Busy Week for Phishing Kits

Posted by Gunter Ollmann on June 18, 2007 at 10:57 AM EDT.

A couple of weeks ago I blogged about the new advances being made by our X-Force team over in Kassel, Germany, and how they were now differentiating phishing websites (and their associated URL’s) as being ‘manual’ (one-of-a-kind) or having coming from an automated kit technology.

Well, it would seem that the Phishers were pretty busy last week – clocking up over 100,000 new phishing sites.

That’s right, the Kassel X-Force content research team identified, studied and classified 114,013 brand new phishing sites last week (in the period 11th June to 18th June).  I’m not sure if that’s a record for a single week – it sounds like it could be to me – but it certainly blows away any monthly totals I’ve seen in publications from the Anti-Phishing Working Group.

Diving a little deeper in to last weeks phishing site data, we see that 99.8% of all these sites came from automated phishing kits.  Only 158 (0.2%) of the sites identified did not appear to follow an automated deployment strategy for their phishing attack.

On the site registration side, we see that the phishing kits trace back to just 111 domain registrations – corresponding to an average of around 1000 sites hosted per malicious domain.  And, just like my posting a couple of weeks ago, X-Force observed Hong Kong (.hk) registrations being most popular – constituting 33% of domains – followed by Taiwan (.tw) with 14% and then China (.cn) with 8%.

Intense Focus

Upon examining which organizations were being targeted in last weeks phishing scams, one bank stands out by a long shot.  Regions Bank was targeted in 85% of all the automated phishing kit deployments observed by X-Force last week.

This intense focus upon Regions Bank obviously had a major effect upon the total volume of sites detected and classified last week.