Phishing's "Golden Hour"

We stumbled across a fascinating story on the Trusteer Web site recently (Trusteer is an Internet security firm whose principal products focus on fraud detection and prevention for the banking industry; their Rapport software is a must-download utility for anyone who banks online whose bank hasn't already provided him or her with a copy). The story is entitled "The Golden Hour of Phishing Attacks," and it delivers some mind-boggling information based on analysis of real, honest-to-gosh phishing Web sites. Before we share some details on this, here's a graph from that same source:

[caption id="attachment_277" align="aligncenter" width="300" caption="Percentage of total phishing victim credential harvests over time"]
Percentage of total phishing victim credential harvests over time[/caption]

What this graph shows is nothing less than astounding: over 50% of phishing victim's credentials are harvested in the first hour after they receive and respond to a phishing e-mail. According to Trusteer, that's also about how long it takes for IT security vendors to determine that a phishing attack is actually underway. In fact, because so much of the damage is done before anybody can even notice what's going on, Trusteer calls this initial time period "the golden hour," beause that's when cybercrooks score their biggest potential payoff. It takes another 9 hours for that percentage to climb to 90%, and 19 more hours to get to 100%, so there's as much action in the first 60 minutes after a phishing site goes up as there is in the next 28 hours after that!

Here's how Trusteer conveys this information in somewhat drier fashion:

During the golden hour, our research suggests that:

*  More than 50 per cent of stolen credentials are harvested

*  Within five hours, more than 80 per cent are collated and become usable by cypercriminals

*  The first 10 hours produce more than 90 per cent of the total credentials that will be stolen by any given phishing site

The story goes on to observe that this also means that blocking a phishing site more than 5-10 hours after it goes up is "almost irrelevant." We concur! Their call to action is also one that we must endorse heartily and heavily. They suggest that "...a more effective model would prevent users from being directed to a phishing site and/or prevent them from entering their credentials if they do end up on a criminal site." They also go on to say that " an industry, our goal should be to reduce the time it takes for institutions to detect they are being targeted by a phishing attack from hours to within minutes..." Finally they opine that "...we also need to establish really quick feeds into browsers and other security tools, so that phishing filters can be updated much more quickly than they are today."

It's interesting to put this into the same context as a recent ESET study that observed that one out of every five users who visit a phishing site actually provides credentials. That means these e-mails incite as much action in the first hour after they're sent as they do for the next day and more thereafter. It's enough to make a jaded cynic think that many people just sit around waiting for phishing messages to hit their inboxes so they can give their money away, and their credit ratings a solid wallop. Ouch! That story concludes with the line "Phishing can still be lucrative." Boy, we'll say!

Stu Sjouwerman

Topics: Phishing, KnowBe4

Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Get the latest about social engineering

Subscribe to CyberheistNews