Posts tagged ‘Phishing’

Quiet holidays?

Remember our article at the end of November “Phishing on the rise“?

We observed that Chase phishing was becoming a significant part of our phishing and malware statistics. Well, after almost three weeks, it seems that the phishers and malware authors are preparing for the holidays.

Fig. 1: Phishing in December

Compared with last month, up to 16.12.2008, phishing went down by roughly 66% (from 22031 to 7557 entries). Malware also went down by approximately 45% (from 5818 to 3213 entries). But do not forget: we are just in the middle of the month. There is still a lot of time to catch up.

Overall, the situation in the last months is looking interesting:

Fig. 2: Middle December statistics

We hope that the trend is going to remain like this, which would mean a quiet Christmas and New Year holiday for all of us.

Sorin Mustaca
Manager International Software Development

Phishing on the rise

The spamtraps used by Avira to collect spam, phishing and malware from the Internet recorded some interesting data which shows a change in the trends for the end of this year.

As can be seen in the graphics below, there is a big increase in the levels of Phishing and a decrease in the level of Malware in the last 3 months. The system which records these statistics was started and filled with data at the end of September and this is why we can see such a big increase in the malware URLs.

Phishing on the rise, malware down

But from that point on, the number of phishing URLs increased constantly until reaching 45226 unique URLs (38.3%) at the end of November, and the tendency is to grow even further.

The malware URLs sum to 72833 unique URLs, representing 61.7% of the total entries.

The amount of phishing URLs is taking up a much bigger part in the meantime.

The exact distribution of Phishing and Malware can be seen in the graphic below, from September 2008 until the end of November 2008 (date of writing this article). The level of Phishing is still growing constantly from October to November.

Development of the amount of phishing URLs in the past three months

Sorin Mustaca
Manager International Software Development

Phishing: Chase eBay

Since yesterday we have been monitoring a weird development. Usually, the top phishing targets are eBay and PayPal. But now, phishing sites for the Chase bank are spreading very fast.

Weird incident: New no. 1 in phishing targets is the Chase bank.

There were spam runs with emails claiming that the Chase bank is conducting a survey concerning the financial crisis; additionally, those emails promise money for taking the survey.

Phishing-mails promise money for taking a survey - which is nothing less than a scam trying to phish the user data.

That survey is of course a fake, trying to phish the user data. Don’t follow the link in these emails; delete such mails!

Dirk Knop
Technical Editor

Providing protection against malware and phishing URLs

Phishing, spam and malware have a couple of things in common: they have become a major problem for users, for banks and for online businesses. They are delivered either as attachments or via URLs contained in the emails. The AV industry is trying to protect its customers as well as it can by gathering and analysing the emails with dangerous attachments and by blocking the URLs to phishing and malware websites.

Because the emails are so well crafted, it is sometimes not possible to mark them as spam, so they reach users’ inboxes. Some of these spam emails spread malware. Nowadays not only malware is a threat to users, but also phishing emails and websites which sell fake products that can be potentially dangerous as well (pharmaceuticals).

The only solution to block access to the malware is to block the target URL in a generic way, without knowing for sure from the beginning the reason for which it is blocked. Such a powerful and dynamic system needs a very good control and monitoring center in order to be maintainable.

Avira developed a system to manage, from a single point, the malware and phishing URLs gathered from multiple sources, to track the URLs in order to see that they are taken down, to generate statistics for detecting outbreaks, and to generate information to warn companies when they are targeted by phishing attacks.

Fig. 1: Architecture

The system was created with the idea in mind that we can add a new source of URLs at any time (represented by the gray source with a „?“).

Fig. 2: Categories of URLs

As we can see, most of the URLs we block are pointing to malware and only about a quarter are pointing to phishing websites. These URLs are used to create updates for several web filtering products of Avira like Webguard, a module of the „Avira Premium Security Suite“ product.

Features

One of the most important features of the system is the ability to find the registrar which is hosting the phishing or the malware page. Once we find the registrar, we can find its location and create a world map of the sites which host malware and phishing.

Fig. 3: World distribution of malware and phishing

As we can see in the figure, most of the threats are hosted in the U.S.A., followed by Europe. Other interesting statistics generated by the system are the ranking of the most attacked brands and the ranking of the providers which host most of the files.

Fig. 4: Attacked brands (from September 2008)

In first place among the most attacked brands is eBay with 3277 unique phishing websites. In second place is PayPal with 2606 websites, and in third place, very close behind, is American Express with 2464 websites.

Fig. 5: Number of threats

Challenges

Since the end of September 2008, when the system was started, we have encountered many challenges while building it. The challenges were caused by the differences between the sources we used: the URLs detected by our own Antiphishing product, Phishtank, LCheck (an internal system dealing only with malware URLs) and Clean-MX (a system that deals with both phishing and malware URLs). The only thing these sources have in common is that each provides a URL which should be blocked. Other challenges we faced are the errors and special situations these services produced: invalid data, lack of availability and false positives.

The system started to record about 100 new URLs at the beginning, which was not a great challenge for our hardware. The situation completely changed when we had to deal with almost 1000 unique URLs per day. These unique URLs are gathered from more than 20000 URLs which have to be verified and sorted. The server has to deal with these special situations and must also check the validity of the URLs by downloading each file in order to analyse and scan it.

A real challenge was removing non-relevant URLs, such as those pointing to websites and malware files that no longer exist. Usually, when a web resource is no longer available, a web server returns a special error (404). In order to be more user friendly, many websites no longer return this error but redirect to a special web page informing the visitor that the requested resource is no longer there. Since the websites are very often hosted in non-English-speaking countries, it is not really a solution to parse the web page and look for some known content.

Fig. 6: Answers provided by various websites

Fortunately, by analysing some of these websites, we figured out that they use some common “keywords” and “key sentences” explaining what is happening. Many of these are international words. We filter about 60% of the pages with this empirical technique.
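The keyword filter described above, sketched as an added example (this is not Avira's code): it separates honest 404s from "friendly" error pages that answer with status 200. The keyword list, the 600-character cut-off, the redirect signal and the scoring are assumptions, and the sample responses are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed keyword list: terms that tend to appear untranslated on "page gone" notices.
GONE = re.compile(r"\b(404|error|not found|removed|suspended|unavailable|expired)\b", re.I)
SHORT_PAGE = 600  # assumed cut-off (characters of visible text) for an error stub

class _Text(HTMLParser):  # collects <title> and visible text, skipping script/style
    def __init__(self):
        super().__init__()
        self.title, self.body, self._open = [], [], []
    def handle_starttag(self, tag, attrs):
        if tag in ("title", "script", "style"):
            self._open.append(tag)
    def handle_endtag(self, tag):
        if self._open and self._open[-1] == tag:
            self._open.pop()
    def handle_data(self, data):
        if not self._open:
            self.body.append(data)
        elif self._open[-1] == "title":
            self.title.append(data)

def hits(text):
    """Distinct keywords found in text."""
    return {m.lower() for m in GONE.findall(text)}

def classify(status, requested_url, final_url, html):
    """Return 'dead', 'soft-404' or 'live' for one fetched blocklist URL."""
    if status in (404, 410):
        return "dead"                          # the server reported it honestly
    p = _Text()
    p.feed(html)
    body = " ".join(" ".join(p.body).split())  # collapse whitespace
    score = 2 if hits(" ".join(p.title)) else 0  # keyword in the title: strong signal
    if len(body) <= SHORT_PAGE:                # count body keywords only on stub pages
        score += len(hits(body))
    if urlsplit(requested_url).path != urlsplit(final_url).path:
        score += 1                             # redirected away from the resource
    return "soft-404" if score >= 2 else "live"

# Constructed sample responses (not real captures): status, requested, final, HTML.
SAMPLES = [
    (200, "http://b.example/login/", "http://b.example/login/",
     "<html><title>Fehler 404</title><body>Seite nicht gefunden</body></html>"),
    (200, "http://c.example/pay.php", "http://c.example/",
     "<html><body><h1>Error</h1><p>Pagina nu a fost gasita.</p></body></html>"),
    (200, "http://d.example/s", "http://d.example/s", "<title>Survey</title>" + "Please sign in. " * 60),
]
```

Entries classified as `dead` or `soft-404` are candidates for removal from the blocklist; pages that use none of the shared keywords still come back as `live`, which matches the partial coverage the technique gives.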

More details about various techniques for reaching the real content of a page are explained in the article „Delivering reliable phishing protection“, published in Virus Bulletin Magazine, May 2008.

Sorin Mustaca
Manager International Software Development