Server Log Analysis of Phishing Web Sites 

Dec 03, 2007 03:00 AM

Computer forensics is a powerful instrument available to financial institutions in the battle against online fraud. During the analysis of a phishing attack many players need to be considered. As illustrated by Andrea Del Miglio, the role of email service providers is fundamental, but hosting companies as well as individual owners of compromised Web sites can really help in enhancing the effectiveness of the analysis. The information found within the log files of a compromised Web server can support forensics operations; precious details such as IP addresses belonging to end-users, timestamps, and the visited URLs are all recorded into these files. Additionally, the total number of visitors can contribute to the evaluation of the real risk associated with each single attack. That is to say, the more visitors a fraudulent Web site has, the higher the risk.

During the last few months, Symantec analyzed several thousand of these log files, which highlighted a number of interesting and peculiar features. One of these features is the distribution of end-user visits over time, from the moment the fraudulent content becomes reachable over the Internet until its removal. The analysis shows that the majority of the visits are concentrated close to the time the fraudulent content was first made available. This means a strong coordination must exist between spam activities and the setup of the fraudulent site. Because the average lifetime of such a URL is limited, especially when well-known financial institutions are involved, phishers must concentrate the effort of both mass mailing and credentials-gathering operations during these first instances.

Figures 1 and 2 both illustrate this interesting statistic. Almost a quarter of visitors hit the fraudulent Web site during its first hour of life and more than 60% within the first 12 hours. Even more impressive, 75% of the total visitors reach the phishing Web site during the first 24 hours of its existence.

This simple statistic highlights the importance of building a proper incident response process when dealing with online fraud. Incident response should then be supported by comprehensive detection and notification technologies and quick-to-act countermeasures: a delay in either the detection or the shutdown phase could significantly increase the risk of fraud.
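The visit-distribution measurement described above can be reproduced from a compromised server's access log. The following is an added example, not Symantec's tooling: it assumes Apache common/combined log format, treats each source IP as one visitor, and takes the earliest hit on the fraudulent path as the time the content went live. The log lines and the `/secure/` path are constructed, with counts chosen to mirror the proportions quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log; IPs come from documentation ranges and
# /secure/login.php is a hypothetical phishing-kit path.
SAMPLE_LOG = """\
192.0.2.44 - - [03/Dec/2007:02:00:00 +0000] "GET /index.html HTTP/1.1" 200 900
198.51.100.7 - - [03/Dec/2007:03:00:10 +0000] "GET /secure/login.php HTTP/1.1" 200 5120
198.51.100.7 - - [03/Dec/2007:03:01:02 +0000] "POST /secure/login.php HTTP/1.1" 302 0
203.0.113.15 - - [03/Dec/2007:03:40:00 +0000] "GET /secure/login.php HTTP/1.1" 200 5120
203.0.113.90 - - [03/Dec/2007:06:15:00 +0000] "GET /secure/login.php HTTP/1.1" 200 5120
192.0.2.8 - - [03/Dec/2007:09:30:00 +0000] "GET /secure/login.php HTTP/1.1" 200 5120
198.51.100.23 - - [03/Dec/2007:14:59:00 +0000] "GET /secure/login.php HTTP/1.1" 200 5120
192.0.2.77 - - [03/Dec/2007:22:10:00 +0000] "GET /secure/login.php HTTP/1.1" 200 5120
203.0.113.201 - - [04/Dec/2007:10:00:00 +0000] "GET /secure/login.php HTTP/1.1" 200 5120
198.51.100.150 - - [05/Dec/2007:08:00:00 +0000] "GET /secure/login.php HTTP/1.1" 200 5120
-- log rotated --
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_visits(log_text, path_prefix):
    """Return {ip: first-seen datetime} for requests under path_prefix."""
    first_seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["url"].startswith(path_prefix):
            continue  # malformed line, or unrelated content on the same host
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["ip"] not in first_seen or ts < first_seen[m["ip"]]:
            first_seen[m["ip"]] = ts
    return first_seen

def cumulative_share(first_seen, hours=(1, 12, 24)):
    """Fraction of unique visitors first seen within each window, measured
    from the earliest hit on the fraudulent path."""
    if not first_seen:
        return {h: 0.0 for h in hours}
    start = min(first_seen.values())
    ages = [t - start for t in first_seen.values()]
    return {h: sum(a <= timedelta(hours=h) for a in ages) / len(ages) for h in hours}

if __name__ == "__main__":
    visits = parse_visits(SAMPLE_LOG, "/secure/")
    print(len(visits), "unique visitors;", cumulative_share(visits))
```

Counting by source IP undercounts visitors behind shared proxies or NAT, so the shares are best read as an estimate of exposure over time rather than an exact victim count.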
