I recently had the opportunity to look at some phishing data generated from the Symantec Brightmail AntiSpam system from April through September 2006, inclusive. The data included both the number of unique phishing messages that Symantec discovered per day, as well as the total number of blocked phishing messages. Note that a given phishing email might be blocked in multiple places, so the number of blocked messages exceeds the number of unique ones. (Also, several unique phishing emails may correspond to the same phishing site.) Our data for this period supports some interesting seasonal- and weekend-type effects in terms of phishing activity.
First, let’s look at the overall numbers. According to the tenth edition of the Symantec Internet Security Threat Report, from January 2006 to June 2006, Symantec blocked 1.3 billion phishing attempts and recognized 157,477 unique phishing emails. Since then, during the July 2006 to September 2006 time period, Symantec blocked an additional 790 million phishing attempts and recognized 85,106 more unique phishing emails (table 1).
Table 1: Blocked and unique phishing attempts (Source: Symantec Corporation)
Next, I broke down the data by month and found an interesting seasonal effect. In particular, the number of unique phishing emails dropped during the summer months. The number of unique phishing emails dipped from May (28,573) to June (24,819). While the numbers started climbing again in July (25,987) and August (27,995), it is not until September (31,124) that the number rises again to the pre-summer levels (table 2 and figure 1).
Table 2: Blocked and unique phishing attempts (Source: Symantec Corporation)
Figure 1: Unique phishing emails by month (source: Symantec Corporation)
I also broke this data down by day of the week (table 3). For the purposes of taking aggregate statistics, I excluded the final day of the period (September 30) from the data to ensure that each day of the week was represented the same number of times (26 times). Here, the data supports some interesting day-of-week effects. In particular, the number of unique phishing emails is down dramatically on Sundays and Mondays. The average number of unique phishing emails on Sundays (16,933 unique) and Mondays (16,173 unique) drops by nearly 36 percent and the average number of blocked attempts drops by almost eight percent when compared with the average for the remaining days of the week. Starting on Tuesday, the number of unique phishing emails goes up to 25,702 and slowly increases until its peak on Thursday when it reaches 28,537. On Friday, the number drops to 24,907 and stays nearly the same on Saturday before plummeting on Sunday.
Table 3: Day of week breakdown - Apr 1 to Sep 29, 2006 (Source: Symantec Corporation)
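The day-of-week method described above, as an added Python example that is not code from the original post: it trims the April 1 to September 30, 2006 window to whole weeks and compares the Sunday/Monday average with the other five days. The daily counts and all function names are constructed for illustration and are not Symantec's figures.

```python
from collections import Counter
from datetime import date, timedelta

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
START, END = date(2006, 4, 1), date(2006, 9, 30)  # period covered by the post

def constructed_daily_counts():
    """Constructed sample series (not Symantec data): quieter on Sun/Mon."""
    counts, d = {}, START
    while d <= END:
        counts[d] = 600 if DAYS[d.weekday()] in ("Sunday", "Monday") else 1000
        d += timedelta(days=1)
    return counts

def trim_to_whole_weeks(counts):
    """Drop trailing days so every weekday is represented equally often."""
    days = sorted(counts)
    keep = len(days) - len(days) % 7
    return {d: counts[d] for d in days[:keep]}, days[keep:]

def weekday_totals(counts):
    """Return (total per weekday, number of occurrences per weekday)."""
    totals, seen = Counter(), Counter()
    for d, n in counts.items():
        totals[DAYS[d.weekday()]] += n
        seen[DAYS[d.weekday()]] += 1
    return totals, seen

def sun_mon_drop(totals):
    """Percent drop of the Sun/Mon average versus the other five days' average."""
    low = (totals["Sunday"] + totals["Monday"]) / 2
    rest = sum(v for k, v in totals.items() if k not in ("Sunday", "Monday")) / 5
    return 100 * (rest - low) / rest

if __name__ == "__main__":
    raw = constructed_daily_counts()
    _, raw_seen = weekday_totals(raw)
    trimmed, dropped = trim_to_whole_weeks(raw)
    totals, seen = weekday_totals(trimmed)
    print("untrimmed occurrences:", dict(raw_seen))
    print("dropped:", dropped, "occurrences after trim:", set(seen.values()))
    print("Sun/Mon drop: %.1f%%" % sun_mon_drop(totals))
```

Because the period both starts and ends on a Saturday, leaving September 30 in would count Saturday 27 times against 26 for every other day and inflate its total.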
What does all this data mean? Well, it’s only a small data sample taken over a few months, but it seems to support the hypothesis that people who conduct phishing attacks treat it as a regular job. They work less on the weekends and perhaps take vacation over the summer! Generally speaking, the trend toward attacking for profit is one that Symantec has noticed and has been speaking about for some time. It would seem that the traditional notion of anti-social teenagers writing viruses that delete files is quickly being replaced by actual professional criminals who are looking to make some serious money.
I’ve written a more comprehensive paper that contains these statistics, as well as others that I’ve been able to gather from our data.