Phishing email creators rely on a short shelf life to beat your defences

Cybercriminals rely on rapid cycling of kit design, target URLs to avoid detection


More than 60 percent of phishing exploit kits are active for less than 20 days, according to new figures that highlight cybercriminals’ rapidly changing tactics and the dominance of phishing attacks on Microsoft, PayPal, Dropbox, and DHL.

An Akamai analysis of 262 days’ worth of security data – part of the firm’s latest State of the Internet report – identified 62 different phishing kits that mimicked the Microsoft brand, with 3897 related domains handling clickthroughs and the associated distribution of malware.

Microsoft’s ubiquity has long made it a popular vehicle for scammers: a malware downloader recently discovered by Proofpoint and dubbed WhiteShadow, for example, loaded Word and Excel email attachments with Microsoft Office macros that use SQL commands to retrieve and install malware from remote databases.

Some 14 different kits leveraged PayPal during Akamai’s observation period, with Dropbox used by 11 different kits due to its common usage as a conduit for shared files and photographs.

Around 43 percent of observed phishing kits were deactivated within 10 days, the analysis found – highlighting a tactic that, the firm said, reflects cybercriminals’ desire to “keep the kit below the radar”.

“Kits used in spear phishing attacks could target anything, including the common industries, but they’re usually one-off developments that are customised for the task at hand.”

Cybercriminals were also cycling through supporting domains quickly, with Akamai observing more than 2.06 billion unique domains that it said were “commonly associated with malicious activity”. Of these, 89 percent had a lifespan of less than 24 hours – and 94 percent were struck down within three days.

“Criminals are in a race against the security teams looking to shut down their operations,” the report notes.

“Although security teams report phishing URLs regularly, some criminals choose web hosts and domains where those reports are simply ignored. Yet, as the data shows, most kits have a short life, and the window of opportunity for most phishing kits is growing smaller.”

Akamai’s findings corroborate the ongoing narrative around cybercriminals’ flexibility – which is creating problems for businesses that put too much stock in their email defence solutions.

Mimecast’s latest Email Security Risk Assessment, for one, analysed 260m emails – gathered from 480,069 email users across a period of 2405 days – that had been cleared by incumbent scanning solutions, including 123m that passed Microsoft Office 365’s security checks.

The analysis found 28.9m questionable messages that would otherwise have made it to users’ desktops. Of these, 28.8m were marked as spam while 28,726 dangerous file types, 28,808 malware attachments and 60,495 impersonation attacks were all detected and flagged. The messages also included 470,588 malicious URLs spread across 34m emails – again highlighting the ongoing dangers of errant clicks as a source of inadvertent infection.

Akamai’s analysis also looked at its own experience as a target for cybercriminals, with 26.8 percent of phishing attempts targeted at engineering teams compared with 20.8 percent at finance and HR, 18.2 percent at marketing and sales staff, and just 12.2 percent of phishing targeting executives.

Vigilance and effective end-user training remain critical to mounting and maintaining an effective phishing defence, Akamai advises, noting that criminals “have adapted to many basic awareness training models, which is where the boom in BEC attacks came from.”

“Some phishing attacks are loud and easy to spot,” the report’s authors note, “but lately, that hasn’t been the norm. As phishing expands beyond email, new attacks can come from people and places that are known and trusted by the victim. This makes it infinitely harder to track and stop. Not impossible, mind you, just more difficult.”
