Akamai Uses CDN Logs to Gain Insight Into the Success of Phishing Attacks
A common feature of a malicious phishing site is to redirect the victim to the legitimate site once the user credentials have been gathered. The purpose is to reinforce trust and to hide or delay discovery of the data theft. If that legitimate site is part of a content delivery network (CDN), the redirect will go via the network operator and can be logged by the CDN.
The log will include the referring IP address and can be used to recognize — and indeed monitor — phishing sites. This was a research task the Akamai CDN set itself. Over four months, it found 1,221 active phishing domains that were not part of the Akamai ecosystem but which either consumed data from or redirected victims to Akamai customer sites.
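The Python below illustrates the referrer analysis described above. It is an added example, not Akamai's code or log format: it assumes the referring site is visible as the HTTP Referer field of an Apache "combined"-style access log, and the hostnames, allowlists and log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" format (not real CDN log data).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "https://shop-example-verify.test/done.php" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:01:40 +0000] "GET /login HTTP/1.1" 200 512 "https://shop-example-verify.test/done.php" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:02:11 +0000] "GET /account HTTP/1.1" 200 900 "https://www.shop.example/login" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:03:00 +0000] "GET /logo.png HTTP/1.1" 200 4096 "http://192.0.2.44/secure/index.html" "Mozilla/5.0"
203.0.113.8 - - [01/Jan/2024:10:04:00 +0000] "GET / HTTP/1.1" 200 700 "https://search.example/?q=shop" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:05:00 +0000] "GET / HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

OWN_HOSTS = {"www.shop.example", "shop.example"}  # hypothetical customer hostnames
KNOWN_REFERRERS = {"search.example"}              # hypothetical allowlist of benign sources

def external_referrers(log_text, own_hosts=OWN_HOSTS, known=KNOWN_REFERRERS):
    """Map each unrecognised referring host to the clients and paths it sent."""
    seen = defaultdict(lambda: {"clients": set(), "paths": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at fields
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host or host in own_hosts or host in known:
            continue  # no Referer, first-party navigation, or allowlisted source
        seen[host]["clients"].add(m["ip"])
        seen[host]["paths"].add(m["path"])
    return seen

def report(log_text):
    """Candidate referrers for analyst review, most distinct clients first."""
    rows = [(h, len(v["clients"]), sorted(v["paths"]))
            for h, v in external_referrers(log_text).items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for host, clients, paths in report(SAMPLE_LOG):
        print(f"{host}\t{clients} distinct client IPs\t{paths}")
```

The output is a list of candidates for review, not a verdict. Distinct client IPs only approximate the number of visitors sent by each referrer, since many users can share one address.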
“We were able to find unique and meaningful insights on several phishing attacks,” reports Akamai security researcher Or Katz. “More importantly, we got a clear understanding on the number of victims, and such visibility is rarely published.” Since he only used a sample dataset from the Akamai logs, he believes the true number of phishing sites using resources through Akamai is much higher. And of course, the number of phishing sites discovered is tiny compared with the number that Akamai never sees.
Nevertheless, an analysis of more than 1,200 phishing sites, and the victims of those phishing sites, is enough to provide some meaningful information. Unsurprisingly, there was a spike towards the holiday season. Both the number of new phishing sites detected and the number of victims of phishing peaked in the week of Thanksgiving (about 380,000 victims). This was followed by a slight decline, before both rose again in the weeks immediately preceding Christmas. The total number of victims of these sites is estimated at 2.4 million, but the true number is thought to be higher.
The figures also show that the two most affected industries are media and ecommerce, with 759 and 403 sites detected respectively. These figures cannot be accurately extrapolated to the whole of the internet: media and ecommerce are important customers for content delivery services, so they will automatically account for a higher percentage of the phishing sites seen. Nevertheless, the figures demonstrate the importance of the two sectors to phishers.
Katz also related the phishing sites he found to public threat intelligence resources, and found that 20% were not known to be malicious even days after their campaigns were activated. While concerning, he doesn’t find this surprising. “Phishing has a low barrier to entry for criminals, and there are whole turn-key businesses centered on this fact,” he comments. “This partly explains why so many phishing websites go undetected. Defenses are challenged, and sometimes overwhelmed with the volume of new phishing campaigns.”
New phishing sites are quite simply spun up faster than they can be detected.
While Akamai’s research cannot give an overall picture of the phishing threat, it does highlight one very disturbing figure that is absolute: there were more than 2 million victims of just 1,200 phishing sites over a period of only four months. This should be a red flag. “Phishing isn’t going away any time soon,” says Katz, “and the first and most fundamental step would be to better educate our peers, colleagues, and families to be suspicious and think twice before giving away sensitive information or downloading unknown files. The old saying applies; if something looks or feels too good to be true, then it is.”