Phishing: all IT departments know about it! However, do they know that most of these attacks focus on brands, peak on Wednesdays and occur within 3 to 5 days after the registration of the domain name created for phishing purposes? A recent analysis allows us to present a complete profile of these attacks and to offer our recommendations to limit their scope.
The in-depth study conducted from May 1 to July 31, 2020, by Interisle Consulting Group leaves no doubt about the increasingly clever strategies deployed by fraudsters. During this short period, 99,412 domain names used for phishing and 122,092 attacks were identified, which gives a better sense of the scope of this phenomenon, which represents 43% of the attacks and in which brands are the preferred targets. The targets include banks, social media, tax services and universities; the most famous are Amazon, Apple, AT&T, Chase, Facebook, LinkedIn, Microsoft, Outlook, PayPal and WhatsApp. Even worse, according to the data, more than 300 of them have been attacked at least five times!
Profiling phishing attacks to inform your tactics
Apart from these already significant figures, the study also helps to outline the current typical profile of phishing attacks: they are short (about 21 hours), take place mainly in the middle of the week and are not detected until 8 hours 44 minutes after the victims have started logging in.
It also shows that, for names with a known registration date, phishing attacks take place:
- within 14 days in 45% of cases;
- within the first 3 days for 57% of names registered for malicious purposes.
Of these names identified as malicious, 17% (known as dormant) remain unused by hackers for more than 90 days after registration, while others remain unused for more than a year, awaiting future attacks.
Furthermore, the study states that:
- 54% of the names attacked are registered in .COM and .NET;
- Only 24% use geographical extensions (ccTLDs), but the preferred five that offer low-cost registrations are .TK (Tokelau), .GA (Gabon), .ML (Mali), .CF (Central African Republic) and .GQ (Equatorial Guinea);
- 18% of the names are in the new extensions (while these nTLDs represent only 9% of all the domain names registered in the world); it is worth noting that .BUZZ (more particularly dedicated to social interactions) has risen to the 5th place of the extensions used by hackers.
However, it is likely that the extent of phishing is underestimated. The study mentions several reasons that could impede the detection and identification of attacks. These include:
- certain evasive techniques used by fraudsters, such as “cloaking”, which consists of presenting different page content depending on whether the visitor is a human or a robot;
- the various policies governing data privacy that guarantee the anonymity of fraudsters, such as the GDPR.
The favourite technique of hackers is identity theft (spoofing) and the gateway to the majority of deceptions remains the domain name. Indeed, in order to create the fraudulent e-mail address that will be used for their phishing operations, hackers need to register a deceptive domain name beforehand. While it is not possible to prevent the creation of an email address, it is perfectly possible to limit the registration of domain names that are considered risky.
If you notice a significant increase in attacks, you must reinforce their detection by putting suitable monitoring in place, and also prevent them through defensive registrations of highly targeted domain names.
For this reason, EBRAND offers you X-Ray, a brand new anti-phishing detection tool. This tool will monitor domain and subdomain records on an hourly basis to study the composition of fraudulent domain names and their registration frequency. The detection is done among the declared DNS records but also among other databases such as security certificates. Thanks to the study carried out, you will then be able to adapt your defensive strategy on the Internet more carefully. This method has proven to be very effective in anticipating attacks. In addition, hourly monitoring provides the necessary time margin to act before the 3-day deadline.
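A minimal triage pass over newly observed domain names, scoring them against the profile described above (brand look-alike, registration age, low-cost TLD). This is an added example, not X-Ray's code or method; the brand watchlist, owned-domain list, scoring weights and sample records are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed for this example: watchlist, owned names, weights, sample records.
BRANDS = ["paypal", "microsoft", "linkedin"]
OWNED = {"paypal.com", "microsoft.com", "linkedin.com"}
CHEAP_TLDS = {"tk", "ga", "ml", "cf", "gq", "buzz"}   # TLDs named in the article
HOMOGLYPHS = str.maketrans("0135", "oles")            # digit-for-letter swaps

def edit_distance(a, b):  # Levenshtein distance with a single rolling row
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def matched_brand(domain):
    """Return the watched brand a domain imitates, or None (owned names excluded)."""
    d = domain.lower().rstrip(".")
    if any(d == o or d.endswith("." + o) for o in OWNED):
        return None
    for label in d.split(".")[:-1]:                   # every label except the TLD
        for token in label.translate(HOMOGLYPHS).split("-"):
            for brand in BRANDS:
                if brand in token or edit_distance(token, brand) <= 1:
                    return brand
    return None

def triage(records, now):
    """Return (score, domain, brand), most urgent first; old (dormant) names are kept."""
    hits = []
    for domain, registered in records:
        brand = matched_brand(domain)
        if brand:
            age = now - registered
            recency = 2 if age <= timedelta(days=3) else 1 if age <= timedelta(days=14) else 0
            cheap = domain.lower().rsplit(".", 1)[-1] in CHEAP_TLDS
            hits.append((1 + recency + cheap, domain, brand))
    return sorted(hits, reverse=True)

NOW = datetime(2020, 7, 15, tzinfo=timezone.utc)
SAMPLE = [  # constructed (domain, registration time) records
    ("paypa1-login-demo.tk", NOW - timedelta(hours=20)),
    ("linkedln-jobs-demo.net", NOW - timedelta(days=10)),
    ("micros0ft-support-demo.buzz", NOW - timedelta(days=120)),  # dormant
    ("paypal.com", NOW - timedelta(days=7000)),
    ("gardening-tips.net", NOW - timedelta(days=1)),
]
```

Calling `triage(SAMPLE, NOW)` ranks the 20-hour-old `.tk` look-alike first and still lists the 120-day-old name, since dormant registrations can be activated later.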
For more information on the X-RAY solution, discover how it works on our purpose-built page.