Phishing attack timeline: 21 hours from target to detection
Phishing seems to be ever-present in the modern cyber-threat landscape. During the COVID-19 pandemic, there has even been an increase in phishing attacks as cybercriminals take advantage of stretched corporate resources and work-from-home disruptions. The associated phishing sites wreak havoc on unsuspecting users, stealing credentials and other identifying information used for subsequent fraud. Phishing email examples in 2020 include those exploiting the pandemic by spoofing the World Health Organization (WHO) as well as highly sophisticated Office 365 email phishing campaigns.
Finding ways to prevent phishing takes an understanding of how campaigns operate. A recent deep dive into phishing by researchers from Google, PayPal, Samsung and Arizona State University (“The Consortium”) offers the intelligence needed to help mitigate phishing campaigns.
Here is a look at that research and why the first 21 hours of a phish are the most critical.
21 hours in the life of a phishing campaign
The Consortium report, “Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale,” was based on data from over 4.8 million victims, each of whom visited a phishing website.
The researchers focused on the first 21-hour period of a phishing campaign. During this period, they were able to track a phishing campaign and see its impact as well as gain an insight into the elements making up its success. On average, it took 21 hours from campaign start to final victim before a phishing site was closed down. This is what those 21 hours revealed …
Attack metrics and phishing email examples
The research was based on 404,628 phishing sites, used to build up a picture of key phishing events during the 21-hour cycle. This research used three stages for analysis:
- Pre-analysis: The identified phishing sites for the research were used to map key events over the time period.
- Distribution phase: The original phishing email was mapped to traffic on the phishing site.
- Success rate: This was based on the timing and success of monetization efforts from account compromise and fraudulent transaction attempts.
The results present an important picture of the phishing process.
The “Golden Hours” of a phishing campaign
The 21-hour process between the first and last victim of a phishing campaign contains two key events:
- Event one: The detection of the first victim by anti-phishing entities occurs after nine hours.
- Event two: Browser-based warnings reach a peak seven hours after this first detection event.
These seven hours between the two events have been termed the “Golden Hours” by the researchers, so named because attackers gain their greatest Return on Investment (ROI) during this period. Over 37% of all attacks took place during these golden hours. Out of these, almost 7.5% of victims fell afoul of the attack, entering credentials into the phishing site that then led to a successful fraud event.
Further research outcomes: Long phishing and fraud
The analysis for the research took place over a year. During that year, it was noted that phishing campaigns were not evenly spread. Instead, some months had more campaigns than others. This fits in with general qualitative phishing observations. If you look at phishing email examples, you can easily correlate significant events in the world with increased phishing campaigns.
For example, during the COVID-19 pandemic, there was an uptick in phishing emails during the early stages of lockdown that spoofed the World Health Organization (WHO) brand. Similarly, during events such as Cyber Monday or Amazon Prime Day, there is an increase in phishing campaigns that use such events to phish users.
The 21 hours and the golden hours are interesting metrics, but so too is the sticky and ongoing nature of phishing campaigns. Whilst the research found the fastest time between phished credentials and a fraudulent transaction was one hour, fraudulent transactions happened with an average delay of 5.19 days, increasing in volume over a 14-day period.
In general, however, phishers act quickly and take advantage of a fast phish, committing fraud first then using the credentials to make further monies by selling them on via underground markets.
Effectiveness of phishing detection
One of the primary objectives of the research was to understand the effectiveness (or not) of phishing detection. The seven-hour “Golden Hours” delay is used to great effect by phishers. However, browser-based detection systems offer “effective mitigation overall” according to the research. The method used to work out the 7-hour rule and overall effectiveness was a ratio of:
- (Compromised Visitors for browsers with native defenses) / (Compromised Visitors for all browsers, at regular time intervals after attack detection).
This was then compared to a baseline ratio just prior to detection.
The results show that browser-based warnings reduce compromised phishing successes within one hour after detection to 71.51%. This figure drops to 43.55% within two hours and then slowly declines until hour seven, stabilizing in the 0-10% range.
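The ratio-versus-baseline method described above, worked through as an added example (not code from the paper or this article). The event fields, the one-hour baseline window and all counts are constructed assumptions, so the percentages it produces are illustrative and are not the study's figures.

```python
from datetime import datetime, timedelta

def compromised_ratio(events, start, end):
    """Protected-browser share of compromised visitors seen in [start, end)."""
    hits = [e for e in events if e["compromised"] and start <= e["time"] < end]
    if not hits:
        return None  # no compromised visitors in this interval
    return sum(e["protected"] for e in hits) / len(hits)

def relative_effectiveness(events, detected_at, hours=7):
    """Hourly ratio after detection, as a percentage of the pre-detection baseline."""
    hour = timedelta(hours=1)
    # Assumption: "just prior to detection" is taken as the preceding hour.
    baseline = compromised_ratio(events, detected_at - hour, detected_at)
    if not baseline:
        raise ValueError("no protected-browser compromises before detection")
    result = {}
    for h in range(1, hours + 1):
        ratio = compromised_ratio(events, detected_at + (h - 1) * hour,
                                  detected_at + h * hour)
        result[h] = None if ratio is None else round(ratio / baseline * 100, 2)
    return result

# Constructed sample: hour offset from detection ->
# (compromised visitors on browsers with native defenses, on other browsers)
DETECTED_AT = datetime(2020, 1, 1, 9, 0)
COUNTS = {-1: (8, 2), 0: (4, 3), 1: (2, 4), 2: (1, 4), 6: (0, 5)}

def build_events(counts, detected_at):
    events = []
    for offset, (prot, other) in counts.items():
        t = detected_at + timedelta(hours=offset, minutes=30)
        events += [{"time": t, "protected": True, "compromised": True}] * prot
        events += [{"time": t, "protected": False, "compromised": True}] * other
        # Visitors who never submitted credentials do not count toward the ratio.
        events += [{"time": t, "protected": True, "compromised": False}] * 3
    return events

EVENTS = build_events(COUNTS, DETECTED_AT)

if __name__ == "__main__":
    for h, pct in relative_effectiveness(EVENTS, DETECTED_AT).items():
        print(f"hour {h} after detection: {pct}")
```

Hours with no compromised visitors at all come back as `None` rather than 0, so a quiet interval is not mistaken for a fully effective warning.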
Other worthy notes from the email phishing campaign research
Phishing attacks using supposedly secure sites, aka those using TLS (HTTPS), were around three times more successful than those using HTTP. This is in line with the move by Google to force the general use of TLS for secure online data communication. This has normalized the use of HTTPS across the web. In turn, cybercriminals are using HTTPS to trick users into a false sense of security.
In line with this, the researchers found 66.9% of the phishing URLs used HTTPS. Of these, 85.8% of victims were compromised via phishing sites with HTTPS.
Persistent and sophisticated phishing
The top 5% of attacks accounted for almost 78% of known visitor events and the top 10% accounted for over 89%. The most successful attacks both evaded detection and used sophisticated social engineering. In the latter case, the spoof sites were well designed, reflecting the navigational structure of the legitimate site. If users navigated away from the main credential capture page, they were funneled back to a malicious login page.
The sites also attempted to capture wider identity verification data including ID documents and even selfies. This will likely be used in creating online identity accounts that require a higher level of assurance to process financial transactions.
Further phishing trickery
ReCAPTCHA and CAPTCHA systems were shown to be used in a multi-layered system which both helps evade detection and tricks the user. This has been seen in a recent Office 365-focused phishing campaign that used CAPTCHA in a cascade of defensive and evasive tactics to ensure the user ended up on a spoof (but highly believable) Office 365 page. A recent Microsoft blog concurs with the findings of the researchers, stating:
“… threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to spot and that threaten even the savviest targets.”
Sunrise to sunset: The concluding thought on preventing phishing campaigns
The researchers conclude that proactive mitigation is the way forward. But this must be done in collaboration with the extended anti-phishing ecosystem. The use of the golden hour, as identified by the research, offers a framework to secure the accounts of victims before they can be compromised. The researchers conclude that:
“… closer collaboration between anti-phishing entities, coupled with the development of enhanced and standardized mechanisms for sharing intelligence, would allow such mitigations to better scale to the ecosystem level.”
Adam Oest, Penghui Zhang, Brad Wardman, Eric Nunes, Jakub Burgis, Ali Zand, Kurt Thomas, Adam Doupé and Gail-Joon Ahn, “Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale”
Menlo Threat Labs Uncovers a Phishing Attack Using Captchas, Menlo Security