The cooperative effort of ISPs, security vendors, volunteer groups and other interested parties has helped develop a quick and efficient method for taking down phishing sites, usually within hours or days of their appearance. However, many phishing sites that have been up for a week or more still send out quite a lot of spam and also draw in new phishing victims, according to a new paper by researchers at the University of Cambridge.
The paper, which researchers presented at the USENIX LEET Workshop last week, discusses the problems that the refusal of takedown companies to share data causes within the industry.
For instance, fresh spam continues to be sent out for 75% of phishing websites alive after one week, attracting new victims. Furthermore, around 60% of phishing websites still alive after a month keep receiving spam advertisements.
Consequently, removal of websites by the banks (and the specialist take-down companies they hire) is important. Even when the sites stay up for some time, there is value in continued efforts to get them removed, because this will limit the damage.
However, as we have pointed out before, the take-down companies cause considerable damage by their continuing refusal to share data on phishing attacks with each other, despite our proposals addressing their competitive concerns. Our (rough) estimate of the financial harm due to longer-lived phishing websites was $330 million per year. Given this new evidence of persistent spam campaigns, we are now more confident of this measure of harm.
I saw one of the researchers, Tyler Moore, give a talk on a similar topic at the WEIS conference last summer, and his insights are typically excellent. You can see the full presentation here, and it’s well worth the time.
*Image from ToastyKen’s Flickr photostream.
