Phishers are a nimble bunch: About 84% of phishing sites exist for less than 24 hours, with an average life cycle of under 15 hours.
According to data collected by Webroot, phishing attacks have become increasingly sophisticated and carefully crafted in order to obtain sensitive information from specific organizations and people.
“Our data shows that a phishing site can last for as little as 15 minutes,” said Hal Lonas, CTO for Webroot. “In years past, these sites could endure for several weeks or months, giving organizations plenty of time to block the method of attack and prevent more victims from falling prey. Now, phishing sites appear and disappear in the span of a coffee break, leaving every organization, no matter its size, at an immediate and serious risk from phishing attacks.”
During 2016, an average of over 400,000 phishing sites have been observed each month, with 13,000+ new phishing sites per day.
“To keep up with the incredibly short phishing life cycles and sheer volume of phishing sites and URLs, old techniques that use static or crowdsourced blacklists of bad domains and URLs must be abandoned,” Webroot noted in its quarterly threat report. “These lists become obsolete within moments of being published.”
Also, nearly all of today’s phishing URLs are hidden within benign domains, and the practice of phishing attacks using dedicated domains has disappeared. URLs now must be checked each time they are requested, because a page that was nonthreatening just seconds ago may have since been compromised.
Google, PayPal, Yahoo and Apple are heavily targeted for phishing attacks—Webroot took a closer look at the companies for which impersonation would likely cause the largest negative impact. Of these Google was the most heavily targeted of these “high-risk” organizations, with 21% of all phishing sites between January and September 2016 impersonating the company.
“Cybercriminals are constantly developing new methods and approaches to obtain sensitive data,” Webroot noted. “In order to successfully discover and block today’s polymorphic malware, ransomware, phishing attacks and other advanced and targeted threats, billions of events must be analyzed daily. Cloud-based machine-learning is the only way to keep up with the volume and identify modern attack methods, such as polymorphic behaviors.”
The ability to analyze billions of associations across the diverse object types, combined with historical knowledge on how millions of objects have behaved over time, results in the predictive nature of threat intelligence driven by advanced machine learning.
“When it comes to finding the richest and most highly differentiated source of input for cloud-based machine learning driven security, nothing beats real-world endpoint and web sensor data,” the report concluded. “Organizations that incorporate real-world data from millions of endpoint sensors are better positioned to identify never-before-seen and zero-day threats the moment they emerge, anywhere in the world.”