blog.brandprotect.com

Why phishing attack takedown coverage is key to cutting your exposure

It has been well known for some time - at least, amongst those in the industry and by those with coverage - that having a solid takedown service is essential to limiting the exposure you and your customers face as a result of phishing attacks.  Studies have shown - consistently - that brands who have a well-defined takedown process (including a third-party takedown company) experience significant reductions in the lifetimes of phishing sites targeting their customer base.

Recently, there has been a spike in fast-flux, high-volume phishing activity. Previously, this was known as "Rock Phish" activity; however, that can be considered version 1.0: domains, hosted on a botnet, targeting multiple financial brands and their customers via phishing sites. Version 2.0, known as Avalanche or ZBOT, is particularly troubling, as the attacks have evolved to include a malware payload and have broadened their target base to include social networking sites, government agencies, and even the email recipient's own domain (spoofed as the sender). While complete fraud-loss and malware infection rates are difficult to come by, Damballa research found that the Zeus Trojan, the malware payload included in the Avalanche attacks, has infected 3.6 million systems in the U.S. alone.

In addition to giving up their banking credentials, hundreds - possibly thousands - of users are unknowingly becoming infected daily with one of the most difficult-to-detect pieces of malware ever seen. Zeus makes up 44% of all finance-related malware, and provides the fraudsters with complete access to the infected host, allowing them to upload keylogging software, automatically steal login credentials, and even route legitimate domains to phishing pages. Even those systems with up-to-date anti-virus software aren't immune from infection by Zeus - Trusteer found that up to 77% of infected systems had up-to-date AV definitions (and that across all AV software, there was only a 23% detection rate of Zeus). Earlier, I mentioned that the Avalanche attacks were targeting social networking sites - the same social networking sites that have been used as command-and-control centres for other pieces of malware.

The simplest solution is often the most effective, and when dealing with hosted malware and phishing sites, the simplest solution to prevent further infections or credential loss is to get the content removed. The Anti-Phishing Working Group recently published its 1H2009 Global Phishing Survey, which includes a section detailing the Avalanche phish. Its findings showed that Avalanche domains had an average lifetime of 18 hours, 45 minutes from the time the email was sent out to the time the site became unavailable. In the grand scheme of things, this is a fairly short lifespan - the same report puts the average lifetime of standard phishing sites at 39 hours, 11 minutes. While this is promising, it still leaves 18 ¾ hours open to steal credentials and infect unwitting users.

BrandProtect first saw our clients being targeted in late June, with three more clients being added to the target list in the following months. In total, 506 domains were launched which had pages (either phishing, malware, or both) targeting our clients. BrandProtect's 24/7 Incident Response Team has a distinct advantage over other takedown providers in that they have team members spanning the globe, able to converse with the registrars of these domains in their native tongue, during their normal business hours. This advantage resulted in an average lifetime of the domains targeting our clients of 7 hours, 48 minutes - or a 60% reduction over the reported industry average. Needless to say, our clients are quite pleased with these results.

Now, if only there was a way to prevent people from clicking links in email messages...
