

Blacklists Miss 21% of Phishing Attacks, Internet Traffic Reveals

Visibility into phishing attacks by content delivery networks and security firms shows many domains fail to be classified as malicious.

More than 20% of the sites used for phishing are not detected by current blacklists as malicious, even days after the start of an attack, according to new research published by internet-services firm Akamai.

The result is that at least 2.4 million visitors to those websites have encountered a potentially malicious attack in a four-month period starting last October, including a spike around Black Friday of nearly 400,000 victims, Akamai concluded. The phishing pages mimicked the legitimate sites of more than 20 different brands using graphics and resources stolen from those sites, the company said.

That the infrastructure of a fifth of phishing attacks is not detected for some time underscores the dangers that phishing continues to pose, says Or Katz, a security researcher at Akamai.

"The fact that we are still seeing a lot of phishing attacks, and we don't see coverage for those 20% of those malicious URLs, limits our ability to defend against phishing," he says. "At the end of the day, a lot of these scams are highly effective."

Phishing continues to be a popular — and effective — technique for attackers. In 2019, nearly a third of all breaches involved a phishing attack, making it the top threat action used in successful breaches, according to Verizon's "2019 Data Breach Investigations Report" (DBIR). While that report showed click rates on links in simulated phishing attacks have declined significantly — down to 3% in 2018, from nearly 25% in 2012 — the incidence of phishing remains high.

Phishing e-mail messages, for example, accounted for almost 90% of all high-risk e-mail blocked by security firm Trend Micro, and 44% of those phishing attacks attempted to convince users to part with their credentials, up from only 9% in 2018, the company said in its "Cloud App Security 2019 Report," published on March 10.

The reason is clear: Attackers are attempting to escape detection and collect credentials to use against other cloud services, the company said.

"Perhaps the simplest possible reason for this increase is that threat actors have been busy updating their phishing websites to reflect a new set of links to avoid detection by antivirus software," the company stated. "It's also possible that a number of new groups have begun launching campaigns with their own batch of URLs, hence the massive increase in the detection of unknown URLs."

The most convincing phishing attacks use content stolen from branded sites as camouflage to fool the victim. More than 1,300 URLs were used for phishing in the four months Akamai collected data, Akamai stated in its analysis.

The majority of the victims of the attacks appear to be from South America, while 28% were from South Asia, Akamai stated. While the company tallied at least 2.4 million potential victims based on visitors requesting resources from its network, that is a conservative estimate, and the actual number is likely much higher, Akamai stated.

Akamai detected phishing domains and URLs by watching for sites that request resources, such as images, cascading style sheets (CSS), or legitimate libraries and services, from known legitimate websites. After gathering information from a victim, many phishing sites redirect the user back to the legitimate site to assuage suspicion.

"This works when criminals create a website that looks similar, or identical, to the brand being abused, giving victims a false sense of security," the company said. "With that sense of security and trust established, victims often end up giving away personal or sensitive information."
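One way to build the referer-based check described above, as an added Python example that is not Akamai's code: it scans constructed CDN access-log lines for a brand's static assets (images, CSS, JavaScript) and flags referring pages hosted outside the brand's own domains. The log lines, IP addresses, hostnames and the `examplebank.test` brand domain are all made up for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample access-log lines (Combined Log Format) for a brand's static-asset host.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Nov/2019:10:01:22 +0000] "GET /assets/logo.png HTTP/1.1" 200 5120 "https://www.examplebank.test/login" "Mozilla/5.0"
203.0.113.11 - - [29/Nov/2019:10:01:23 +0000] "GET /assets/site.css HTTP/1.1" 200 20480 "https://examplebank-secure-login.test/verify" "Mozilla/5.0"
203.0.113.12 - - [29/Nov/2019:10:01:25 +0000] "GET /assets/logo.png HTTP/1.1" 200 5120 "https://examplebank-secure-login.test/verify" "Mozilla/5.0"
203.0.113.13 - - [29/Nov/2019:10:02:01 +0000] "GET /assets/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.14 - - [29/Nov/2019:10:02:09 +0000] "GET /api/balance HTTP/1.1" 200 300 "https://unrelated.test/page" "Mozilla/5.0"
203.0.113.15 - - [29/Nov/2019:10:02:30 +0000] "GET /assets/logo.png HTTP/1.1" 200 5120 "https://login.examplebank.test/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

ASSET_EXTS = (".png", ".jpg", ".gif", ".svg", ".css", ".js", ".woff2")

def parse_log_line(line):
    """Return the fields of one Combined-Log-Format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_brand_host(host, brand_domains):
    """True if host is a brand domain or a subdomain of one (e.g. login.examplebank.test)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in brand_domains)

def find_suspect_referers(log_text, brand_domains):
    """Count static-asset loads whose Referer page sits on a host the brand does not own.
    Only images/CSS/JS/fonts count (what a cloned page pulls from the real site); requests
    with no Referer are skipped since browsers omit it for direct or privacy-restricted loads."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or not rec["path"].lower().endswith(ASSET_EXTS):
            continue
        host = urlsplit(rec["referer"]).hostname  # None for "-" or malformed values
        if not host or is_brand_host(host, brand_domains):
            continue
        hits[host] += 1
    return dict(hits)

if __name__ == "__main__":
    for host, n in find_suspect_referers(SAMPLE_LOG, ["examplebank.test"]).items():
        print(f"possible clone: {host} loaded brand assets {n} time(s)")
```

The Referer header can be blank or spoofed, so a hit is a lead for triage (fetch and compare the referring page) rather than a verdict.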

The Akamai data did not indicate whether the victims were mobile users, but the Verizon 2019 DBIR found that an increasing number of those who click on phishing links — 18% in 2018 — were mobile users. Mobile devices have less capability to convey information that could tip users off to malicious sites, Verizon stated in the report.

"[O]n the one hand, the hardware and software on mobile devices restrict the quality of information that is available, while on the other they make it easier for users to make snap decisions," the Verizon report stated.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
