Phishing Statistics
During the last three months of 2004, phishing in general took on a more organized direction. Phishers have refined their attacks, both in e-mail and malware, and have begun to target specific secondary and tertiary targets. We highlight them here from the perspective of statistics and the evolutionary development of phishing:

■ Phishers are refining their e-mail techniques. Their e-mails are much more effective than regular spam. A single mass mailing of 100,000 e-mails may have a receive rate as high as 10 percent and collect as much as 1 percent in victims.
■ Phishers of 2005, mainly Romanians, build their own PHP bulk-mailing tools so they can move more efficiently off the Internet. This allows them to use hacked or stolen dedicated servers to offload their mass mailing rather than client-end bulk-mailing software.
■ Phishers have found a use for every account they acquire: from money laundering to theft, shuffling, and identity theft.
■ Phishers are refining their key-logging malware. Rather than collecting data from all Web sites, they are now looking for data from specific URLs as well as utilizing the botnet factor to arm themselves with distributed servers worldwide. Trojans such as Trojan.BankAsh poison the users' hosts files and take them to spoofed bank sites to steal their user data.
■ Phishers are becoming more technically savvy. Besides using known and 0-day exploits to configure the systems used for phishing, they also use weaknesses in the telephone infrastructure, such as Caller ID (CID) spoofing, to protect themselves from the mules that they contact and to perform money-laundering activities.
■ Phishers are taking advantage of Cross-Site Scripting (XSS) vulnerabilities, URL redirection opportunities, and any browser-specific exploits that enable them to gain user information. Cross-Site Scripting is done by inserting a script into a URL or a form that is later executed in the client browser.

E-Mail Effectiveness

Over the last year, the volume of spam and phishing e-mail has grown dramatically—over 400 percent, by some reports. The Anti-Phishing Working Group (www.antiphishing.org) released a report showing a 28 percent increase in phishing e-mails in the second half of 2004. With all these e-mails being sent, one would expect the return rate to drop dramatically as people become accustomed to the scam. But how effective are these e-mails, and how many people are still falling victim?

Phishers use base camps to store and analyze victim information. These servers act as centralized communication and distribution points for group members. They also use blind-drop servers to collect victim information without compromising the base camps. Secure Science has been collecting and analyzing base camps, blind drops, and phishing servers and has identified the likely scope and effectiveness of a phishing bulk mailing, which includes these considerations:

■ How large are the bulk mailings?
■ How many people receive the e-mails? How many e-mails never reach their destinations?
■ How many people fall victim to a single mass mailing?
■ When do people fall victim?
■ Which is worse—e-mail phish or phishing malware?

How Large Are the Bulk Mailings?

Each mass mailing is sent to a predetermined list of e-mail accounts. The size of the bulk mailing can be determined through a variety of methods. Some methods are statistically based, and others are quantitative observations.

Statistically Based Estimates

Phishers, like spammers, use precompiled lists for generating their e-mails. A common method for estimating the size of a mass mailing requires the use of collected e-mail addresses:

1. Create a set of e-mail addresses that will be used only for collecting spam. These are commonly called honeypot spam accounts.
2. Distribute these e-mail addresses in various locations. This process is called seeding because the honeypot addresses are "planted" in various forums.
3. Wait until the accounts start receiving spam. This could range from hours to months, depending on the forum.

The collection of unique mass mailings determines the overall volume of spam, which can then be subdivided into phishing-specific mailings. From this approach, antispam and antiphishing groups have estimated that phishing accounts for 0.5 percent of all spam, or roughly 25 million e-mails per day.

A set of 100 to 1000 e-mail accounts, distributed in distinct forums, is commonly estimated to be harvested and used by over 90 percent of the spam groups within one year. While the same spammers will harvest some of the accounts, different spammers will use most of the accounts. Thus, if 100 e-mail accounts imply 90 percent of all mass mailings, the ratio can be broken down to specific account volumes. For example, one account may correspond with 1 million e-mail recipients. If the same mass mailing goes to three accounts, the size of the mass mailing can be estimated at 3 million e-mail addresses. Based on this statistical approach:

■ The daily totals place phishing at 0.5 percent of all spam e-mails, or roughly 25 million phishing e-mails per day.
■ The totals per phishing group are somewhat different. Secure Science currently estimates that the bigger phishing groups use smaller mailing lists—between 100,000 and 1 million addresses per mass mailing. This is determined by the fact that few honeypot e-mail addresses receive the same phishing e-mail from the same mass mailing. Smaller phishing groups have been observed with lists in excess of 10 million e-mail addresses, but these groups generally do not send e-mail daily.

Quantitative Observations

Phishers use base camps to archive and distribute information. These base camps frequently contain the actual mailing lists used by the phishers as well as the list of proxy hosts used to make the mass mailing anonymous:

■ The total number ranges from 1 to 5 million e-mail addresses, but the large phishing groups have divided the address lists into files containing 100,000 addresses. This means that they likely generate 100,000 e-mails per mass mailing.
■ The larger groups use open proxies to make the mass mailing anonymous, but a few of the smaller phishing groups use the phishing server to also perform the mass mailing. The server's mail log shows between 50,000 and 200,000 e-mails, depending on the mass mailing. Most mass mailings contain 100,000 e-mails.
■ One small group had an e-mail list that contained over 1 million addresses. That group likely sent out 1 million e-mails for its mass mailing.

Of the estimated 36 active phishing groups worldwide, some phishing groups send e-mails daily, whereas others operate on weekly or monthly cycles. Similarly, some groups only operate one phish per day, while the larger groups may operate a dozen blind drops on any given day. The average per group is approximately 750,000 e-mails per day. Considering that there are an estimated 36 groups, that makes the total daily amount of phishing e-mails approximately 27 million per day—very close to the statistical estimate of 25 million e-mails per day.

How Many People Receive the E-Mails?

Spam filters have made a significant impact on the number of spam messages that get delivered, but no antispam system is perfect. A recent survey by Network World shows that most spam filters are more than 95 percent accurate at identifying spam (www.nwfusion.com/reviews/2004/122004spamside.html). But how effective are spam filters against phish? There are two types of antispam filter: automated and human.

For any spam message to be successful, it must first pass any automated antispam system and then be enticing and convincing enough to be opened and acted on by the human. Although automated systems might be 95 percent accurate, the combination of automated and human intelligence generally drops spam to less than 1 percent delivery. Most people can identify spam and delete it before opening it; the automated systems only simplify the sorting process for the human.

Professional phishers are methodical; they analyze the spam methods that work and apply the best techniques available. In some cases, phishing groups appear to be associated with spam groups—possibly for the R&D advantage of delivery systems.

From the blind drops recovered, there are quantitative values for the effectiveness of the phishing e-mails. The effectiveness can be directly related to the number of people who clicked on an e-mail's link. In particular, the Web logs show the IP address of every system that clicked on the link, and each system roughly translates into one recipient of the e-mail.

The most effective phishing e-mails appear to be the ones with new content. For example, the first phishing e-mails asked people to validate their bank or credit card accounts. When the success rate for that scam dropped to 5 percent, new content was used: a "security alert notification." The new content yielded a 10 percent return on e-mails. From this statistic we can conclude that, although only 5 percent of the old messages were acted on, as many as 10 percent of the e-mails may actually be delivered. The reduction from 10 percent to 5 percent is likely due to customer sensitivity and education rather than antispam technologies.

ROI of a Single Mass Mailing

Although a single mass mailing of 100,000 e-mails may generate 5 percent in clicks (5000 potential victims), not all the people that click actually submit data. Many people submit clearly false information or information that is incomplete. Few people actually submit their own personal information. Each mass mailing may collect between 10 and 100 victims. The return rate is between 0.01 percent and 0.1 percent. But the people who do fall victim nearly always submit everything the phishers ask for: names, addresses, accounts, credit cards, Social Security numbers, and so on.

When Do People Fall Victim?

Phishers can use timestamps on their Web logs, along with samples of actual mass mailings, to determine phishing effectiveness:

■ Nearly 50 percent of the potential victims—people who click on an e-mail link—arrive within the first 24 hours of the mass mailing.
■ Nearly 50 percent of the potential victims arrive during the second 24 hours of the mass mailing.
■ Less than 1 percent of the potential victims access the site after 48 hours.

Phishing servers that are shut down within 24 hours can cut the phisher's return rate by half. In contrast, phishing servers that are not taken down within 48 hours stand a 50 percent chance of being used for another phishing attack within the next month. The duration between reuse varies by phishing group: some groups reuse servers immediately, others wait weeks before returning.

The Web logs also frequently show antiphishing accesses alongside victims:

■ Within the first hour of the mass mailing, as much as 20 percent of the accesses to the phishing server may be from antiphishing organizations. These can be identified in the logs by the type of browser (wget is a strong indicator of an antiphishing organization) and IP address. In particular, the IP address may trace to a known antiphishing group.
■ Of the antiphishing groups that do access the server, nearly 80 percent access within the first 12 hours.
■ After 48 hours, nearly all Web hits come from antiphishing organizations. These are likely antiphishing groups checking to see if the server is still active.
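The Web-log analysis described in the last two sections (one distinct clicking IP counted as one recipient, hits bucketed into the 0-24, 24-48 and over-48-hour windows, and wget accesses separated out as antiphishing monitors) as an added example; this is not code from the original text or from Secure Science. The log lines, documentation-range IP addresses, timestamps and mailing start time are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of Apache-style access-log lines from a recovered phishing
# server (documentation-range IPs and made-up timestamps; not data from the text).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2005:08:05:11 +0000] "GET /login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [12/Jan/2005:08:40:02 +0000] "GET /login.php HTTP/1.0" 200 1532 "-" "Wget/1.9.1"
203.0.113.9 - - [12/Jan/2005:15:12:45 +0000] "GET /login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.0.113.9 - - [12/Jan/2005:15:13:02 +0000] "POST /verify.php HTTP/1.1" 200 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.0.113.21 - - [13/Jan/2005:10:30:00 +0000] "GET /login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0)"
198.51.100.7 - - [14/Jan/2005:09:00:00 +0000] "GET /login.php HTTP/1.0" 200 1532 "-" "Wget/1.9.1"
198.51.100.30 - - [15/Jan/2005:11:00:00 +0000] "GET /login.php HTTP/1.0" 200 1532 "-" "Wget/1.8.2"
"""
# Time the mass mailing went out (assumed here; in practice taken from a captured sample).
MAILING_START = datetime(2005, 1, 12, 8, 0, 0)

# Combined log format: ip, ident, user, [timestamp], "request", status, bytes, "referer", "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d+ \d+ "[^"]*" "([^"]*)"')
# User-agent prefixes treated as antiphishing monitors rather than victims' browsers;
# the text names wget, so that is the only entry (extend with known checkers as needed).
MONITOR_AGENTS = ("wget",)

def parse_line(line):
    """Return (ip, timestamp, user_agent) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, agent = m.groups()
    return ip, datetime.strptime(stamp.split()[0], "%d/%b/%Y:%H:%M:%S"), agent

def analyze(log_text, mailing_start=MAILING_START):
    """Count hits per (kind, window); one distinct non-monitor IP ~ one recipient who clicked."""
    hits, victim_ips = Counter(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, agent = rec
        hours = (when - mailing_start) / timedelta(hours=1)
        window = "0-24h" if hours < 24 else ("24-48h" if hours < 48 else ">48h")
        if agent.lower().startswith(MONITOR_AGENTS):   # automated checker, not a victim
            hits[("monitor", window)] += 1
        else:
            hits[("potential_victim", window)] += 1
            victim_ips.add(ip)
    return hits, victim_ips
```

Run against real logs, the share of potential-victim hits in the first two windows versus the monitor-only tail after 48 hours is what makes the takedown-within-24-hours argument above measurable for a given server.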