Every IT department knows about phishing. But do they know that most of these attacks focus on brands, peak on Wednesdays and occur within 3 to 5 days of the registration of the domain name created for phishing purposes? A recent analysis allows us to present a complete profile of these attacks and to offer our recommendations to limit their scope.
The in-depth study conducted from May 1 to July 31, 2020, by Interisle Consulting Group leaves no doubt about the increasingly clever strategies deployed by fraudsters. During this short period, 99,412 domain names used for phishing and 122,092 attacks were identified, which gives a better sense of the scope of this phenomenon, which represents 43% of the attacks and in which brands are the preferred targets. The targets include banks, social media, tax services and universities and, to name the most famous, Amazon, Apple, AT&T, Chase, Facebook, LinkedIn, Microsoft, Outlook, PayPal and WhatsApp. Even worse, according to the data, more than 300 of them have been attacked at least five times!
Apart from these already significant figures, the study also helps to outline the current typical profile of phishing attacks: they are short (about 21 hours), take place mainly in the middle of the week and are not detected until 8 hours 44 minutes after the victims have started logging in.
It also shows that, for names with a known registration date, phishing attacks take place:
- within 14 days in 45% of cases;
- within the first 3 days for 57% of names registered for malicious purposes. Of these names identified as malicious, 17% (known as dormant) remain unused by hackers for more than 90 days after registration, while others remain unused for more than a year, awaiting future attacks.
- 54% of the names attacked are registered in .COM and .NET;
- only 24% use geographical extensions (ccTLDs), and the five preferred ones, which offer low-cost registrations, are .TK (Tokelau), .GA (Gabon), .ML (Mali), .CF (Central African Republic) and .GQ (Equatorial Guinea);
- 18% of the names are in the new extensions (while these nTLDs represent only 9% of all the domain names registered in the world); it is worth noting that .BUZZ (more particularly dedicated to social interactions) has risen to 5th place among the extensions used by hackers.
- certain evasive techniques used by fraudsters, such as “cloaking”, which consists of presenting different page content depending on whether the visitor is a human or a robot;
- the various policies governing data privacy that guarantee the anonymity of fraudsters, such as the GDPR.