The average phishing web site is online for about 54 hours, according to June data from the AntiPhishing Working Group (APWG), but some have been able to remain online for more than two weeks before being shut down or abandoned.
As awareness of phishing grows among consumers, hosting providers and law enforcement officials, the operating window for phishing crews is likely to shrink. But anti-phishing efforts haven’t stemmed the continued growth of these scams, which combine technology and trickery to steal login information for web banking and online retail sites. There were 1,422 separate phishing scams in June, according to the APWG, a 52 percent increase from May. Nearly 500 attacks targeted Citibank alone.
Speed is critical to the success of phishing operations, which typically migrate from one server to another in an effort to stay a step ahead of providers and police. One scam documented by the APWG operated a spoofed web page on seven different servers over a period of 12 days, including four in Korea, two at American ISPs, and one in Uruguay.
In each case, a web page mimicking a financial institution's web site was housed on a compromised server. The "bait" emails were sent in HTML, and many used an image map to initiate the link, a strategy that makes the spoofed destination URL (an IP address) less obvious to the user. The sophistication of the effort, and the fact that it targeted two different financial institutions, "indicates the participation of at least one well-orchestrated, systematic criminal organization in the phishing world," according to the APWG.
While that campaign used IP addresses rather than domains, other phishing attacks rapidly move domains between servers. The karl-marx.ru domain has been linked to separate scams in March (hosted in South Korea) and July (hosted at Affinity Interent) and has also been used to collect data stolen by malicious trojans. Research by APWG shows that about 8 percent of phishing scams tracked in June used a dedicated domain.
Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.