Phished Brands and the Pareto Principle
The Pareto principle, sometimes known as the 80-20 rule, states that roughly 80% of the effects stem from 20% of the causes. It was named after Vilfredo Pareto, an Italian economist, who observed that 20% of Italy’s population received 80% of its income. This principle comes up in numerous other places in the social sciences and in engineering.
What does this have to do with phishing? Well, recently I looked at which legitimate brands tend to get imitated the most in phishing attacks. I went back through data gathered from June through December 2006. All in all, we found 343 brands being spoofed. Some of these were well-known banks, credit card companies, online retailers, and the like. Others were smaller players. These included credit unions, local banks, smaller retailers, and the like. Note that phishing attacks target many sectors beyond just the financial and retail sectors. I just chose to include these as an example.
It turns out that there is Pareto-like behavior among the brands phishers choose to attack. In particular, roughly 85% of the phishing sites we saw targeted just 15 brands. This behavior is not altogether unexpected. Phishers go after the money, and larger brands tend to have more customers, and hence more victims who can be compromised.
At the other end of the spectrum, we still saw several hundred brands being spoofed. That implies that phishers are continuing to go after specific targets. For example, 219 of the remaining brands had ten or fewer phishing sites that targeted them.
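The same tally can be run over any phishing feed that labels each site with the brand it imitates. The Python below is an added example, not code from the original post; the function name, the `(url, brand)` record format and the sample data are constructed for illustration.

```python
from collections import Counter


def brand_concentration(sites, coverage=0.85, tail_max=10):
    """Summarize how phishing sites are distributed across targeted brands.

    sites: iterable of (phish_url, brand) pairs, one per phishing site.
    Returns the smallest list of top brands whose sites reach `coverage`
    of the total (the "head"), and the brands with `tail_max` or fewer
    sites (the long tail that scattershot defenses tend to miss).
    """
    # Normalize brand labels so "BigBank " and "bigbank" count together.
    counts = Counter(brand.strip().lower() for _, brand in sites)
    total = sum(counts.values())
    if total == 0:
        return {"total_sites": 0, "brands": 0, "head": [],
                "head_share": 0.0, "tail": []}

    head, covered = [], 0
    for brand, n in counts.most_common():  # most-targeted brands first
        if covered >= coverage * total:
            break
        head.append(brand)
        covered += n

    tail = sorted(b for b, n in counts.items() if n <= tail_max)
    return {"total_sites": total, "brands": len(counts), "head": head,
            "head_share": covered / total, "tail": tail}


# Constructed sample feed: 100 phishing sites across 6 made-up brands.
SAMPLE_COUNTS = {"bigbank": 50, "paysite": 25, "shopmart": 12,
                 "town credit union": 6, "localbank": 4, "smallshop": 3}
SAMPLE_SITES = [
    (f"http://phish{i}.example/{brand.replace(' ', '-')}", brand)
    for brand, n in SAMPLE_COUNTS.items()
    for i in range(n)
]

if __name__ == "__main__":
    r = brand_concentration(SAMPLE_SITES)
    print(f"{len(r['head'])} of {r['brands']} brands account for "
          f"{r['head_share']:.0%} of {r['total_sites']} sites")
    print(f"{len(r['tail'])} brands have {10} or fewer sites: {r['tail']}")
```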
Now, although I use the term phishers to describe a collective entity, it’s important to keep in mind that their behaviors are anything but collective. The reality is that there are likely numerous, but separate, organized phishing groups out there. Also, let’s not forget that some phishers are lone operators. While the mainstream goes after the major brands with scattershot attacks, other phishing groups are being more selective.
This type of trend is what makes phishing such a challenging problem. Phishers are constantly stretching the limits of their imagination with who to attack. Likewise, we need to make sure that we stretch the limits of our technologies to protect against all attacks, not just the mainstream 85%.