Phishing is a pernicious and nasty threat that shows no sign of abating. As with any area of security, a close look at what is going on reveals very interesting -- and in many cases distressing -- details.
The post at Light Blue Touchpaper offers a very interesting graphic on the life of bank phishing sites. On one axis of the chart is a timeline (0 to 150 hours) and on the other a list of 36 banks and related financial institutions. The graphic displays the average time it takes each institution to pull the plug on the fake sites phishers use. The loser was EGG, a U.K.-based online bank, whose phishing sites lasted more than 150 hours. Flagstar, at about 10 hours, got the bogus sites eliminated the most quickly.
The blogger said that the data was gathered during an eight-week period from mid February to mid April. He seems to go overboard in negating its value. The first disclaimer is that phishing sites that showed up late in the test period tended to count less. The blogger also said that the results could be skewed by the fact that those targeting more battle-tested institutions may do a better job of hiding the sites, thus enabling them to survive longer. Thus, an institution scoring poorly on the test isn't necessarily doing a worse job of ferreting out phishing sites.
What, then, is the chart good for? To a lay person, the best use of the chart is just as a general orientation and introduction to the cat-and-mouse game that is played by financial institutions and the hacker community. Many people don't know, for instance, that finding and eradicating these fraudulent sites is a specialty offered by brand protection companies.
This post at the impressively named blog Mind Streams of Information Security Knowledge also deals with how long a phishing site generally stays up. It references information from Symantec that said tests showed the average uptime for a phishing site in Taiwan is 19 hours, while phishing sites going after businesses in Australia could remain active for almost a week. The blog said that a report in May from the Anti-Phishing Working Group put the average life of 37,438 sites at 3.8 days, with one phishing site surviving for 30 days. The post went on to speculate on why the disparity between site lifetimes is so great.
There is no shortage of information about phishing. For instance, this post describes the fear in the U.K. of being the victim of a phishing attack. The piece offers good rules, such as using complex passwords and making sure the bank site is secure (via the padlock icon). The phishing e-mail highlighted in this Government Executive post purports to be from the Internal Revenue Service. The document says that the recipient is entitled to a refund and contains a link to a site at which the target can fill out the proper forms -- which, of course, will be used by the phishers. The post says that the IRS has been the target of 161 scams this year. It is a good sign that 14,000 people have forwarded the document to the agency.
Phishing attacks, of course, are part and parcel of larger cracker initiatives. As this story at iTWire describes well, folks falling for a recent phishing campaign -- fake e-card greeting notifications -- fit into a larger pattern of illegality that includes taking over machines and turning them into zombies that are used for distributed denial of service (DDoS) and other initiatives.
The bottom line is that phishers are bright people who will continually adjust their methods to stay in business, such as creating specially targeted "spear phishing" e-mails. There are technical tools to fight them, but the best approach, no doubt, is effective user education.