Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12:30 PM

Blacklists Miss 21% of Phishing Attacks, Internet Traffic Reveals

Visibility into phishing attacks by content delivery networks and security firms shows many domains fail to be classified as malicious.

More than 20% of the sites used for phishing are not detected by current blacklists as malicious, even days after the start of an attack, according to new research published by internet-services firm Akamai.

The result is that at least 2.4 million visitors to those websites have encountered a potentially malicious attack in a four-month period starting last October, including a spike around Black Friday of nearly 400,000 victims, Akamai concluded. The phishing pages mimicked the legitimate sites of more than 20 different brands using graphics and resources stolen from those sites, the company said.

That the infrastructure of a fifth of phishing attacks is not detected for some time underscores the dangers that phishing continues to pose, says Or Katz, a security researcher at Akamai.

"The fact that we are still seeing a lot of phishing attacks, and we don't see coverage for those 20% of those malicious URLs, limits our ability to defend against phishing," he says. "At the end of the day, a lot of these scams are highly effective."

Phishing continues to be a popular — and effective — technique for attackers. In 2019, nearly a third of all breaches involved a phishing attack, making it the top threat action used in successful breaches, according to Verizon's "2019 Data Breach Investigations Report" (DBR). While that report showed click rates on links in simulated phishing attacks have declined significantly — down to 3% in 2018, from nearly 25% in 2012 — the incidence of phishing remains high.

Phishing e-mail messages, for example, accounted for almost 90% of all high-risk e-mail blocked by security firm Trend Micro, and 44% of those phishing attacks attempted to convince users to part with their credentials, up from only 9% in 2018, the company said in its "Cloud App Security 2019 Report," published on March 10.

The reason is clear: Attackers are attempting to escape detection and collect credentials to use against other cloud services, the company said.

"Perhaps the simplest possible reason for this increase is that threat actors have been busy updating their phishing websites to reflect a new set of links to avoid detection by antivirus software," the company stated. "It's also possible that a number of new groups have begun launching campaigns with their own batch of URLs, hence the massive increase in the detection of unknown URLs."

The most convincing phishing attacks use content stolen from branded sites as camouflage to fool the victim. More than 1,300 URLs were used for phishing in the four months Akamai collected data, Akamai stated in its analysis.

The majority of the victims of the attacks appear to be from South America, while 28% were from South Asia, Akamai stated. While the company tallied at least 2.4 million potential victims based on visitors requesting resources from its network, that is a conservative estimate and is likely much higher, Akamai stated.

Akamai detected phishing domains and URLs by watching for sites that request resources from known legitimate websites, such as images, cascading style sheets (CSS), or legitimate libraries and services. After gathering information from a victim, many phishing sites will send the user back to the legitimate site to assuage suspicions. 

"This works when criminals create a website that looks similar, or identical, to the brand being abused, giving victims a false sense of security," the company said. "With that sense of security and trust established, victims often end up giving away personal or sensitive information."

The Akamai data did not indicate whether the victims were mobile users, but the Verizon 2019 DBIR found that an increasing number of those who click on phishing links — 18% in 2018 — were mobile users. Mobile devices have less capability to convey information that could tip users off to malicious sites, Verizon stated in the report.

"[O]n the one hand, the hardware and software on mobile devices restrict the quality of information that is available, while on the other they make it easier for users to make snap decisions," the Verizon report stated.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Keys to Hiring Cybersecurity Pros When Certification Can't Help."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-22
PHPGURUKUL Zoo Management System Using PHP and MySQL version 1.0 is affected by: SQL Injection via zms/animal-detail.php.
PUBLISHED: 2020-09-22
Arbitrary code execution vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow remote attackers to execute arbitrary code on affected installations of OBR.
PUBLISHED: 2020-09-22
WebAccess Node (All versions prior to 9.0.1) has incorrect permissions set for resources used by specific services, which may allow code execution with system privileges.
PUBLISHED: 2020-09-22
A vulnerability in Arista’s CloudVision Portal (CVP) prior to 2020.2 allows users with “read-only� or greater access rights to the Configlet Management module to download files not intended for access, located on the CVP server, by accessing ...
PUBLISHED: 2020-09-22
IBM Data Risk Manager (iDNA) 2.0.6 stores user credentials in plain in clear text which can be read by an authenticated user. IBM X-Force ID: 184976.