12/3/2009
08:12 PM

Bank Phishing Attacks Snare Few Victims But Tally Major Damage

Live phishing attack data on major banks shows just a small percentage of victims translates into big profits for bad guys and big losses for bank customers

If you've ever wondered just how lucrative a phishing campaign against your bank can really be, then consider this: Phishers actually land a tiny percentage of victims, but the end result is big bucks -- to the tune of $2.4 million to $9.4 million a year, according to a new study that measured real phishing attacks on banks.

Trusteer, which gathers phishing intelligence via its Rapport browser security plug-in, found only 0.47 percent of a bank's customers fall prey to phishing attacks each year, but the bad guys typically make about $2,000 on each customer's account they compromise. The company collected data during a three-month period from 10 large banks in the U.S. and Europe, and then for the report (PDF) normalized the data per 1 million users.

Each phishing attack compromised about 0.000564 percent of online banking customers, and 45 percent of those who were redirected to a phishing Web page gave up their online credentials.

"I was a bit surprised by the volume of phishing that still gets through to the users and gets clicked on and acted upon," says Amit Klein, CTO at Trusteer. "What surprised me even more was that almost half of users that had a phishing site rendered in their browser decided to interact with the site and share their credentials. That's something remarkable in itself."

That demonstrates how attempts to educate users about phishing haven't succeeded, he says.

The report found that each bank was targeted on average by 16 phishing Websites a week, which comes out to 832 phishing attacks per year per brand. Compared with the Anti-Phishing Working Group's estimate of 190 phishing URLs per brand in June, Trusteer concluded that only one in 2.7 phishing URLs reaches its intended target.

An average of 12.5 out of 1 million customers per bank visited each phishing Website. These are customers who may or may not have been targeted by the phishing attack, according to the report.

"This ratio translates to just 0.00125%, a relatively small number. However, taking into account the large number of phishing attacks that occur over the course of 12 months, 1.04% (12.5*832 = 10,400) of a bank's customers visit a phishing website each year," the report says. So for every one million bank customers, 4,700 online banking credentials are lost to the bad guys per year -- 0.47 percent of a bank's customers.
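The chain of arithmetic behind the report's figures, written out as an added example (not Trusteer's own code or model): the defaults are the numbers quoted in this article, normalised to one million customers, and the function is parameterised so the same exposure estimate can be rerun against a bank's own phishing telemetry. Only the $2,000-per-account upper bound is reproduced; the page gives no per-account figure for the $2.4 million lower bound, so none is assumed here.

```python
"""Annual phishing-exposure model reproducing the figures quoted in the article.

Added example, not the report's own code. Defaults are the article's numbers
(16 sites/week, 12.5 visitors per million per site, 45% credential share,
$2,000 loss per compromised account, APWG's 190 URLs/brand in June).
"""
from dataclasses import dataclass

WEEKS_PER_YEAR = 52
MONTHS_PER_YEAR = 12


@dataclass
class PhishingEstimate:
    per_attack_compromise_pct: float   # customers losing credentials per phishing site
    annual_visit_pct: float            # customers visiting any phishing site per year
    annual_compromise_pct: float       # customers losing credentials per year
    compromised_per_million: float     # absolute count per 1M customers (4,680, ~4,700)
    annual_loss_usd: float             # at the assumed loss per compromised account
    urls_per_reaching_url: float       # APWG-observed URLs per URL that reaches a customer


def estimate(sites_per_week: float = 16,
             visitors_per_million_per_site: float = 12.5,
             credential_share: float = 0.45,
             loss_per_account_usd: float = 2000,
             apwg_urls_per_brand_month: float = 190,
             customers: int = 1_000_000) -> PhishingEstimate:
    attacks_per_year = sites_per_week * WEEKS_PER_YEAR                        # 832
    visits_per_million_year = visitors_per_million_per_site * attacks_per_year  # 10,400
    compromised_per_million = visits_per_million_year * credential_share       # 4,680
    # Per-site compromise rate: the report's 0.000564% is this value rounded.
    per_attack = visitors_per_million_per_site * credential_share / 1e6        # 5.625e-6
    # Sites actually seen by customers per month, against APWG's observed count.
    seen_per_month = attacks_per_year / MONTHS_PER_YEAR                        # ~69.3
    return PhishingEstimate(
        per_attack_compromise_pct=per_attack * 100,
        annual_visit_pct=visits_per_million_year / 1e6 * 100,
        annual_compromise_pct=compromised_per_million / 1e6 * 100,
        compromised_per_million=compromised_per_million,
        annual_loss_usd=compromised_per_million * (customers / 1e6) * loss_per_account_usd,
        urls_per_reaching_url=apwg_urls_per_brand_month / seen_per_month,
    )


if __name__ == "__main__":
    e = estimate()
    print(f"{e.annual_visit_pct:.2f}% visit, {e.annual_compromise_pct:.2f}% compromised, "
          f"${e.annual_loss_usd/1e6:.1f}M/yr, 1 in {e.urls_per_reaching_url:.1f} URLs reach a customer")
```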

Phishing researcher Joshua Perrymon says Trusteer's data isn't too surprising because it focuses on consumers. "I would say that the 0.47 percent rate of people who are targeted probably click on the link. But again, they are talking about consumers in this report, and not employees of a company, so that is harder to calculate as you have no control over consumers, and it's hard to contact each one to ask if they got 'phished' because they don't know," says Perrymon, who is CEO at PacketFocus. "In this scenario, attackers are sending spam-style phishing emails to a large number of possible emails to directly target a single brand. So the chance of hitting a user that actually uses the bank is small to begin with, unless they got a list from an insider."

To get better numbers on phishing attack successes, Perrymon says, you would need to control the testing. "If they would have been given the list of consumer email addresses, they could better determine how effective phishing attacks are due to technical controls and user security awareness," he says.

While security researchers across the industry have been pointing to targeted phishing attacks as more effective and lucrative than the wide net of a general phishing campaign, Trusteer's Klein says Trusteer's data appears to indicate that "carpet-bombing still appears to work" in the end.

As for whether phishing is on the rise or decline, Klein says his company's report didn't address that. "The research was not conducted over a long enough period of time to relate directly to the question of whether phishing is on the decline," he says. "We were looking at absolute figures...I think it clearly shows the overall phenomenon of phishing is not declining."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
