersky said in its report.

In addition to learning that phishing pages are short lived, the study also found that phishing pages almost always remain unchanged throughout their active period. Some changes do occur, as with a campaign targeting players of the PC game PlayerUnknown’s BattleGrounds that was regularly edited to keep up with in-game events. 

Not once, however, did a phishing website change its target in the course of Kaspersky’s study, which it attributed to the fact that many phishing websites rely on spoofed domain names made to closely mimic legitimate websites. “This kind of phishing is difficult to reorientate to copy a different organization, and it’s easier for the cybercriminals to create a new phishing page than tweak an existing one,” Kaspersky said. 

Pages also occasionally change something on the back end, which causes their MD5 hashes to change and phishing filters to not recognize the page if it uses hashes to identify content.

Kasperksy breaks its data down even further, grouping pages by four formal criteria: Date of domain creation, top level domain (like .com or .org), location of the phishing page on the website’s directory (root or somewhere else), and domain level where the page is located. 

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

There’s a lot of additional data to break down, and for all the details be sure to read Kaspersky’s full report. Suffice it to say, the most pertinent information for security professionals looking to identify phishing pages and root them out can be found in the statistics and easily rephrased as recommendations:

  •  Dynamic DNS website DuckDNS is a common way cybercriminals fake domain names: It’s a free DNS service that anyone can create a subdomain and register a site on. If your business has no connection to DuckDNS or its services, it may be a good idea to block it internally. 

  • Phishing pages located on website subdirectories are far more resilient than those at the top-level of a domain. If you’re worried about the integrity of your website, be sure to scan everything to check for suspicious code hiding out in a deep, rarely-frequented part of your site. 

  • Phishing pages rarely change. If you know that your people or organization have become a target, be sure to identify phishing pages and get them blocked as fast as possible. 

Unfortunately, without being able to put Kaspersky’s phishing site identification methodology into practice at a large scale, it only serves to remind us once again that phishing is real, it’s serious, and it’s incredibly tricky to pin down. Be sure you’re implementing best anti-phishing practices and other phishing awareness measures. 

Also see

Menu