The Netcraft Toolbar has blocked more than 41,000 confirmed phishing URLs since its launch last Dec. 28. The volume of URLs increased throughout the year, from about 3,000 per month in June to 5,000-plus in September and more than 8,000 in October and November. With a year’s worth of data in hand, an analysis of attacks illustrates common patterns and practices in the operation of phishing scams.
Top Targets: eBay and Paypal: The eBay online auction site and its Paypal payment processing unit were the top target for phishing scams in 2005, comprising nearly 62 percent of all phishing URLs submitted to Netcraft. Many of these were “insta-spoofs” served from free sites or cracked machines, often via a botnet. Many of these spoof sites bear identical structures and file titles, suggesting deployment via kits that can be rapidly unpacked on a new machine.
While many of these scams are hosted on IP addresses, the filename often includes the name of the targeted brands or emulates aspects of their URLs. More than 13,000 confirmed phishing sites used URLs that included either “paypal” or “ebay,” usually as a subdirectory or filename. Of those, 3,659 used “look-alike” domain names designed to confuse the recipient. These domains included slight misspellings, substituting numbers for letters or using hyphenated phrases or third-level domains (paypal.mysite.com). Nearly 4,700 phishing URLs contained the string “webscr,” mimicking the genuine Paypal cgi script. Other URLs included “eBayISAPI,” which appears in many eBay searches.
eBay and Paypal have more than 68 million active users between them, all of whom use e-mail, meaning bulk phishing e-mails will get a higher percentage of “hits” (recipients with accounts at the targeted institution) for eBay properties than other potential financial targets.
Phishing URL Trends: Of the total of 41,047 URLs examined in our analysis, the following trends were seen:
- 13,716 phishing URLs were hosted on raw IP addresses
- 8,785 phishing URLs contain ‘/.’ (i.e. use a hidden directory on the web server)
- 2,104 specified a port number other than port 80
- 8 used cross-site scripting
- 6 were hosted on FTP servers