The evolution of a phishing attack is quite straightforward. At first, the fraudsters compromise a vulnerable server and deploy a package called a "phishing kit," which contains a clone of the targeted institution's application. Then, mass mailing activities are carried out with the aim of reaching a large number of recipients. Finally, the fraudsters use social engineering techniques to entice victims to submit their credentials, from which the fraudsters attempt to derive valid credentials. This only works if the fraudsters are able to convince users to trust the phishing website, or at least trick them into believing it is a legitimate site so that it raises no suspicion. Of course, this is not always a painless task.
Symantec has carried out several forensic analyses in order to evaluate the distribution of phished users over the different phases described above. Specifically, I want to focus my attention on the portion of users submitting valid credentials after visiting a phishing website. The figure below illustrates this statistic for a recent single attack. This attack caught my eye, particularly because of the number of visits it achieved and the extended timeframe during which it survived before being taken offline.
Over the twelve days taken into consideration in this sample, an average of 1.6% of users provided their credentials and so were successfully phished. Further Symantec analysis conducted on other recent attacks confirmed that the average percentage of users effectively phished after visiting a clone website is usually between 1% and 2%. This percentage may not seem very high, but consider an analogous phishing study completed in 2006, which provides a similar result of 2% of users effectively phished (Gartner, November 2006). Given the technological advancements adopted over the past two years, the fact that the percentage of users being phished is, unfortunately, remaining relatively stable is of some concern. On the other hand, there are more phishing websites and an increased number of phishing attacks these days; therefore there is a much larger pool of potential victims of phishing threats. These facts point to some success for the various protection software (e.g. browser toolbars, anti-phishing software) that warns web visitors about the potential threats of particular websites, and/or an increase in web-conscious users who are wary of the suspicious URLs they are visiting.
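As an added illustration (not code from the original post or from Symantec), the following Python script computes this kind of visit-to-submission funnel from a seized phishing kit's web server access log, the way an incident responder would measure how many visitors went on to submit credentials; the log lines are constructed, and the kit's `/login.php` and `/verify.php` paths are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (RFC 5737 test addresses, not real traffic). The kit is
# assumed to serve the clone at /login.php and collect credentials at /verify.php.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Mar/2008:10:01:12 +0000] "GET /login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [03/Mar/2008:10:02:40 +0000] "GET /login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [03/Mar/2008:10:03:05 +0000] "POST /verify.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.12 - - [03/Mar/2008:11:15:00 +0000] "GET /login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.5 - - [04/Mar/2008:09:00:00 +0000] "GET /login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.6 - - [04/Mar/2008:09:05:00 +0000] "GET /login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2008:09:07:00 +0000] "GET /logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.8 - - [04/Mar/2008:09:09:00 +0000] "POST /verify.php HTTP/1.1" 302 0 "-" "curl/7.18"
"""

def parse_line(line):
    """Return (ip, day, method, path) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    return (m["ip"], m["day"], m["method"], m["path"]) if m else None

def phishing_funnel(log_text, login_path="/login.php", submit_path="/verify.php"):
    """Per day: distinct IPs that loaded the clone login page, and the subset that
    then POSTed to the credential handler. A POST proves a submission, not valid
    credentials; IP counting undercounts users behind NAT and ignores POSTs from
    sources that never loaded the page (scanners, researchers)."""
    visitors, submitters = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, day, method, path = rec
        if method == "GET" and path == login_path:
            visitors[day].add(ip)
        elif method == "POST" and path == submit_path and ip in visitors.get(day, ()):
            submitters[day].add(ip)
    return {day: {"visitors": len(ips), "submitters": len(submitters[day]),
                  "rate": len(submitters[day]) / len(ips)}
            for day, ips in visitors.items()}

def overall_rate(funnel):
    """Pooled submission rate across all days (0.0 when there were no visitors)."""
    v = sum(d["visitors"] for d in funnel.values())
    return sum(d["submitters"] for d in funnel.values()) / v if v else 0.0
```

Run over a real kit log, the per-day rates are what the figure above plots, and the pooled value corresponds to the 1.6% average quoted for the twelve-day sample.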
These statistics highlight, once again, how important it is to continue encouraging end users to practice safe online behaviors; that is, invite them to ensure the validity of the web application they are using as well as the legitimacy of the SSL certificate. In addition, it is just as important to assist them in taking care of their endpoints by recommending the use of software that is capable of protecting against the latest online threats; for example, many financial institutions have already started providing discounted consumer protection software to their customers. There is still a requirement for further technical advancement and also increased education for end users so that we can all continue to combat phishing threats.