Phishing is a method of credential theft that tricks Internet users into revealing sensitive information, such as personal or financial information, online. Phishers use phony websites or deceptive email messages that mimic trusted businesses and brands to steal sensitive information, such as user names, passwords, credit card numbers, and other identification numbers.
How Microsoft Tracks Phishing Sites and Phishing Impressions
Microsoft gathers information about phishing sites and impressions from phishing impressions generated by users who choose to enable the Phishing Filter or SmartScreen Filter in Internet Explorer. A phishing impression is a single instance of a user attempting to visit a known phishing site with Internet Explorer and receiving a warning, as illustrated in the figure on the left below. The figure on the right compares the volume of active phishing sites in the Microsoft URL Reputation Service database each month with the volume of phishing impressions tracked by Internet Explorer.
Figure on left: how Microsoft tracks phishing impressions; figure on right: phishing sites and impressions tracked each month from July 2010 to June 2011 relative to the monthly average for each, as reported in the Microsoft Security Intelligence Report volume 11
Following a large spike in impressions in June 2010, the figures for both sites and impressions were mostly stable over the following 12 months. Most phishing sites are short lived, and attackers often create new ones to replace older ones as they are taken offline, so the list of known phishing sites is prone to constant change without significantly affecting overall volume.
Phishing impressions and active phishing pages rarely correlate strongly with each other. In August 2010, the month with the highest number of impressions in the twelve months shown, the number of active phishing sites tracked was actually near its lowest level for the entire period.
Who are Phishers Targeting
Phishers target specific institutions, seeking to victimize the customers or users of these institutions. The two figures below show the percentage of phishing impressions and active phishing sites, respectively, recorded by Microsoft during each month in the first half of 2011 for the most frequently targeted types of institutions.
Figure on left: Impressions for each type of phishing site each month in the first half of 2011 (1H11), as reported by SmartScreen Filter as reported in the Microsoft Security Intelligence Report volume 11; figure on right: Active phishing sites tracked each month in the first half of 2011 (1H11), by type of target as reported in the Microsoft Security Intelligence Report volume 11
Phishers have traditionally targeted financial sites more than other types of sites, but the largest share of phishing impressions in the first half of 2011 was for sites that targeted social networks, reaching a high of 83.8% of impressions in April. Overall, impressions that targeted social networks accounted for 47.8% of all impressions in the same time period, followed by those that targeted financial institutions at 35.0%.
By contrast, phishing sites that targeted financial institutions accounted for an average of 78.3% of active phishing sites tracked each month in the first half of 2011, compared to just 5.4% for social networks. One explanation for this is that there are a relatively large number of financial institutions targeted by phishers (numbering in the hundreds) that require customized phishing approaches for each one. But the number of popular social networking sites is much smaller; phishers who target social networks can effectively target many more people per site. That said, the allure of direct illicit access to victims’ bank accounts likely means that financial institutions will remain perennially popular phishing targets. Additionally, many social networks have their own messaging systems for their users that can be leveraged for phishing. To date there hasn’t been the type of sustained user education around social network targeted phishing as there has been for financial institutions for many years.
This phenomenon also occurs on a smaller scale with online services and gaming sites. A small number of online services account for the majority of traffic to such sites, so phishing sites that targeted online services garnered 11.0% of impressions with just 3.6% of sites. Online gaming traffic tends to be spread out among a larger number of sites, so phishing sites that targeted online gaming destinations accounted for 8.9% of active sites but gained just 4.3% of impressions.
Phishing sites that targeted e-commerce sites were responsible for just 3.8% of active sites and 1.9% of impressions, suggesting that phishers have not found e-commerce sites to be especially profitable targets.
The Global Distribution of Phishing Sites
Most phishing sites are short-lived, and attackers often create new ones to replace older ones as they are taken offline. Subsequently, the list of known phishing sites is prone to constant change. Phishing sites are hosted all over the world on free hosting sites, on compromised web servers, and in numerous other contexts. Performing geographic lookups of IP addresses in the database of reported phishing sites makes it possible to create maps that show the geographic distribution of sites and to analyze patterns.
Figures: phishing sites per 1,000 Internet hosts for locations around the world in the first quarter (left) and second quarter (right) of 2011 as reported in the Microsoft Security Intelligence Report volume 11
Locations with smaller populations and fewer Internet hosts tend to have higher concentrations of phishing sites, although in absolute terms most phishing sites are located in large, industrialized countries/regions with large numbers of Internet hosts.
The worldwide distribution of phishing sites remained mostly consistent between the first and second quarters of 2011. Notable exceptions during this time period include China, Canada and France. Phishing sites per thousand hosts in China increased from 0.35 in the first quarter of 2011 to 2.54 in the second quarter. Phishing sites hosted in Canada decreased from 2.05 to 1.02 per thousand hosts and in France from 1.34 to 0.81 per thousand hosts.
Defending Against Phishing Attacks
Phishers won’t be going away as long as phishing attacks continue to be successful for them. Remember that phishers generally don’t care what browser or operating system potential victims are using – if your system(s) are used to surf the web and/or send and receive email, you should be on guard for phishing attacks. Here is some guidance to help you protect yourself and your organization.
- Phishing: Frequently asked questions
- How to recognize phishing email messages, links, or phone calls
- Enable or disable links and functionality in phishing email messages
- Safe browsing guidance
- Protecting the people in your organization
- Guarding Against Email Threats