12/3/2009 08:12 PM
Bank Phishing Attacks Snare Few Victims But Tally Major Damage

Live phishing attack data on major banks shows just a small percentage of victims translates into big profits for bad guys and big losses for bank customers

If you've ever wondered just how lucrative a phishing campaign against your bank can really be, then consider this: Phishers actually land a tiny percentage of victims, but the end result is big bucks -- to the tune of $2.4 million to $9.4 million a year, according to a new study that measured real phishing attacks on banks.

Trusteer, which gathers phishing intelligence via its Rapport browser security plug-in, found only 0.47 percent of a bank's customers fall prey to phishing attacks each year, but the bad guys typically make about $2,000 on each customer's account they compromise. The company collected data during a three-month period from 10 large banks in the U.S. and Europe, and then for the report (PDF) normalized the data per 1 million users.

Each phishing attack compromised about 0.000564 percent of online banking customers, and 45 percent of the customers who were redirected to a phishing Web page gave up their online credentials.

"I was a bit surprised by the volume of phishing that still gets through to the users and gets clicked on and acted upon," says Amit Klein, CTO at Trusteer. "What surprised me even more was that almost half of users that had a phishing site rendered in their browser decided to interact with the site and share their credentials. That's something remarkable in itself."

That demonstrates how attempts to educate users about phishing haven't succeeded, he says.

The report found that each bank was targeted on average by 16 phishing Websites a week, which comes out to 832 phishing attacks per year per brand. Compared with the Anti-Phishing Working Group's estimate that the average number of phishing URLs per brand in June was 190, Trusteer concluded that only one in 2.7 phishing URLs reaches its intended target.

An average of 12.5 out of 1 million customers per bank visited each phishing Website. These are customers who may or may not have been targeted by the phishing attack, according to the report.

"This ratio translates to just 0.00125%, a relatively small number. However, taking into account the large number of phishing attacks that occur over the course of 12 months, 1.04% (12.5*832 = 10,400) of a bank's customers visit a phishing website each year," the report says. So for every one million bank customers, 4,700 online banking credentials are lost to the bad guys per year -- 0.47 percent of a bank's customers.
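The chain of figures above (12.5 visitors per million per site, 16 sites a week, a 45 percent credential-share rate, about $2,000 per compromised account) can be carried through as a small exposure model. The code below is an added illustration built from the numbers quoted in this article, not Trusteer's own methodology; it assumes 52 weeks and 12 months per year to annualize the weekly Trusteer count and the monthly APWG count, which is how the "one in 2.7" ratio can be reconstructed. The function is parameterized so a bank can plug in its own customer count or observed rates; 4,680 compromised accounts at $2,000 each comes to about $9.4 million, matching the upper end of the range cited at the top of the story.

```python
# Constructed exposure model from the Trusteer figures quoted in the article.
# Added example, not Trusteer's code; the annualization constants are assumptions.

WEEKS_PER_YEAR = 52      # assumption: turns 16 sites/week into 832 sites/year
MONTHS_PER_YEAR = 12     # assumption: annualizes the APWG per-month URL count


def attacks_per_year(sites_per_week=16):
    """Phishing sites targeting one bank brand per year (16/week -> 832)."""
    return sites_per_week * WEEKS_PER_YEAR


def urls_per_target_reached(apwg_urls_per_month=190, sites_per_week=16):
    """APWG phishing URLs per brand-year divided by the sites Trusteer actually
    saw customers reach; the article rounds this to about 2.7."""
    return (apwg_urls_per_month * MONTHS_PER_YEAR) / attacks_per_year(sites_per_week)


def annual_exposure(customers=1_000_000,
                    visitors_per_million_per_site=12.5,
                    sites_per_week=16,
                    credential_share_rate=0.45,
                    loss_per_account=2000.0):
    """Walk the report's chain: per-site visit rate -> yearly visits ->
    compromised accounts -> dollar loss, scaled to the given customer base."""
    sites = attacks_per_year(sites_per_week)
    visits = visitors_per_million_per_site * (customers / 1_000_000) * sites
    compromised = visits * credential_share_rate
    return {
        "sites_per_year": sites,
        "visits_per_year": visits,
        "visit_rate_pct": 100.0 * visits / customers,
        "compromised_per_year": compromised,
        "compromise_rate_pct": 100.0 * compromised / customers,
        "annual_loss_usd": compromised * loss_per_account,
    }


if __name__ == "__main__":
    result = annual_exposure()
    for key, value in result.items():
        print(f"{key:>22}: {value:,.2f}")
    print(f"APWG URLs per site reached: {urls_per_target_reached():.1f}")
```

Running it with the defaults reproduces the report's 10,400 visits (1.04 percent) and 4,680 compromised accounts (0.47 percent when rounded) per million customers; changing `customers` or `credential_share_rate` shows how sensitive the loss figure is to the user-interaction rate Klein found surprising.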

Phishing researcher Joshua Perrymon says Trusteer's data isn't too surprising because it focuses on consumers. "I would say that the 0.47 percent rate of people who are targeted probably click on the link. But again, they are talking about consumers in this report, and not employees of a company, so that is harder to calculate as you have no control over consumers, and it's hard to contact each one to ask if they got 'phished' because they don't know," says Perrymon, who is CEO at PacketFocus. "In this scenario, attackers are sending spam-style phishing emails to a large number of possible emails to directly target a single brand. So the chance of hitting a user that actually uses the bank is small to begin with, unless they got a list from an insider."

To get better numbers on phishing attack successes, Perrymon says, you would need to control the testing. "If they would have been given the list of consumer email addresses, they could better determine how effective phishing attacks are due to technical controls and user security awareness," he says.

While security researchers across the industry have been pointing to targeted phishing attacks as more effective and lucrative than the wide net of a general phishing campaign, Klein says Trusteer's data appears to indicate that "carpet-bombing still appears to work" in the end.

As for whether phishing is on the rise or decline, Klein says his company's report didn't address that. "The research was not conducted over a long enough period of time to relate directly to the question of whether phishing is on the decline," he says. "We were looking at absolute figures...I think it clearly shows the overall phenomenon of phishing is not declining."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
