Core Brands and Phishing
I recently looked at some data collected from the Norton Confidential server on brands spoofed in phishing attacks from June through December of 2006. In total, we saw phishing attacks on 343 different brands. Looking further into the data, I wanted to get a sense of which types of brands are consistently targeted by phishers.
I found that there were 57 “core” brands that were consistently spoofed in each month from June through December. These core brands were determined by identifying seven lists of brands, one for each month in our data collection (June through December) in which a new Web site spoofing that brand was reported. The core brands, then, made up the intersection of these lists.
There is a distinction between core brands and the most frequently spoofed brands. The former are brands that are consistently spoofed each month. The latter are brands that are the most frequently spoofed overall, measured by the number of Web sites that imitate these brands.
At first you might think that the most frequently spoofed brands would consist of core brands. It turns out that’s not true. In fact, among the top 57 most frequently spoofed brands, only 47 are on the list of core brands. Of these, the ninth most frequently spoofed brand from the data we gathered turned out not to be a core brand. That is, there was at least one month where no phishing Web sites spoofing that brand were reported.
At the other end of the spectrum, the 112th most frequently spoofed brand turned out to be a core brand. There were only twelve phishing Web sites that were set up to spoof it. One new site was reported in each of June, July, August, September, and November. Three new sites were reported in October and two sites were reported in December. The number of new sites, while not great, did increase at a consistent pace. (In a future blog entry, I plan to describe how these brands turn over from month to month in an effort to get a better picture of how phishers operate.)
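The core-versus-frequency comparison described above can be reproduced on any feed of phishing reports. The following is an added example, not code from the original analysis: the brand names and report counts are constructed, and the function names are hypothetical.

```python
from collections import Counter

MONTHS = ["2006-06", "2006-07", "2006-08", "2006-09",
          "2006-10", "2006-11", "2006-12"]

def build_sample_reports():
    """Constructed data: one (month, brand) tuple per newly reported site."""
    reports = []
    for m in MONTHS:
        reports += [(m, "brand-a")] * 20           # heavy and steady
        if m != "2006-09":
            reports += [(m, "brand-b")] * 15       # heavy, one silent month
        low = {"2006-10": 3, "2006-12": 2}.get(m, 1)
        reports += [(m, "brand-c")] * low          # light but every month
    reports += [("2006-07", "brand-d")] * 12       # a single burst
    return reports

def core_brands(reports, months):
    """Brands with at least one new site reported in every month."""
    by_month = {m: set() for m in months}  # a month with no reports stays empty
    for month, brand in reports:
        if month in by_month:
            by_month[month].add(brand)
    return set.intersection(*by_month.values())

def frequency_rank(reports):
    """Rank brands by total spoofing sites (1 = most spoofed)."""
    counts = Counter(brand for _, brand in reports)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return {brand: rank for rank, (brand, _) in enumerate(ordered, 1)}

def compare(reports, months, top_n):
    """Show where the core list and the top-N frequency list disagree."""
    core = core_brands(reports, months)
    rank = frequency_rank(reports)
    top = {b for b, r in rank.items() if r <= top_n}
    return {"core": core,
            "top_not_core": top - core,    # frequent but bursty
            "core_not_top": core - top}    # infrequent but persistent

if __name__ == "__main__":
    result = compare(build_sample_reports(), MONTHS, top_n=2)
    for key, brands in result.items():
        print(key, sorted(brands))
```

In the constructed data, brand-b plays the role of the high-volume brand with a silent month, and brand-c the low-volume brand that still appears every month.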
So far, the numbers continue to suggest that phishers do not always take a scatter-shot approach in their attack attempts. Instead, for specific targets, they prefer methodical smaller-scaled approaches, albeit at a consistent pace. Some phishers seem to conform to the adage that slow and steady wins the race. I don’t know that we can afford the same luxury when it comes to developing countermeasures.