We recently published volume 15 of the Microsoft Security Intelligence Report. This volume of the report contains detailed data on the types of phishing attacks Microsoft products helped to block during the first half of 2013. For the first time ever, the report also contains data on phishing attacks that targeted mobile device users; data on the phishing sites that Windows Phone 8 devices encountered provides valuable insights into one of the ways attackers are trying to take advantage of the rapidly growing number of mobile devices coming online.
Phishing is a method of credential theft that tricks Internet users into revealing sensitive information, such as personal or financial information, online. Any system or device that sends and receives email and allows users to surf the Internet is at risk from this type of attack. One way that Microsoft helps to protect customers from phishing attacks is by trying to identify phishing sites and warning people about them if they attempt to visit them. Microsoft gets information about phishing sites and phishing impressions from users who choose to enable the Phishing Filter or SmartScreen Filter in Internet Explorer. A phishing impression is a single instance of a user attempting to visit a known phishing site with Internet Explorer and being blocked. If you are interested in more details on how this works, please see an article that I published a while back called Phishing Financial Institutions & Social Networks.
Figure 1: SmartScreen Filter in Internet Explorer blocks reported phishing and malware distribution sites to protect users
The Volume of Attacks
The numbers of active phishing sites and impressions rarely correlate strongly with each other. Phishers sometimes engage in campaigns that temporarily drive more traffic to each phishing page without necessarily increasing the total number of active phishing pages they maintain at the same time. As seen in Figure 2, there was a spike in impressions across all devices (PCs and mobile devices) in May, when impressions rose to 153.6 percent of the monthly average. This is a characteristic pattern that might have been caused by one or more phishing campaigns. With the exception of the spike in impressions in May, both sites and impressions were mostly stable throughout the first half of 2013, with both declining gradually between January and June.
Figure 2: Phishing sites and impressions reported by SmartScreen Filter across all devices (PCs and Windows Phone 8), January–June 2013, relative to the monthly average for each – as published in the Microsoft Security Intelligence Report volume 15
As the growth in adoption of mobile Internet connected devices continues, so does the volume of phishing impressions from mobile devices. Phishing impressions reported by Internet Explorer running on Windows Phone 8 varied significantly from month to month during the first half of 2013; as Figure 3 illustrates, the number of impressions reported in June (the month with the highest number of impressions) was more than double the number reported in April (the month with the lowest number of impressions). The number of unique phishing sites encountered by mobile device users more than doubled between February and June.
Figure 3: Phishing sites and impressions reported by SmartScreen Filter on Windows Phone 8, January–June 2013, relative to the monthly average for each – as published in the Microsoft Security Intelligence Report volume 15
The Targets of Attacks
Historically, phishing attacks have tended to target financial institutions and social networks more than other types of sites, as illustrated in Figure 4. Financial institutions have always been popular phishing targets because of their potential for providing direct illicit access to victims’ bank accounts. The increase in the relative number of financial institution phishing impressions in March and April, along with the corresponding dip in the relative number of social network phishing impressions, suggest the existence of one or more organized phishing campaigns targeting financial institutions during those months. There are far fewer social networks than financial institutions, i.e. there are thousands of banks but only one Facebook, one LinkedIn, one Twitter, etc. Subsequently, most social networking activity involves a small number of very popular websites, allowing phishers to more easily target large numbers of victims without having to maintain many different phishing sites. In contrast, financial activity worldwide takes place over a much larger number of sites, and attackers need to tailor their phishing sites individually to target each one. This explains why the percentage of phishing sites targeting financial institutions is so much higher than the percentage targeting social networks, as seen in Figure 5.
But in January of 2013 we saw things start to change. As Figures 4 and 5 illustrate, attackers have also been focused on targeting online services recently, with the percent of both phishing impressions and phishing sites more than doubling in the first half of 2013; the number of active phishing sites that targeted online services increased steadily throughout the first half of 2013, from 15.4 percent of all phishing sites in January to 33.8 percent in June. Impressions increased commensurately, from 8.7 percent of all impressions in January to 20.1 percent in June.
Figure 4 (Left): Impressions across all devices (PCs and Windows Phone 8) for each type of phishing site, January–June 2013, as reported by SmartScreen Filter; Figure 5 (right): Unique phishing URLs visited by Internet Explorer running on all devices (PCs and Windows Phone 8) for each type of phishing site, January–June 2013
The picture for mobile device users was a little different. The popularity of social networking activity on mobile platforms is reflected in the phishing impressions reported by devices running Windows Phone 8. Phishing sites that targeted social networking sites were responsible for more than three times as many mobile impressions as all other phishing sites combined for most months in the first half of 2013. The number of social networking impressions remained high throughout the period, even as the number of unique phishing URLs that targeted social networks declined by more than half between January and June. The number of phishing sites targeting online services being accessed by mobile users increased significantly between March and June as seen in Figure 7.
Figure 6 (Left): Impressions reported by SmartScreen Filter on Windows Phone 8 for each type of phishing site, January–June 2013; Figure 7 (right): Unique phishing URLs visited by Internet Explorer on Windows Phone 8 for each type of phishing site, January–June 2013, by type of target
The Origin of Phishing Attacks
Phishing sites are hosted all over the world on free hosting sites, on compromised web servers, and in numerous other contexts. Locations and relative concentrations of phishing sites are dynamic and can change rapidly. In the second quarter of 2013, locations with higher than average concentrations of phishing sites included Indonesia (11.6 per 1,000 Internet hosts), Ukraine (10.9), and Russia (8.5). Locations with low concentrations of phishing sites included Taiwan (1.2), Japan (1.3), and Korea (1.9).
Figure 8 (Left): Phishing sites per 1,000 Internet hosts for locations around the world in the first quarter of 2013; Figure 9 (right): Phishing sites per 1,000 Internet hosts for locations around the world in the second quarter of 2013
In the United States, the states with the highest concentrations of phishing sites in the second quarter of 2013, included Utah (13.4 per 1,000 Internet hosts in 4Q12), Georgia (10.0), and Arizona (7.7). States with low concentrations of phishing sites included West Virginia (0.4), Minnesota (0.9), and North Dakota (1.0).
Figure 10 (Left): Phishing sites per 1,000 Internet hosts for US states in the first quarter of 2013; Figure 11 (right): Phishing sites per 1,000 Internet hosts for US states in the second quarter of 2013
Defending Against Phishing Attacks
Phishers generally don’t care what browser, operating system, or mobile device potential victims are using. As I mentioned earlier, if your system(s) or mobile device(s) are used to surf the web and/or send and receive email, you should be on guard for phishing attacks. Here is some guidance to help you protect yourself and your organization.
- Phishing: Frequently asked questions
- How to recognize phishing email messages, links, or phone calls
- Enable or disable links and functionality in phishing email messages
- Safe browsing guidance
- Protecting the people in your organization
- Guarding Against Email Threats