One of the most striking statistics in our recent Security Intelligence Report (SIRv10) is the change in social network phishing (attacks focused on impersonating a social networking site in an attempt to steal and exploit your credentials). This change was briefly mentioned in Vinny’s blog post that announced the release of the SIR.
 
I want to take a step back and look at this data in detail, starting with how the industry in general and the SIR in particular measure phishing. Common methods of measuring phishing are:

  • Volume of phishing emails received on a particular topic
  • Number of websites found that were phishing websites
  • Number of times users did or tried to go to those phishing websites

In SIRv10 reports on the last two - the number of phishing websites and the number of times users attempted to go to a known phishing site. The term we use for these visitation attempts is phishing impressions. Our phishing impressions are measured through the SmartScreen Filter, a feature of Internet Explorer first introduced with version 7.
 
In the past few years, phishing has been primarily associated with one primary vector – email, which often contains a link to the phishing site. These traditional phishing emails entice a victim to click a link to an imposter website that attempts to extract their login credentials, personal information, etc. However, other methods of enticing a user to click a link exist. A victim could be introduced to a phishing link in:

  • An instant message
  • A pop-up (or pop-under)
  • An infected website
  • An abused website (such as a website that allows users to post unmonitored or unregulated content)

The SmartScreen Filter captures all of these vectors. So, it doesn’t matter how the link arrived to the user – the SmartScreen Filter will detect and block, protecting the user, if the link is clicked. I stress if the link is clicked, because counting only when the link is clicked provides another piece of this telemetry story that goes one step beyond prevalence. It measures the success of the lures that sufficiently tricked users into to clicking that link.
 
What was the number one lure at the end of 2010? Phishing related to social networks. In January 2010, social network phishing impressions (the number of links clicked) represented only 8.3 percent of all phishing impressions. By December 2010, that number had increased to 84.5 percent. So, did volume change? Not really. With the exception of a spike of activity over the summer, the overall number of phishing impressions remained fairly constant throughout the year. On the other hand, the number of social network phishing impressions in December 2010 were 1,200% higher than the number counted in January. The following chart highlights this shift seen this year:
 

Figure 1. Impressions for each type of phishing site each month in 2010
 
A second method of measuring changes in phishing is to count the number of active, distinct phishing websites and categorize them by each type (financial, gaming, social networks, etc). In contrast to the changes described above for phishing impressions, the number of distinct phishing sites by type were incredibly constant, each month showing that sites impersonating financial institutions far outnumbered any other category.
 
While the categories in phishing impressions varied greatly, the actual number of websites set up to do the phishing remained relatively stable in each category. The difference between the large numbers of financial phishing sites and the relatively lower numbers of financial phishing impressions (again, links the users actually clicked) is striking. Conversely, social network phishing impressions skyrocketed while the number of phishing sites used to do the actual phishing varied minimally.


Figure 2. Active phishing sites tracked each month in 2010, by type of target
 
A number of reasons could explain the discrepancy:

  • The tactics for social network phishing are more crafty
    (for example, the phishing message comes from your friend – who has already had their account compromised)
  • The financial phishing sites are more likely to be discovered and taken down quickly, but require rapid replacement
  • Users are becoming more weary of financial phishing and let their guard down when it comes to social networks

In any case, a number of practices can help avoid trouble:

  • Employ technologies that help block phishing sites. (Shameless plug: Internet Explorer SmartScreen Filter is a great choice)
  • Click unsolicited links with caution. Emails, instant messages, pop-ups and links that may appear to come from friends or found on other websites may not be legitimate
  • Rather than clicking that link, considering going directly to the social network’s website, logging in directly, and then checking out what’s new

Stay safe, and enjoy the Microsoft Security Intelligence Report. We have much more to tell you about it, so stay tuned to our blog for more deep dives on some of the more interesting topics.
 
- Holly Stewart, MMPC