Phishers test the water with shorter hooks
Posted by Ralf Iffert on November 30, 2007 at 12:38 PM EST.
Over the last few months our Kassel-based X-Force analysts have observed that host names within fraudulent phishing URLs consistently arrive with lengths of between 30 and 37 characters. Last week's phishing statistics showed a significant change: these phishing host names have now shrunk to an average of only 17 characters in length.
A consequence of this shortening is that there is less variation in host names.
In the past we would typically observe URLs of the following format:
hxxp://session-12345678.onlinebanking.login.domain.info/index.php
Today we see them as:
hxxp://banking.login.mio23.domain.net/user_module
However, the number of new domain names being used to seed the shortened host names did not decrease (it averages several hundred per week). Furthermore, the percentage of spam mail with phishing intent did not decrease either, and continues to average between 0.2% and 1.6% of all spam mail volume.
Overall, the phishers did not reduce the volume of their attacks, but appear to have adopted shorter URLs to avoid arousing the suspicion of their potential victims. This means that the probability of a phisher reusing a particular host name in multiple phishing emails has increased considerably.
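Both observations above, host-name length and host-name reuse across emails, can be measured on a mail corpus. The following Python code is an added example, not X-Force tooling: it assumes the "host name" is the part in front of the registered domain, that the registered domain is the last two labels, and it runs on constructed records modelled on the two URL formats quoted in this post (the function names and message ids are hypothetical).

```python
from collections import defaultdict
from statistics import mean
from urllib.parse import urlsplit

# Constructed sample: (message id, defanged URL) pairs modelled on the two
# URL formats quoted in the post. Not real phishing data.
SAMPLE = [
    ("m1", "hxxp://session-12345678.onlinebanking.login.domain.info/index.php"),
    ("m2", "hxxp://session-87654321.onlinebanking.login.domain.info/index.php"),
    ("m3", "hxxp://banking.login.mio23.domain.net/user_module"),
    ("m4", "hxxp://banking.login.mio23.domain.net/user_module"),
    ("m5", "hxxp://banking.login.mio23.domain.org/user_module"),
]


def host_prefix(url):
    """Return the host-name labels in front of the registered domain.

    Assumption: the registered domain is the last two labels, which holds
    for the sample but not for suffixes such as co.uk (use a public suffix
    list for real data).
    """
    refanged = url.replace("hxxp", "http", 1)  # undo the defanging
    host = (urlsplit(refanged).hostname or "").rstrip(".")
    labels = host.split(".")
    return ".".join(labels[:-2]) if len(labels) > 2 else ""


def summarize(records):
    """Average prefix length and prefixes seen in more than one message."""
    seen = defaultdict(set)
    for msg_id, url in records:
        prefix = host_prefix(url)
        if prefix:
            seen[prefix].add(msg_id)
    avg = mean(len(p) for p in seen) if seen else 0.0
    reused = {p: sorted(ids) for p, ids in seen.items() if len(ids) > 1}
    return avg, reused


if __name__ == "__main__":
    avg, reused = summarize(SAMPLE)
    print(f"average host-name length: {avg:.1f}")
    for prefix, ids in reused.items():
        print(f"reused in {len(ids)} messages: {prefix} -> {ids}")
```

Measured this way, the older format quoted above has a 36-character host name and the newer one 19; the shorter prefix is the one that recurs across messages and across domains in the sample.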
X-Force will continue to monitor this interesting change of phishing tactics. It will be interesting to see whether this is a short-term experiment by the phishers as they trial new approaches and phishing kits, or whether this is a long-term shift in trying to bypass existing protection systems and fool their potential victims.
Either way, keep an eye on the X-Force blog to find out more as we monitor the situation.

