MIAMI—A new research report that examined 3,030 phishing attacks against a top 25 U.S. bank said it has been able to group phishing sites into three main clusters.
The report, from Easy Solutions, which calls itself the “total fraud protection company,” is titled “Know Your Enemy: Understanding Phishing Strategies.”
The company said its research team identified the three clusters based on how the sites were created, and where and how the site domains were registered. The report also found that the average number of potential targets per phishing attack was only 190 individuals.
“Given the large number of attacks, this indicates a willingness on the part of phishers to essentially ‘smash and grab,’ and set up unique sites that are likely to only be visited by a very small number of victims,” said Easy Solutions.
Additional analysis on each group of phishing sites allowed Easy Solutions to further categorize the attackers. By using information such as the attacker’s location, the type of phishkit used and Whois information of the domain, the researchers identified 12 subgroups, which helped the team understand the attackers’ strategies, locations and motivations.
“These findings are important because they demonstrate that it is possible to effectively characterize a diverse attacker population that is persistently launching attacks against a brand,” said Daniel Ingevaldson, CTO of Easy Solutions. “When institutions can more effectively characterize their attackers, they can then more successfully combat phishing attacks – by tuning consumer education campaigns, changing web site countermeasures, or adjusting risk scoring during phishing campaigns. Only by studying how these criminals operate can we develop more effective countermeasures, to help financial institutions reduce the rate of successful phishing attempts on their brands.”
Easy Solutions provides cross-channel fraud protection across transactions performed on online and mobile platforms, as well as via ATMs, point-of-sale terminals, and interactive voice response systems.
