Nearly a year ago I asserted in a Dark Reading interview that phishers were using Google and other search engines to find vulnerable web sites from which to launch their scams. By a simple analysis of the web hosts and URLs used in phishing, I estimated that the vast majority of phishing web sites were hosted on compromised, otherwise legitimate web sites. Today, Richard Clayton and Tyler Moore have published a paper on “Evil Searches” and phishing at this week’s Financial Cryptography conference.
I encourage anyone who is interested in understanding how phishing really works to read the paper, but here are a few of the key takeaways:
- Over 75% of phishing sites are hosted on hacked web sites
- Despite legend to the contrary, there is no data to support the notion that phishers use phish URL blacklists (like PhishTank) to find vulnerable web sites
- About 9% of the hacked web sites hosting phish are compromised again, with another phishing page added, within 4 weeks
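As an added illustration of the kind of host-and-URL analysis mentioned above and of the four-week recompromise measurement in the last takeaway, the script below classifies a feed of phishing URLs by hosting type and then computes, for the hosts it judges to be compromised legitimate sites, the fraction that received another phish within 28 days. This is example code written for this post, not code from the original article or from the Clayton and Moore paper, and it does not reproduce their methodology: the classification heuristics (brand words in the path of an unrelated host versus in the hostname itself), the `BRAND_WORDS` and `FREE_HOSTS` lists, and the `SAMPLE_FEED` of URLs and timestamps are all constructed assumptions.

```python
"""Classify phishing URLs by hosting type and measure recompromise.

Added example, not code from the original post or the Clayton/Moore paper.
The heuristics and the sample feed are assumptions made for illustration.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample feed: (first-seen timestamp, phishing URL). Not real data.
SAMPLE_FEED = [
    ("2008-01-03 10:15", "http://www.example-bakery.com/images/paypal/login.php"),
    ("2008-01-04 08:02", "http://paypal-secure-verify.example/cgi-bin/webscr"),
    ("2008-01-05 19:40", "http://members.free-host.example/~bob/ebay/signin.html"),
    ("2008-01-06 23:11", "http://203.0.113.7/bank/update.php"),
    ("2008-01-20 02:30", "http://www.example-bakery.com/tmp/.bank/index.html"),
    ("2008-02-10 11:05", "http://www.example-bakery.com/old/chase/verify.php"),
    ("2008-01-08 14:22", "http://blog.example.org/wp-content/uploads/hsbc/index.php"),
]

# Assumed word list: brand and lure terms phishers put in hostnames or paths.
BRAND_WORDS = ("paypal", "ebay", "bank", "secure", "verify", "signin", "login", "chase", "hsbc")
# Assumed list of free-hosting providers (phisher-registered accounts, not hacked sites).
FREE_HOSTS = ("free-host.example",)


def hostname(url):
    return urlsplit(url).hostname or ""


def is_ip(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def classify(url):
    """Return 'compromised', 'registered', 'free-host', 'ip-address' or 'unknown'."""
    host = hostname(url).lower()
    path = urlsplit(url).path.lower()
    if is_ip(host):
        return "ip-address"
    if any(host == f or host.endswith("." + f) for f in FREE_HOSTS):
        return "free-host"
    if any(w in host for w in BRAND_WORDS):
        # Lure words in the hostname: a domain the phisher registered for the job.
        return "registered"
    if any(w in path for w in BRAND_WORDS):
        # Lure words only in a deep path under an unrelated hostname: a phish
        # page dropped into somebody else's (hacked) site.
        return "compromised"
    return "unknown"


def hosting_breakdown(feed):
    """Count URLs per hosting class."""
    counts = {}
    for _, url in feed:
        c = classify(url)
        counts[c] = counts.get(c, 0) + 1
    return counts


def recompromise_rate(feed, window_days=28):
    """Fraction of compromised hosts that received another phish within the window.

    Sightings are grouped per host and sorted; a host counts as recompromised
    if any two consecutive sightings are at most window_days apart.
    """
    by_host = {}
    for ts, url in feed:
        if classify(url) != "compromised":
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_host.setdefault(hostname(url).lower(), []).append(when)
    if not by_host:
        return 0.0
    window = timedelta(days=window_days)
    hit = 0
    for times in by_host.values():
        times.sort()
        if any(b - a <= window for a, b in zip(times, times[1:])):
            hit += 1
    return hit / len(by_host)


if __name__ == "__main__":
    print("hosting breakdown:", hosting_breakdown(SAMPLE_FEED))
    print("28-day recompromise rate:", recompromise_rate(SAMPLE_FEED))
```

On the constructed feed, four of the seven URLs sit under unrelated hostnames and are classed as compromised sites; of the two such hosts, one (`www.example-bakery.com`) sees a second phish 17 days after the first, so the recompromise rate comes out at 0.5. Against a real feed the heuristic needs care: a brand word in a hostname does not by itself prove the domain was phisher-registered, and a free-host list has to be maintained, which is why a practitioner would treat these labels as a first pass to be checked against WHOIS and hosting data rather than as ground truth.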