Lack of phishing attacks data sharing puts $300M at stake annually

Lack of phishing attacks data sharing puts $300M at stake annually

Summary: To share phishing URLs, or not to share? That's the rhetorical question, since sharing ultimately serves the final customer and ensures a lower average time for a phishing site to remain online.

TOPICS: Security

Phishtank Phishing statistics SeptemberTo share phishing URLs, or not to share? That's the rhetorical question, since sharing ultimately serves the final customer and ensures a lower average time for a phishing site to remain online. In a recently published research (The consequence of non-cooperation in the fight against phishing) Tyler Moore and Richard Clayton analyze the current state of delayed data sharing, and argue that the impact of non-cooperation among vendors is resulting in an estimated $326 million annual loss :

"The paper contains all the details, and gives all the figures to show that website lifetimes are extended by about 5 days when the take-down company is completely unaware of the site. On other occasions the company learns about the site some time after it is first detected by someone else; and this extends the lifetimes by an average of 2 days. Since extended lifetimes equate to more unsuspecting visitors handing over their credentials and having their bank accounts cleaned out, these delays can also be expressed in monetary terms. Using the rough and ready model we developed last year, we estimate that an extra $326 million per annum is currently being put at risk by the lack of data sharing. This figure is from our analysis of just two companies’ feeds, and there are several more such companies in this business.

Not surprisingly, our paper suggests that the take-down companies should be sharing their data, so that when they learn about websites attacking banks they don’t have contracts with, they pass the details on to another company who can start to get the site removed."

Phishing site take down service NetcraftWhy wouldn't "take-down companies" be interested in sharing the data so that more customers get protected by visiting a phishing site that has already been shut down? Because the process of taking down phishing sites has been commercialized by vendors diversifying their fraud protection and brand reputation services a long time ago. Such competition is in fact supposed to provide more value to the end users, since on their way to achieve better results than the competing company, the vendor will inevitably start taking down phishing sites more efficiently. However, as long as data is not shared so that a particular company can claim that it's taking down phishing sites faster than the other, the end users remain at risk.

In a related research published by Symantec in 2007, the company analyzed the average online time for phishing sites and argued that the take-down process is greatly affected based on the country the site is hosted in :

"Public phishing statistics often report the overall number of attacks hosted in a specific country, but this is not the only interesting detail: phishing attacks are more dangerous when they can “survive” online until the majority of potential victims open the phish email. Our analysis shows how ISPs in some countries are relatively slower than others to shut down attacks. For example, Taiwan’s average shutdown time has been only 19 hours on 92 attacks, while in Australia the average for 98 attacks has been almost one week for a single shutdown. Other countries slow to respond include the USA and India. Countries identified as responding quickly include Germany, Netherlands, Japan, Estonia, Poland and Russia."

Non-profit community driven projects such as Phishtank and are great examples of how this sharing mentality can protect most end users, so feeding these services with phishing/malware URLs in between ensuring that a phishing email never actually gets the chance to reach the inbox of an end user at the first place, is the way to go. Moreover, phishing emails are only part of the problem since banker malware has gotten so efficient and sophisticated, that I can easily argue that more money are at stake due to the increasing number of people infected with banker malware, compared to those interacting with phishing emails, since the banker malware remains active long after the phishing site has been shut down. Competitive practices must be balanced with social responsibility, which is where sharing of data comes into play.

Topic: Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • A Contrary Perspective On Data Sharing

    I completely agree that speed is the critical matter in taking down phishing sites. Unfortunately, I respectfully have to differ with Moore, Clayton and Danchev's suggested method for improving those times. Their prescription is exactly the wrong one. Rather than improve protection for banks and consumers, this proposal would in fact have the opposite effect.

    Here's why: Speed in detection and speed in takedown both take technology, staff, and expertise - in other words, investment and lots of it. This is evidenced by comparing the best commercial offerings against exactly the type of "cooperative efforts" you highlight, such as Phishtank. These efforts, while laudable, are, when compared head-to-head with purpose-built systems, terrible performers on both volume and timeliness of discovery. If they weren't, companies like ours would not be securing large-dollar contracts for timely, accurate and comprehensive detection. The market would simply say "you're no faster or better than phishtank."

    As a matter of fiduciary responsibility, this huge commitment of our investors' capital is to produce an ROI. By "demanding" that capable companies give away data to their feebler competitors, you only incent the competent players to exit the market. Those with flexible technology and smart people will simply devote their staff, budget and expertise to other products where they are not being told to give away the value they have worked so hard to create. Only the companies with weak detection capabilities could applaud such an idea.

    This is not theory. I have personally devoted much of the last two years developing exactly the detection systems we're discussing. Yet if this prescription were followed, I would be the first one recommending to our Board of Directors that we exit this market and spend our time (and their money) more productively on another product.

    The banks that rely on these providers will thus be left with only the least efficient, least competent vendors to choose from, and the performance and protection offered will suffer, not improve.

    For a more complete explanation of this differing opinion, including a discussion of why the A/V industry is not in fact a proper analog for this suggestion, please see the link below.

    A Contrary Perspective ?? Forced Data Sharing Will Decrease Performance and Reduce Protection

    Eric Olson - Vice President, Cyveillance, Inc.
    • RE: A Contrary Perspective On Data Sharing

      @Eric: Thanks for your thoughtful post. I do appreciate the importance of competition among take-down companies in creating more comprehensive feeds of phishing URLs. However, I disagree that the forces of competition alone can yield the best detection. For the take-down companies we studied, both could have identified and removed more phishing websites had they known about the sites their competitors knew about.

      So the question that remains is how to devise a sharing mechanism that rewards take-down companies with better feeds. Here is our proposal. Take-down companies share phishing feeds with a trusted third party (e.g., the Anti-Phishing Working Group), who immediately passes on the aggregated feed to the other companies. Periodically, contribution levels from each take-down firm are checked. Companies that provide more URLs than they receive from others are compensated by the net-receiving firms. This payment rewards firms that are better at detecting more phishing websites and deters free-riding.

      The full details of our sharing proposal appear in this blog post: