The Netcraft Toolbar blocked more than 609,000 confirmed phishing URLs in 2006, an enormous jump from just 41,000 in 2005. The volume of attacks grew gradually until the final quarter of the year, when the number of blocked sites soared as attackers perfected techniques to automate and propagate networks of spoof pages. These networks were replicated across botnets, creating a huge jump in submissions and confirmed phishing sites. Blocked URLs ranged between 1,000 and 20,000 per month before ramping up to 45,000 in October, 135,000 in November and more than 277,000 in December.
The dramatic surge in attacks was fueled by new tools to rapidly deploy entire networks of phishing sites on cracked web servers. These packages, known broadly as Rockphish or R11, each included dozens of sites spoofing major banks, and could be unzipped in a subdirectory of a hacked site to create an instant phishing network. By using a common directory structure and sophisticated DNS management, phishers created dozens of spoof sites with subdomains including the name of the target institution. These networks were installed on large numbers of compromised machines in botnets, organized with management tools that allowed attackers to rapidly add and redirect sites within their networks.
Phishing scams also expanded and diversified their list of targets in 2006. A total of 942 institutions were targeted in 2006, including banks and credit unions of all sizes, online payment gateways, e-commerce retailers, social networking sites, ISPs, online games and government agencies.
Phishing is a truly international phenomenon, as demonstrated by our scoreboard of the phishiest countries. A large volume of phishing sites continues to be hosted in South Korea, China and Romania, while countries in Eastern Europe have also proven to be fertile ground for phishing scams. This is illustrated by Armenia, which, with 3,267 phishing URLs, has more than three times as many phishing attacks as web sites (947).
The Netcraft Toolbar Community is a digital neighborhood watch scheme, in which the most alert and expert members act to defend the larger community of users against phishing frauds. Once the first recipients of a phishing mail have reported the target URL, it is blocked for toolbar users who subsequently access the URL. Widely disseminated attacks (people constructing phishing attacks send literally millions of electronic mails in the expectation that some will reach customers of the bank) simply mean that the phishing attack will be reported and blocked sooner.
The Phishing Site Feed is also available to ISPs and enterprises who wish to protect their customers or employees against phishing. Netcraft also offers services to detect open redirects on corporate web sites to prevent abuse, as well as fraud detection and phishing site countermeasure services.