This entry continues my blog series on some Symantec phishing data I have recently analyzed. I decided to look at data that relates to how phishing attacks are becoming more targeted. During the periods studied, our data does not support the hypothesis that attackers are going after more and more specialized targets. For the periods studied, our data also indicates that targeted phishing campaigns are outweighed by more scattered ones. Again, it’s important to note that the data is specific to a given period of time, so it’s possible (and perhaps quite likely, given how rapidly the landscape is changing) that outside this time frame the picture could change dramatically.
Let’s consider unique brands first. From June through September, 2006, the Symantec Norton Confidential system recorded 154 distinct brands that were spoofed in a phishing attack. Of these 154 brands, 93 of them were spoofed in a phishing attack that occurred during June; this number jumped to 109 in July, dipped to 108 in August, and dipped again in September to 101. (A brand is counted in the tally of each month that it is spoofed.) The number of unique brands that were spoofed per month does not seem to be rising steadily, as one might expect (figure 1 and table 1).
Figure 1. Unique brands phished per month (Source: Symantec Corporation)
Table 1. Number of unique spoofed brands each month (Source: Symantec Corporation)
The analyzed data represents only known phishing sites (which only encompass a subset of the phishing sites that exist) and is only specific to a given period of time. Also, it is more challenging to gather data about attacks that target lesser known brands because the corresponding phishing email might only be delivered to a smaller number of people (and diminish the likelihood that the site comes to our attention). So, while our data does not support the hypothesis that phishers are targeting more brands, the data may not be robust enough to contradict this hypothesis.
The next area we investigated is whether phishing email campaigns as a whole are becoming more targeted. To measure this effect we looked at the ratio between the number of blocked phishing attempts and unique phishing emails from data gathered by Symantec. This ratio gives an indication of how many times a given phishing email is being sent out to targets. A high ratio indicates that on average, a given email is being sent to many individuals (attacks are scattered). A low ratio indicates that on average, emails are being sent to fewer people (attacks are more targeted). It is important to note that a single scattered attack may outweigh the effects of multiple targeted attacks in this ratio. We computed this ratio for each day between April 1, 2006 and September 30, 2006. We ran a regression to compute a trend line and found it has a positive slope (see figure 2).
So, on average, a given email is being sent to more people. Note that the analysis here is based on the aggregate daily totals, so it is possible that the number of targeted attacks has increased, but the effect may not have been observed because of a small number of highly scattered attacks. The wide range and high standard deviation further support the assertion that some attacks are highly scattered. There is more detailed analysis provided as part of a larger report that I wrote, which is available for download here.