We’ve always known phishing scammers work very quickly, moving from campaign to campaign, but new data indicates some scammers are moving on in terms of literally hours.
The first viruses were static bits of code that could be identified by their signature. So, malware authors went polymorphic – having the code change every time to avoid being detected by a specific signature. In the same way phishing scammers can’t keep using the exact same phishing landing page for months on end; the sharing of threat data means the moment a given page is flagged, its half-life is measured in minutes
It’s interesting to see this belief (which is based on good guy solution response times) be proven using real data. A new bit of research by the folks at Kaspersky shows that out of over 5100 phishing web pages, over 1/3 of them (1784) are inactive after 24 hours. What’s even more interesting is another nearly 1/3 of those pages (a bit more than 500) are inactive within just 4 hours!
This data confirms what we already believe – scammers understand the nature of being identified by security solutions in short order and are responding by moving quickly and leveraging new domain names and URLs at a near-constant rate. Nearly 99% (98.85%) of the pages are unaltered throughout their lifetime, demonstrating that scammers are not trying to obfuscate the pages intent through modifying the page itself, but are solely focused on creating new pages with unique URLs at a rapid rate.
For now, it feels like security solutions are identifying these pages at an appropriate rate. But we’ve seen unique URLs being used for targeted attacks on specific individuals with Charming Kitten, so the idea that threat actors may work to outpace security solutions should remain a concern.
Keeping users from ever seeing these malicious phishing pages by educating them via Security Awareness Training to not engage with malicious emails, links, and attachments, is a far better strategy. Eventually the phishing scammer will figure out how to outsmart security solutions (even if only for a brief period), but if a user can spot a suspicious email straightaway, the likelihood of them becoming a victim is low.
