One-third of phishing pages are active less than a day, according to a new analysis that finds the first hours a phishing page is online are the most dangerous for users.
In their investigation on the life cycle of phishing pages, Kaspersky researchers analyzed 5,307 examples of pages from July 19 through Aug. 2, 2021. Of these, 1,784 were inactive after the first day of monitoring, and several ceased to exist in the first hours. One-quarter were inactive within 13 hours of monitoring, and half lasted less than 94 hours, their research discovered.
The life cycle of a phishing page depends on when it becomes visible to site admins who can then remove it. Even if cybercriminals deploy their own server on a domain they purchased, the registrars might remove the phishers' right to host data on it if they suspect fraudulent activity.
A phishing page is added to more anti-phishing databases the longer it's active, meaning it will lure fewer visitors over time. Given the pages' short life cycle, the criminals behind them want to distribute links to them as soon as they're active to ensure broader reach. Often they will choose to create a new page instead of altering an existing one; further, they may change the page during its life cycle so they aren't blocked.
This information is useful not only for updating databases, but for incident response, says Egor Bubnov, security researcher at Kaspersky, in a statement. If a business is hit with a spam campaign containing fraudulent links, it will know to fight it the campaign in the first few hours because that is the most beneficial time for criminals' activity. And when people receive a link they're unsure of, they'll know to wait a few hours — during which time, the page may cease to exist.
Read more details here.