Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12:30 PM

Blacklists Miss 21% of Phishing Attacks, Internet Traffic Reveals

Visibility into phishing attacks by content delivery networks and security firms shows many domains fail to be classified as malicious.

More than 20% of the sites used for phishing are not detected by current blacklists as malicious, even days after the start of an attack, according to new research published by internet-services firm Akamai.

The result is that at least 2.4 million visitors to those websites have encountered a potentially malicious attack in a four-month period starting last October, including a spike around Black Friday of nearly 400,000 victims, Akamai concluded. The phishing pages mimicked the legitimate sites of more than 20 different brands using graphics and resources stolen from those sites, the company said.

That the infrastructure of a fifth of phishing attacks is not detected for some time underscores the dangers that phishing continues to pose, says Or Katz, a security researcher at Akamai.

"The fact that we are still seeing a lot of phishing attacks, and we don't see coverage for those 20% of those malicious URLs, limits our ability to defend against phishing," he says. "At the end of the day, a lot of these scams are highly effective."

Phishing continues to be a popular — and effective — technique for attackers. In 2019, nearly a third of all breaches involved a phishing attack, making it the top threat action used in successful breaches, according to Verizon's "2019 Data Breach Investigations Report" (DBR). While that report showed click rates on links in simulated phishing attacks have declined significantly — down to 3% in 2018, from nearly 25% in 2012 — the incidence of phishing remains high.

Phishing e-mail messages, for example, accounted for almost 90% of all high-risk e-mail blocked by security firm Trend Micro, and 44% of those phishing attacks attempted to convince users to part with their credentials, up from only 9% in 2018, the company said in its "Cloud App Security 2019 Report," published on March 10.

The reason is clear: Attackers are attempting to escape detection and collect credentials to use against other cloud services, the company said.

"Perhaps the simplest possible reason for this increase is that threat actors have been busy updating their phishing websites to reflect a new set of links to avoid detection by antivirus software," the company stated. "It's also possible that a number of new groups have begun launching campaigns with their own batch of URLs, hence the massive increase in the detection of unknown URLs."

The most convincing phishing attacks use content stolen from branded sites as camouflage to fool the victim. More than 1,300 URLs were used for phishing in the four months Akamai collected data, Akamai stated in its analysis.

The majority of the victims of the attacks appear to be from South America, while 28% were from South Asia, Akamai stated. While the company tallied at least 2.4 million potential victims based on visitors requesting resources from its network, that is a conservative estimate and is likely much higher, Akamai stated.

Akamai detected phishing domains and URLs by watching for sites that request resources from known legitimate websites, such as images, cascading style sheets (CSS), or legitimate libraries and services. After gathering information from a victim, many phishing sites will send the user back to the legitimate site to assuage suspicions. 

"This works when criminals create a website that looks similar, or identical, to the brand being abused, giving victims a false sense of security," the company said. "With that sense of security and trust established, victims often end up giving away personal or sensitive information."

The Akamai data did not indicate whether the victims were mobile users, but the Verizon 2019 DBIR found that an increasing number of those who click on phishing links — 18% in 2018 — were mobile users. Mobile devices have less capability to convey information that could tip users off to malicious sites, Verizon stated in the report.

"[O]n the one hand, the hardware and software on mobile devices restrict the quality of information that is available, while on the other they make it easier for users to make snap decisions," the Verizon report stated.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Keys to Hiring Cybersecurity Pros When Certification Can't Help."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-03
Jenkins Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP endpoints, allowing attackers to perform all administrative actions provided by the plugin.
PUBLISHED: 2020-06-03
Jenkins Project Inheritance Plugin 19.08.02 and earlier does not require users to have Job/ExtendedRead permission to access Inheritance Project job configurations in XML format.
PUBLISHED: 2020-06-03
Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure.
PUBLISHED: 2020-06-03
Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier does not escape the error message for the repository URL field form validation, resulting in a reflected cross-site scripting vulnerability.
PUBLISHED: 2020-06-03
Jenkins Play Framework Plugin 1.0.2 and earlier lets users specify the path to the `play` command on the Jenkins master for a form validation endpoint, resulting in an OS command injection vulnerability exploitable by users able to store such a file on the Jenkins master.