Vulnerabilities / Threats
12/3/2009
08:12 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Bank Phishing Attacks Snare Few Victims But Tally Major Damage

Live phishing attack data on major banks shows just a small percentage of victims translates into big profits for bad guys and big losses for bank customers

If you've ever wondered just how lucrative a phishing campaign against your bank can really be, then consider this: Phishers actually land a tiny percentage of victims, but the end result is big bucks -- to the tune of $2.4 million to $9.4 million a year, according to a new study that measured real phishing attacks on banks.

Trusteer, which gathers phishing intelligence via its Rapport browser security plug-in, found only 0.47 percent of a bank's customers fall prey to phishing attacks each year, but the bad guys typically make about $2,000 on each customer's account they compromise. The company collected data during a three-month period from 10 large banks in the U.S. and Europe, and then for the report (PDF) normalized the data per 1 million users.

Each phishing attack compromised about 0.000564 percent of online banking customers, and 45 percent of them who were redirected to a phishing Web page gave up their online credentials.

"I was a bit surprised by the volume of phishing that still gets through to the users and gets clicked on and acted upon," says Amit Klein, CTO at Trusteer. "What surprised me even more was that almost half of users that had a phishing site rendered in their browser decided to interact with the site and share their credentials. That's something remarkable in itself."

That demonstrates how attempts to educate users about phishing haven't succeeded, he says.

The report found that each bank was targeted on average by 16 phishing Websites a week, which comes out to 832 phishing attacks per year per brand. When compared to the Anti-Phishing Working Group estimates that the average number of phishing URLs per brand in June was 190, Trusteer concluded that only one of 2.7 phishing URLs reaches its intended target.

An average of 12.5 out of 1 million customers per bank visited each phishing Website. These are customers who may or may not have been targeted by the phishing attack, according to the report.

"This ratio translates to just 0.00125%, a relatively small number. However, taking into account the large number of phishing attacks that occur over the course of 12 months, 1.04% (12.5*832 = 10,400) of a bank's customers visit a phishing website each year," the report says. So for every one million bank customers, 4,700 online banking credentials are lost to the bad guys per year -- .47 percent of a bank's customers.

Phishing researcher Joshua Perrymon says Trusteer's data isn't too surprising because it focuses on consumers. "I would say that the 0.47 percent rate of people who are targeted probably click on the link. But again, they are talking about consumers in this report, and not employees of a company, so that is harder to calculate as you have no control over consumers, and it's hard to contact each one to ask if they got 'phished' because they don't know," says Perrymon, who is CEO at PacketFocus. "In this scenario, attackers are sending spam-style phishing emails to a large number of possible emails to directly target a single brand. So the chance of hitting a user that actually uses the bank is small to begin with, unless they got a list from an insider."

To get better numbers on phishing attack successes, Perrymon says, you would need to control the testing. "If they would have been given the list of consumer email addresses, they could better determine how effective phishing attacks due to technical controls and user security awareness," he says.

While security researchers across the industry have been pointing to targeted phishing attacks as more effective and lucrative than the wide net of a general phishing campaign, Trusteer's Klein says Trusteer's data appears to indicate that "carpet-bombing still appears to work" in the end.

As for whether phishing is on the rise or decline, Klein says his company's report didn't address that. "The research was not conducted over a long enough period of time to relate directly to the question of whether phishing is on the decline," he says. "We were looking at absolute figures...I think it clearly shows the overall phenomenon of phishing is not declining."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.