Phishing attack timeline: 21 hours from target to detection
Introduction
Phishing seems to be ever-present in the modern cyber-threat landscape. During the COVID-19 pandemic, there has even been an increase in phishing attacks as cybercriminals take advantage of stretched corporate resources and work from home disruptions. The associated phishing sites wreak havoc on unsuspecting users, stealing credentials and other identifying information used for subsequent fraud. Phishing email examples in 2020 include those exploiting the pandemic by spoofing the World Health Organization (WHO) as well as highly sophisticated Office 365 email phishing campaigns.
Finding ways to prevent phishing takes an understanding of how campaigns operate. A recent deep dive into phishing by researchers from Google, PayPal, Samsung and Arizona State University (“The Consortium”) offers the intelligence needed to help mitigate phishing campaigns.
Here is a look at that research and how the first 21 hours of a phish is the most critical.
See Infosec IQ in action
21 hours in the life of a phishing campaign
The Consortium report, “Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale,” was based on data from over 4.8 million victims, each of whom visited a phishing website.
The researchers focused on the first 21-hour period of a phishing campaign. During this period, they were able to track a phishing campaign and see its impact as well as gain an insight into the elements making up its success. On average, it took 21 hours from campaign start to final victim before a phishing site was closed down. This is what those 21 hours revealed …
Attack metrics and phishing email examples
The research was based on 404,628 phishing sites, used to build up a picture of key phishing events during the 21-hour cycle. This research used three stages for analysis:
- Pre-analysis: The identified phishing sites for the research were used to map key events over the time period.
- Distribution phase: The original phishing email was mapped to traffic on the phishing site.
- Success rate: This was based on the timing and success of monetization efforts from account compromise and fraudulent transaction attempts.
The results present an important picture of the phishing process.
The “Golden Hours” of a phishing campaign
The 21-hour process between the first and last victim of a phishing campaign contains two key events:
- Event one: The detection of the first victim by anti-phishing entities occurs after nine hours.
- Event two: Browser-based warnings reach a peak seven hours after this first detection event.
These seven hours between the two events have been termed the “Golden Hours” by the researchers, so named because attackers gain their greatest Return on Investment (ROI) during this period. Over 37% of all attacks took place during these golden hours. Out of these, almost 7.5% of victims fell afoul of the attack, entering credentials into the phishing site that then led to a successful fraud event.
Further research outcomes: Long phishing and fraud
The analysis for the research took place over a year. During that year, it was noted that phishing campaigns were not evenly spread. Instead, some months had more campaigns than others. This fits in with general qualitative phishing observations. If you look at phishing email examples, you can easily correlate significant events in the world with increased phishing campaigns.
For example, during the COVID-19 pandemic, there was an uptick in phishing emails during the early stages of lockdown that spoofed the World Health Organization (WHO) brand. Similarly, during events such as Cyber Monday or Amazon Prime Day, there is an increase in phishing campaigns that use such events to phish users.
The 21 hours and the golden hours are interesting metrics, but so too are the sticky and ongoing nature of phishing campaigns. Whilst the research found the fastest time between phished credentials and a fraudulent transaction was one hour, fraudulent transactions happened with an average delay of 5.19 days, increasing in volume over a 14-day period.
In general, however, phishers act quickly and take advantage of a fast phish, committing fraud first then using the credentials to make further monies by selling them on via underground markets.
Effectiveness of phishing detection
One of the primary objectives of the research was to understand the effectiveness (or not) of phishing detection. The seven-hour “Golden Hours” delay is used to great effect by phishers. However, browser-based detention systems offer “effective mitigation overall” according to the research. The method used to work out the 7-hour rule and overall effectiveness was a ratio of:
- (Compromised Visitors for browsers with native defenses) / (Compromised Visitors for all browsers, at regular time intervals after attack detection).
This was then compared to a baseline ratio just prior to detection.
The results show that browser-based warnings reduce compromised phishing successes within one hour after detection to 71.51%. This figure drops to 43.55% within two hours and they slowly decline to hour seven, stabilizing in the 0-10% range.
Other worthy notes from the email phishing campaign research
HTTPS
Phishing attacks using supposedly secure sites, aka those using TLS (HTTPS), were around three times more successful than those using HTTP. This is in line with the move by Google to force the general use of TLS for secure online data communication. This has normalized the use of HTTPS across the web. In turn, cybercriminals are using HTTPS to trick users into a false sense of security.
In line with this, the researchers found 66.9% of the phishing URLs used HTTPS. Of these, 85.8% of victims were compromised via phishing sites with HTTPS.
Persistent and sophisticated phishing
The top 5% of attacks accounted for almost 78% of known visitor events and the top 10% accounted for over 89%. The most successful attacks both evaded detection and used sophisticated social engineering. In the latter case, the spoof sites were well designed, reflecting the navigational structure of the legitimate site. If users navigated away from the main credential capture page, they were funneled back to a malicious login page.
The sites also attempted to capture wider identity verification data including ID documents and even selfies. This will likely be used in creating online identity accounts that require a higher level of assurance to process financial transactions.
Further phishing trickery
ReCAPTCHA and CAPTCHA systems were shown to be used in a multi-layered system which both helps evade detection and tricks the user. This has been seen in a recent Office 365-focused phishing campaign that used CAPTCHA in a cascade of defensive and evasive tactics to ensure the user ended up on a spoof (but highly believable) Office 365 page. A recent Microsoft blog concurs with the findings of the researchers, stating:
“… threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to spot and that threaten even the savviest targets.”
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
Sunrise to sunset: The concluding thought on preventing phishing campaigns
The researchers conclude that proactive mitigation is the way forward. But this must be done by collaboration with the extended anti-phishing ecosystem. The use of the golden hour, as identified by the research, offers a framework to secure the accounts of victims before they can be compromised. The researchers conclude that:
“… closer collaboration between anti-phishing entities, coupled with the development of enhanced and standardized mechanisms for sharing intelligence, would allow such mitigations to better scale to the ecosystem level.”
Sources
Adam Oest, Penghui Zhang, Brad Wardman, Eric Nunes, Jakub Burgis, Ali Zand, Kurt Thomas, Adam Doupé and Gail-Joon Ahn, "Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale"
Time to Warn Users About Black Friday & Cyber Monday Scams, DARKReading
Menlo Threat Labs Uncovers a Phishing Attack Using Captchas, Menlo Security
Microsoft report shows increasing sophistication of cyber threats, Microsoft
In this Series
- Phishing attack timeline: 21 hours from target to detection
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Phishing-as-a-Service
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
