Commtouch report highlights differences in Phishing data

The latest Internet Threat Trends Report (Q3 2009) from Commtouch raises some interesting points as they discuss the Phishing trends observed this year. Their point is that, even though several vendors reported either a rise or a drop in Phishing, each has a valid point depending on how you look at the data.

Symantec reported a 45-percent drop in Phishing in their State of Spam Report for September. In addition, they reported a 30-percent drop in Phishing toolkits that automate such campaigns. IBM reported a drop in Phishing, noting that they believe that Banking Trojans are taking the place of traditional Phishing campaigns targeting financial organizations. In the first half of 2009, IBM said, 66-percent of Phishing was targeted at the financial industry, down from 90-percent in 2008.

McAfee noted in their Q2 Threats Report that they have seen an increase in the number of Phishing URLs targeting foreign banks and in foreign languages. They also noted that they’ve seen websites created en masse using different kits and methodologies. One such kit, McAfee explained, was used to generate 1,784 Phishing-related sites in different languages, thanks to multilingual support.

In addition, MarkMonitor reported that the number of Phishing-related domains skyrocketed to record levels in Q2 2009, with more than 150,000 domains established during the period.

Looking at the various numbers from seven different anti-Phishing organizations, Commtouch examined the data from their Security Alliance partners and noted the absolute number of URLs or IP addresses that led to Phishing sites. What Commtouch discovered is that some companies showed spikes, while others reported a steady decline.

In the report, Commtouch explained these variations as more a matter of methodology than anything else. They noted that it is difficult to compare data between vendors because of the different methods used to gather and compile data. In addition, you have to consider that each vendor has its own definition of what constitutes an attack.

“You must have a common definition for a Phishing attack. In particular, when Fast-Flux botnets host Phishing, is a Phishing attack counted for each bot IP address, each unique URL, or each domain name that is fluxing as part of the attack?” asked John LaCour, President of Phish Labs, a Commtouch Security Alliance partner.

Adding to that statement, Commtouch’s Vice President of Web Security, Asaf Greiner, noted that it is not only the absolute number of attacks that is important when examining Phishing data, but the sophistication of such attacks as well. “Small, targeted attacks may cause much more financial damage than less sophisticated large scale ones,” he said.

“As Commtouch analyzes spam messages which lure end users to phishing sites, we see that there is not only great fluctuation in the volumes of attacks, but also great differences in the quality of them, which has a direct link to the likelihood of the attack to cause damage.”

Yet LaCour maintains that what matters is that definitions are explained and applied consistently. “What’s important is that definitions are explained, that they’re used consistently by the same reporting organization. Then you can make statements about trends as seen by that organization, but I don’t think you can make meaningful comparisons between different organizations.”
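LaCour's question about the counting unit, worked through as an added example (not taken from the Commtouch report or from this article): the same constructed sightings are counted per bot IP, per unique URL and per domain, and the quarter-over-quarter trend falls or rises depending on the unit. The hostnames, IP addresses and the `count_attacks` and `trend` helpers are illustrative assumptions.

```python
from urllib.parse import urlsplit

# Constructed sightings (period, phishing URL, hosting IP); not real data.
# Hostnames use RFC 2606 example domains, IPs use RFC 5737 documentation ranges.
def _flux(period, host, paths, ips):
    """Every URL on a fast-flux host is observed on every rotating bot IP."""
    return [(period, f"http://{host}/{p}", ip) for p in paths for ip in ips]

SIGHTINGS = (
    # Period A: one fast-flux host, 2 URLs, rotating across 6 bot IPs
    _flux("A", "login.example.com", ["a", "b"],
          [f"192.0.2.{i}" for i in range(1, 7)])
    # Period B: four hosts, one URL each, each on a single static IP
    + [("B", f"http://bank{i}.example.net/login", f"198.51.100.{i}")
       for i in range(1, 5)]
)

def count_attacks(sightings, period, unit):
    """Count distinct 'attacks' in one period under a chosen counting unit."""
    keys = set()
    for p, url, ip in sightings:
        if p != period:
            continue
        if unit == "ip":
            keys.add(ip)
        elif unit == "url":
            keys.add(url)
        elif unit == "domain":
            # Simplification: the full hostname stands in for the domain;
            # a real pipeline would reduce it to the registered domain.
            keys.add(urlsplit(url).hostname.lower())
        else:
            raise ValueError(f"unknown counting unit: {unit}")
    return len(keys)

def trend(sightings, unit):
    """Return (count in A, count in B, percent change A -> B) for a unit."""
    a = count_attacks(sightings, "A", unit)
    b = count_attacks(sightings, "B", unit)
    return a, b, round((b - a) / a * 100)

if __name__ == "__main__":
    for unit in ("ip", "url", "domain"):
        a, b, pct = trend(SIGHTINGS, unit)
        print(f"per {unit:<6}: A={a} B={b} change={pct:+d}%")
```

Counted per bot IP, the constructed data shows a decline; counted per URL or per domain, it shows a rise, which is why a trend is only comparable within one organization's own definition.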

As vendors report their findings in the various reports, it’s always best to take the numbers with a grain of salt and focus on the risks that are detailed. For example, while Phishing might be on the rise or soon gone depending on who you ask, the fact is it currently exists.

Millions of Phishing messages or just one, it doesn’t matter, as all a criminal has to do is make just one person a victim to move forward with their crimes.

The full report is here.
