A mixed team of security researchers from Google, PayPal, Samsung, and Arizona State University has spent an entire year analyzing the phishing landscape and how users interact with phishing pages.
In a mammoth project that involved analyzing 22,553,707 user visits to 404,628 phishing pages, the research team has been able to gather some of the deepest insights into how phishing campaigns work.
"We find that the average phishing attack spans 21 hours between the first and last victim visit, and that the detection of each attack by anti-phishing entities occurs on average nine hours after the first victim visit," the research team wrote in a report they are scheduled to present at the USENIX security conference this month.
"Once detected, a further seven hours elapse prior to peak mitigation by browser-based warnings."
The research team calls this interval between the start of the campaign and the deployment of phishing warnings inside browsers the "golden hours" of a phishing attack -- when attackers make most of their victims.
But the research team says that once the golden hours end, the attacks continue to make victims, even after browser warnings are deployed via systems like Google's Safe Browsing API.
"Alarmingly, 37.73% of all victim traffic within our dataset took place after attack detection," researchers said.
Further, researchers also analyzed user interactions on the phishing pages. They said that 7.42% of the victims entered credentials in the phishing forms, and eventually suffered a breach or fraudulent transaction on their account.
On average, crooks would attempt to breach user accounts and perform fraudulent transactions 5.19 days after the user visited the phishing site, on average, and victim credentials would end up in public dumps or criminal portals after 6.92 days after the user visited the phishing page.
Most phishing campaigns come from a few major players
But while researchers analyzed more than 400,000 phishing sites, they said that the vast majority of phishing campaigns weren't really that effective, and that just a handful of phishing operators/campaigns accounted for most of the victims.
"We found that the top 10% largest attacks in our dataset accounted for 89.13% of targeted victims and that these attacks proved capable of effectively defeating the ecosystem's mitigations in the long term," they wrote in the report.
Researchers said that some campaign remained active as long as nine months, while making tens of thousands of victims, using nothing more than "off-the-shelf phishing kits on a single compromised domain name [phishing site]."
The study's findings are conclusive with what Sherrod DeGrippo, Sr. Director, Threat Research and Detection at Proofpoint, told ZDNet in an interview this week. DeGrippo said that Proofpoint usually tracks around 12 million credential phishing attacks per month and that the best threat actors focus on evasion tactics to avoid getting detected, knowing this would keep their campaigns running for longer, and prolong the "golden hours."
"In terms of evasion, this is something the credential phish threat actors absolutely work hard on," DeGrippo said.
More collaboration needed
The academic team blamed the current state of affairs on the reactive nature of anti-phishing defenses, which are usually slow in detecting phishing attacks. However, researchers also blamed the lack of collaboration between industry partners, urging the different anti-phishing entities to work together more.
"Cross-industry and cross-vendor collaboration certainly makes all entities stronger against phishing and other attacks," DeGrippo also added, echoing the study's conclusion.
However, the Proofpoint exec also says that entities outside the anti-phishing and cyber-security world also need to pitch in, as well.
"Additional effectiveness also involves domain registrars, encryption cert providers, and hosting companies to complete abuse takedowns, which can be a challenge as providers can be resource-restrained.
"Stopping phishing attacks is vital to help protect organizations worldwide and industry collaboration, insight sharing, and action, such as blocking cred phish from reaching victims, is essential," DeGrippo said.
The full academic study, entitled "Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale," is available for download as a PDF.