Webroot Quarterly Threat Update: 84% of Phishing Sites Exist for Less Than 24 hours

BROOMFIELD, CO – December 6, 2016

According to the latest Webroot Quarterly Threat Trends Update, 84 percent of phishing sites exist for less than 24 hours, with an average life cycle of under 15 hours. The data collected by Webroot, the market leader in next-generation endpoint security and threat intelligence, shows that today’s phishing attacks have become increasingly sophisticated and carefully crafted in order to obtain sensitive information from specific organizations and people.

“Our data shows that a phishing site can last for as little as 15 minutes,” said Hal Lonas, chief technology officer for Webroot. “In years past, these sites could endure for several weeks or months, giving organizations plenty of time to block the method of attack and prevent more victims from falling prey. Now, phishing sites appear and disappear in the span of a coffee break, leaving every organization, no matter its size, at an immediate and serious risk from phishing attacks.”

Notable findings from Webroot’s Quarterly Threat Update include:

  • During 2016, an average of over 400,000 phishing sites has been observed each month – To keep up with the incredibly short phishing life cycles and sheer volume of phishing sites and URLs, old techniques that use static or crowdsourced blacklists of bad domains and URLs must be abandoned. With over 13,000 new phishing sites per day and 84% only lasting 24 hours (11,000 sites), these lists become obsolete within moments of being published.
  • Nearly all of today’s phishing URLs are hidden within benign domains – The practice of phishing attacks using dedicated domains has disappeared. URLs now must be checked each time they are requested because a page that was nonthreatening just seconds ago may have since been compromised.
  • Google, PayPal, Yahoo and Apple are heavily targeted for phishing attacks – Webroot took a closer look at the companies for which impersonation would likely cause the largest negative impact. Of these Google was the most heavily targeted of these “high-risk” organizations, with 21 percent of all phishing sites between January and September 2016 impersonating the company.

Cybercriminals are constantly developing new methods and approaches to obtain sensitive data. In order to successfully discover and block today’s polymorphic malware, ransomware, phishing attacks, and other advanced and targeted threats, billions of events must be analyzed daily. Cloud-based machine learning is the only way to keep up with the volume and identify modern attack methods, such as polymorphic behaviors.

The contextualization provided by cloud-based machine learning threat intelligence sheds light on the ways known bad and known good objects communicate online. The ability to analyze billions of associations across the diverse object types, combined with historical knowledge on how millions of objects have behaved over time, results in the predictive nature of threat intelligence driven by advanced machine learning.

When it comes to finding the richest and most highly differentiated source of input for cloud-based machine learning driven security, nothing beats real-world endpoint and web sensor data. Organizations that incorporate real-world data from millions of endpoint sensors are better positioned to identify never-before-seen and zero-day threats the moment they emerge, anywhere in the world.

The figures presented in the Quarterly Threat Update are based on the latest data collected, tracked, and analyzed by the Webroot® Threat Intelligence Platform, the BrightCloud® Real-Time Anti-Phishing Service, and other Webroot capabilities.

For more information, please visit: Webroot.com/ThreatTrends