Online Fraud in Italy: Analysis of 5830 Phishing Attacks
Since May, phishing attacks against Italian banks have been a visible but rather limited phenomenon. Most financial institutions reacted quickly, setting up proper fraud management processes, education campaigns for end users and technical countermeasures since early 2006. But in the last three months, Italian mailboxes have been flooded by millions of phishing emails, moving the problem to the next level.

Number of single URLs per month (July 07 data includes attacks until July 27th)
As the graph illustrates, the number of attacks grew 14 times from the 2006 peak (127 in August) to the current 2007 peak (1735 last May). Attack source analysis shows interesting numbers as well:

Attacks per hosting country and average time online
Public phishing statistics often report the overall number of attacks hosted in a specific country, but this is not the only interesting detail: phishing attacks are more dangerous when they can “survive” online until the majority of potential victims open the phish email. Our analysis shows how ISPs in some countries are relatively slower than others to shut down attacks. For example, Taiwan’s average shutdown time has been only 19 hours on 92 attacks, while in Australia the average for 98 attacks has been almost one week for a single shutdown. Other countries slow to respond include the USA and India. Countries identified as responding quickly include Germany, Netherlands, Japan, Estonia, Poland and Russia.
While this data reflects a situation currently peculiar to the Italian scenario (worldwide attack peaks have been measured since November 2006 due to the Rock Phish attack, with almost 40.000 single URLs reported by Mark Monitor in a single month), some thoughts around these numbers can be of general interest.
First of all, once the attacks that need to be managed increase beyond one or two per week, banks need an automated process to manage users’ and systems’ notifications. This should include setting up a dedicated mailbox monitored 24x7 in order to kick off the internal escalation process as quickly as possible, and delivering proper training to customer-facing personnel (including call center and branch employees) so that they can properly answer potentially scared or angry customers.
Encouraging end-users to practice safe behaviors online is another key point. Many banks engaged with antivirus vendors to provide either free or substantially discounted consumer protection software to their customers, and these initiatives have already been incredibly successful for online banking users. Other banks even decided to provide their own customers with dedicated mailboxes protected by central anti-spam systems that filter out phishing email and decrease the number of attacks reaching the end-user.
Finally, as the second graph suggests, attacks are not all equal and some of them are harder to manage than others. Setting up a risk-based process, with different escalation paths based on the risk level of the attacks, can be a viable option to manage online fraud in a more efficient and cost-effective way.
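To make the two ideas above concrete (the per-country "attacks and average time online" metric behind the second graph, and a risk-based escalation order that uses it), here is an added Python example that is not part of the original analysis. The URL records, country codes and timestamps are constructed sample data; only taken-down attacks enter the average, and attacks still online are queued for escalation with the slowest-hosting countries first.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample records, not data from the original analysis.
# (url, hosting country, first seen, taken down or None if still online)
SAMPLE_ATTACKS = [
    ("http://phish-1.invalid/login",  "TW", "2007-05-01 08:00", "2007-05-02 03:00"),
    ("http://phish-2.invalid/verify", "TW", "2007-05-03 10:00", "2007-05-03 19:00"),
    ("http://phish-3.invalid/secure", "AU", "2007-05-01 00:00", "2007-05-08 00:00"),
    ("http://phish-4.invalid/auth",   "AU", "2007-05-10 12:00", None),
    ("http://phish-5.invalid/update", "DE", "2007-05-02 09:00", "2007-05-02 15:00"),
    ("http://phish-6.invalid/card",   "DE", "2007-05-11 07:00", None),
]
FMT = "%Y-%m-%d %H:%M"

def hours_online(first_seen, taken_down):
    """Hours between first sighting of a phish URL and its takedown."""
    start = datetime.strptime(first_seen, FMT)
    end = datetime.strptime(taken_down, FMT)
    return (end - start).total_seconds() / 3600

def country_stats(attacks):
    """Per hosting country: URL count, still-online count and mean hours online.
    Only taken-down attacks enter the mean; a live attack's final time online
    is unknown, so counting its current age would understate the average."""
    closed, total, live = defaultdict(list), defaultdict(int), defaultdict(int)
    for _url, country, first_seen, taken_down in attacks:
        total[country] += 1
        if taken_down is None:
            live[country] += 1
        else:
            closed[country].append(hours_online(first_seen, taken_down))
    return {
        c: {"attacks": total[c], "live": live[c],
            "avg_hours": round(mean(closed[c]), 1) if closed[c] else None}
        for c in total
    }

def escalation_queue(attacks, stats):
    """Live attacks ordered for escalation: those hosted where takedowns have
    historically been slowest come first. A country with no takedown history
    yet is treated as slow (unknown risk is escalated, not ignored)."""
    def slowness(record):
        avg = stats[record[1]]["avg_hours"]
        return float("inf") if avg is None else avg
    live = [a for a in attacks if a[3] is None]
    return [a[0] for a in sorted(live, key=slowness, reverse=True)]
```

On the sample data the queue puts the Australian-hosted URL ahead of the German-hosted one, mirroring the shutdown-time gap the second graph describes.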