As mentioned in one of my previous blog entries, I’ve been looking at some of the phishing data Symantec collects. As part of this effort, I looked at data associated with a recent Symantec offering called Norton Confidential (this product, which is geared towards providing transaction security, can detect phishing sites, among other things). The Norton Confidential back-end servers collect a tremendous amount of data associated with existing phishing sites.
Within these phishing sites, I decided to look a little more carefully at the distribution of spoofed brands that represent local US banks (for example, credit unions that are local to a specific state). For this purpose I considered a brand to be local if all the branch locations were in a specific state (or in states that directly bordered that state). I specifically looked at attacks that occurred from June through September, 2006.
A total of 42 local banking brands across 23 states were spoofed in phishing attacks during this period. As one might expect, the number of spoofed brands and phishing URLs seem to be positively correlated with state population. To make the comparison fair I included all states, even those that did not have any local spoofed brands (see table 1 below).
Table 1. Number of local brands spoofed and percentage of phishing attacks on these brands broken down by state (Source: Symantec Corporation)
Interestingly, a few states seemed to have a disproportionate number of spoof sites. The most noticeable is Florida, which has three spoofed local brands and 14.24 percent of phishing sites, which is more than any other state. That is to say, of those phishing attacks that target a local bank brand, 14.24 percent of them targeted a Florida bank. With just one spoofed brand and 9.60 percent of spoof sites, Wyoming has the largest phishing site to spoofed brand ratio (see table 1 and figure 1).
Figure 1. Distribution of phishing attacks spoofing state-specific local brands (Source: Symantec Corporation)
Next, I measured the correlation between elderly population (older than 65) and the percentage of spoof sites local to a given state. The corresponding correlation coefficient is +0.61, which indicates a slightly stronger positive correlation than just the population metric alone. I then measured the correlation between the percentage of spoof sites and the average per capita income of a state. The correlation coefficient was only +0.19. In fact, five of the top ten states in per capita income did not have any phishing attacks associated with local brands (Connecticut, New Jersey, Maryland, New Hampshire, and Delaware). One possible reason for this trend is that per capita income represents an average. Some states may exhibit a division of wealth, with some portions of the population being especially affluent. To see if there was any merit to this hypothesis, I looked at the top 100 counties nationwide in per capita income. For each state, I computed the number of counties in that state that were in the top 100. Correlating this number with the percentage of phishing sites yields a coefficient of +0.44 (please see table 2).
Table 2. Correlation between the percentage of phishing sites spoofing a state-specific brand and other characteristics (Source: Symantec Corporation, US Census data)
Of course, this data represents a relatively short period of time and only represents phishing sites that we know about. However, it supports the rather eerie hypothesis that phishers are putting thought into what and who they target. This analysis is included as part of a more comprehensive report I wrote on various phishing statistics from our data.