Honeynet Reports on Traffic to Phishing Sites

Despite months of intensive anti-fraud education efforts by the banking industry, new research shows that phishing attacks can easily generate hundreds of visits to a spoofed site in a short period of time, as victims continue to click on malicious links in "bait" emails.

The Honeynet Project's study of phishing scams hosted on cracked web servers documented two recent attacks that attracted hundreds of click-throughs from unwitting users. A UK site mimicking a major US bank received 256 visits in 4 days, while a compromised German server redirected 721 users in just 36 hours to a PayPal phishing site hosted in China.

The data from The Honeynet Project, which monitors activity on hacked computers, suggests that bank customers may exercise somewhat greater caution than PayPal users when presented with fraudulent e-mails. Phishers' behavior reinforces this assumption, as eBay and its PayPal subsidiary are far and away the most frequent targets in those attacks reported by the Netcraft Toolbar community. But the steady traffic to scam sites demonstrates that a significant number of bank customers are still being tricked by bogus e-mails.

While social engineering tactics continue to yield click-throughs, phishing operations are becoming even more nimble in deploying scam infrastructure across networks of compromised servers, using automated attack tools and prepackaged spoof sites to speed their work.

"We have observed pre-built archives of phishing web sites targeting major online brands being stored, ready for deployment at short notice ... (and) propagated very quickly through established networks of port redirectors or botnets," the report noted. "Web traffic has been observed arriving at a newly compromised server before the uploaded phishing content was completed, and phishing spam sent from one compromised host does not always appear to advertise the sending host, which again suggests it is likely that distributed and parallel phishing operations are being performed by organised groups."

The banking industry and online retailers have emphasized customer education in their response to phishing. But the persistent traffic to scam sites underscores the importance of additional proactive defensive measures to protect customers from their own bad habits and the technical innovations of phishing scams.

Netcraft provides a range of tools and services to protect businesses and individuals from phishing scams and accompanying financial losses, including the Netcraft AntiPhishing Toolbar, an Open Redirect Detection Service to locate web site weaknesses that can be exploited by phishers, and the Phishing Site Feed - a list of phishing sites available as a continuously updated feed suitable for ISPs, hosting companies and enterprises that operate mail servers and web proxies.