Vulnerabilities / Threats

12/3/2009
08:12 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Bank Phishing Attacks Snare Few Victims But Tally Major Damage

Live phishing attack data on major banks shows just a small percentage of victims translates into big profits for bad guys and big losses for bank customers

If you've ever wondered just how lucrative a phishing campaign against your bank can really be, then consider this: Phishers actually land a tiny percentage of victims, but the end result is big bucks -- to the tune of $2.4 million to $9.4 million a year, according to a new study that measured real phishing attacks on banks.

Trusteer, which gathers phishing intelligence via its Rapport browser security plug-in, found only 0.47 percent of a bank's customers fall prey to phishing attacks each year, but the bad guys typically make about $2,000 on each customer's account they compromise. The company collected data during a three-month period from 10 large banks in the U.S. and Europe, and then for the report (PDF) normalized the data per 1 million users.

Each phishing attack compromised about 0.000564 percent of online banking customers, and 45 percent of them who were redirected to a phishing Web page gave up their online credentials.

"I was a bit surprised by the volume of phishing that still gets through to the users and gets clicked on and acted upon," says Amit Klein, CTO at Trusteer. "What surprised me even more was that almost half of users that had a phishing site rendered in their browser decided to interact with the site and share their credentials. That's something remarkable in itself."

That demonstrates how attempts to educate users about phishing haven't succeeded, he says.

The report found that each bank was targeted on average by 16 phishing Websites a week, which comes out to 832 phishing attacks per year per brand. When compared to the Anti-Phishing Working Group estimates that the average number of phishing URLs per brand in June was 190, Trusteer concluded that only one of 2.7 phishing URLs reaches its intended target.

An average of 12.5 out of 1 million customers per bank visited each phishing Website. These are customers who may or may not have been targeted by the phishing attack, according to the report.

"This ratio translates to just 0.00125%, a relatively small number. However, taking into account the large number of phishing attacks that occur over the course of 12 months, 1.04% (12.5*832 = 10,400) of a bank's customers visit a phishing website each year," the report says. So for every one million bank customers, 4,700 online banking credentials are lost to the bad guys per year -- .47 percent of a bank's customers.

Phishing researcher Joshua Perrymon says Trusteer's data isn't too surprising because it focuses on consumers. "I would say that the 0.47 percent rate of people who are targeted probably click on the link. But again, they are talking about consumers in this report, and not employees of a company, so that is harder to calculate as you have no control over consumers, and it's hard to contact each one to ask if they got 'phished' because they don't know," says Perrymon, who is CEO at PacketFocus. "In this scenario, attackers are sending spam-style phishing emails to a large number of possible emails to directly target a single brand. So the chance of hitting a user that actually uses the bank is small to begin with, unless they got a list from an insider."

To get better numbers on phishing attack successes, Perrymon says, you would need to control the testing. "If they would have been given the list of consumer email addresses, they could better determine how effective phishing attacks due to technical controls and user security awareness," he says.

While security researchers across the industry have been pointing to targeted phishing attacks as more effective and lucrative than the wide net of a general phishing campaign, Trusteer's Klein says Trusteer's data appears to indicate that "carpet-bombing still appears to work" in the end.

As for whether phishing is on the rise or decline, Klein says his company's report didn't address that. "The research was not conducted over a long enough period of time to relate directly to the question of whether phishing is on the decline," he says. "We were looking at absolute figures...I think it clearly shows the overall phenomenon of phishing is not declining."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/12/2019
Cybercriminals Think Small to Earn Big
Dark Reading Staff 3/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: LOL  Hope this one wins
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.