One of the most striking statistics in our recent Security Intelligence Report (SIRv10) is the change in social network phishing (attacks focused on impersonating a social networking site in an attempt to steal and exploit your credentials). This change was briefly mentioned in Vinny’s blog post that announced the release of the SIR. I want to take a step back and look at this data in detail, starting with how the industry in general and the SIR in particular measure phishing. Common methods of measuring phishing are:
SIRv10 reports on the last two: the number of phishing websites and the number of times users attempted to go to a known phishing site. The term we use for these visitation attempts is phishing impressions. Our phishing impressions are measured through the SmartScreen Filter, a feature of Internet Explorer first introduced with version 7. In the past few years, phishing has been associated primarily with one vector, email, which usually carries a link to the phishing site. These traditional phishing emails entice a victim to click a link to an imposter website that attempts to extract their login credentials, personal information and so on. However, email is not the only way to get a user to click a link. A victim could be introduced to a phishing link in:
The SmartScreen Filter captures all of these vectors, so it doesn't matter how the link reached the user: if the link is clicked, the SmartScreen Filter detects and blocks the site, protecting the user. I stress "if the link is clicked", because counting only clicks adds a piece of the telemetry story that goes one step beyond prevalence: it measures how successful the lures were at tricking users into clicking. What was the number one lure at the end of 2010? Phishing related to social networks. In January 2010, social network phishing impressions (the number of links clicked) represented only 8.3 percent of all phishing impressions. By December 2010, that number had increased to 84.5 percent.

So, did volume change? Not really. With the exception of a spike of activity over the summer, the overall number of phishing impressions remained fairly constant throughout the year. On the other hand, the number of social network phishing impressions in December 2010 was 1,200% higher than the number counted in January. The following chart highlights this shift:

Figure 1. Impressions for each type of phishing site each month in 2010

A second method of measuring changes in phishing is to count the number of active, distinct phishing websites and categorize them by type of target (financial, gaming, social networks, etc.). In contrast to the changes described above for phishing impressions, the number of distinct phishing sites by type was remarkably constant, with sites impersonating financial institutions far outnumbering every other category in each month. While the share of phishing impressions by category varied greatly, the actual number of websites set up to do the phishing remained relatively stable in each category. The contrast between the large number of financial phishing sites and the relatively low number of financial phishing impressions (again, links users actually clicked) is striking. Conversely, social network phishing impressions skyrocketed while the number of sites doing the actual phishing barely changed.
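To make the difference between the two metrics concrete, here is a small added example (not code from the SIR, SmartScreen or the MMPC) that computes both from a list of block events. The event tuples, the category labels and the hostnames are constructed for illustration; the real SmartScreen telemetry schema is not described on this page and is assumed here to reduce to (month, blocked URL, target category). Impressions are counted once per block event, while "distinct sites" are counted once per hostname per month, so one social-network lookalike hit through many different URLs still counts as a single site.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample of SmartScreen-style block events: (month, blocked URL, target category).
# Hypothetical data; hostnames use the reserved .example TLD and never resolve.
EVENTS = [
    ("2010-01", "http://secure-login-bank.example/verify", "financial"),
    ("2010-01", "http://acct-update.example/login", "financial"),
    ("2010-01", "http://card-services.example/confirm", "financial"),
    ("2010-01", "http://friends-network.example/signin", "social"),
    ("2010-01", "http://free-gold.example/claim", "gaming"),
    ("2010-12", "http://secure-login-bank.example/verify", "financial"),
    ("2010-12", "http://acct-update.example/login", "financial"),
    ("2010-12", "http://card-services.example/confirm", "financial"),
    # One social-network lookalike host, reached through several URLs and clicked repeatedly.
    ("2010-12", "http://friends-network.example/signin", "social"),
    ("2010-12", "http://friends-network.example/signin?ref=wall", "social"),
    ("2010-12", "http://friends-network.example/photos/login", "social"),
    ("2010-12", "http://friends-network.example/signin", "social"),
    ("2010-12", "http://friends-network.example/app/auth", "social"),
    ("2010-12", "http://friends-network.example/signin", "social"),
    ("2010-12", "http://free-gold.example/claim", "gaming"),
]


def phishing_stats(events):
    """Return two dicts keyed by month, then category:
    impressions[month][category] -> number of block events (clicked links)
    sites[month][category]       -> number of distinct hostnames seen that month
    """
    impressions = defaultdict(Counter)
    hosts = defaultdict(lambda: defaultdict(set))
    for month, url, category in events:
        host = (urlsplit(url).hostname or "").lower()
        impressions[month][category] += 1
        hosts[month][category].add(host)
    sites = {m: {c: len(h) for c, h in cats.items()} for m, cats in hosts.items()}
    return dict(impressions), sites


def category_share(month_counter, category):
    """Fraction of a month's impressions that belong to one category (0.0 if no data)."""
    total = sum(month_counter.values())
    return month_counter[category] / total if total else 0.0


def pct_increase(old, new):
    """Percent increase from old to new, the way the post states the December vs. January change."""
    if old == 0:
        raise ValueError("no baseline impressions to compare against")
    return (new - old) / old * 100.0


if __name__ == "__main__":
    imp, sites = phishing_stats(EVENTS)
    for month in sorted(imp):
        for cat in sorted(imp[month]):
            print(f"{month} {cat:10s} impressions={imp[month][cat]:2d} "
                  f"sites={sites[month][cat]} share={category_share(imp[month], cat):.0%}")
    print("social impressions, Dec vs Jan: "
          f"{pct_increase(imp['2010-01']['social'], imp['2010-12']['social']):.0f}% higher")
```

In this constructed sample, financial sites outnumber every other category in both months while their impressions stay flat, and a single social-network host accounts for 60% of December's impressions. That is the same shape as Figures 1 and 2: site counts are a supply-side measure, impressions a measure of which lures actually got clicked.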
Figure 2. Active phishing sites tracked each month in 2010, by type of target

A number of reasons could explain the discrepancy:
In any case, a number of practices can help avoid trouble:
Stay safe, and enjoy the Microsoft Security Intelligence Report. We have much more to tell you about it, so stay tuned to our blog for more deep dives on some of the more interesting topics. - Holly Stewart, MMPC