Lisa Kelly and Brett McDowell here:
According to a recent external report from OpenDNS, PayPal has been deemed the most phished brand of 2010.
This recent report showcases the results from PhishTank’s database for 2010, and concludes that PayPal was the most phished brand for this time period. It also states PayPal was “targeted nine times more frequently than the next most frequent target, Facebook”. This is a bold statement, and prompted many questions within our organization about the validity of this specific report.
In this blog post, we will share our concerns with the original PhishTank data report for 2010, and outline our key methods of properly measuring and reporting the overall phishing threats. In looking at overall phishing statistics, it is important to understand that they can get distorted based on which organizations contribute their data and the manner in which they do so. We want to share our findings as well as outline the key areas to measure to accurately report the overall phishing attack landscape. When industry can confidently report phishing data, we can aggressively manage the negative impact phishing has caused in our internet ecosystem and continue the fight against this type of fraud.
First, a few thoughts on the original PhishTank report. In small font under the graph it is noted that this is a “sample of phishing sites” and overall they analyzed 117,102 phishing URLs to arrive at their conclusion. PayPal is the leading provider of known data to PhishTank.com, and we knowingly submitted all of our phish sites to this organization. PayPal currently manages a fraudcast which distributes our known sites to third parties in order to create awareness and help clean the ecosystem. In 2010, we sent over 46,000 phish alerts to this company, which weighed heavily on the report that was distributed. By our data alone, we skewed the overall results to at least 40% of total volume. PhishTank’s data is dependent on external feeds (such as the one PayPal supplies), and this is important to note when reviewing their overall findings.
Another key item to address in this report is the way volume is outlined. Evaluating phishing attacks solely by volume of URLs is not an accurate measure of overall threats. Key areas to look at when evaluating the overall phishing threats are: 1) how many emails were actually delivered to the end user, 2) what types of trends are identified during the phishing attacks, 3) how quickly spoof URLs become deactivated and what other preventative measures are in place to decrease attacks. These are all key areas that PayPal closely monitors and acts on to ensure we are disrupting the attempts that fraudsters make to defraud our consumer base.
- Email delivery: we currently work with internet service providers to block phishing emails to end users using a technology called DomainKeys Identified Mail (DKIM). We now cover 40% of our user base, and deliver only PayPal-approved messages to the inbox.
- Trends: PayPal is a victim of what is known as the “rockphish” attack trend, regarding spoof URLs. This means that fraudsters can launch a large quantity of sub-domains from one root domain to increase the success rate of the phishing attack. Our current 2010 reports show that 36.5% of our volume was associated with this trend. When we see this attack occur, we deactivate the root domain, which will in turn deactivate all sub-domains.
- Deactivation: with every detected PayPal phishing site, we have a team that deactivates 100% of the known threats. Working around the clock, PayPal is able to deactivate these sites in a short amount of time, and supports worldwide take downs.
- Prevention: PayPal works closely with consumers and reviews all forwarded phishing emails from this source. We look at headers and evaluate any emails associated with phishing attacks and immediately report to ISPs. On average, we are able to eliminate the risk in 3 hours and stop further phishing attempts from that exact email.
In short, there are reasons why we may appear to be the most phished brand of 2010. In reality, because of all of our strides with our anti-phishing strategies, fraudsters have to create large quantities of spoof URLs in their attempts for a successful attack. When reviewing reports made by other organizations, it is important to understand the source of data as well as how they arrive at their conclusion.
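To illustrate how the counting method changes a "most phished brand" ranking, here is an added example (not PayPal's or PhishTank's code) that computes brand share three ways over the same records: by raw URL count, by unique root domain, and with one bulk feed excluded. The brand names, source labels and URLs are constructed, and the root-domain logic is a simplification; real measurement should use the Public Suffix List.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List, enough to show
# why "last two labels" is not always the registrable (root) domain.
MULTI_LABEL_SUFFIXES = {"co.uk"}

# Constructed sample records: (targeted brand, reporting source, URL).
# BrandA's own feed reports six sub-domains of a single root domain,
# the pattern the post describes for "rockphish" style campaigns.
SAMPLE = [("BrandA", "brand_feed", f"http://s{i}.badhost.example/login")
          for i in range(1, 7)] + [
    ("BrandA", "community", "http://secure.other.test/x"),
    ("BrandB", "community", "http://b1.test/login"),
    ("BrandB", "community", "http://b2.test/login"),
    ("BrandC", "community", "http://c1.test/login"),
]


def registered_domain(url):
    """Return the root domain of a URL's host (simplified, see above)."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def brand_share(records, by_root=False, exclude_sources=()):
    """Percentage share per brand, counting unique URLs or unique roots."""
    seen = defaultdict(set)
    for brand, source, url in records:
        if source in exclude_sources:
            continue  # drop a feed that dominates submission volume
        seen[brand].add(registered_domain(url) if by_root else url)
    counts = {brand: len(items) for brand, items in seen.items()}
    total = sum(counts.values())
    return {b: round(100 * c / total, 1) for b, c in counts.items()}


if __name__ == "__main__":
    print("by URL:        ", brand_share(SAMPLE))
    print("by root domain:", brand_share(SAMPLE, by_root=True))
    print("without feed:  ", brand_share(SAMPLE, exclude_sources={"brand_feed"}))
```

On this sample the same brand holds 70% of the volume by URL count, 40% by root domain, and 25% once its own feed is excluded, which is why the data source and the unit of counting need to be stated alongside any ranking.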
OpenDNS/PhishTank has also posted a response to their 2010 overall phish findings. They have confirmed that PayPal has skewed the data by submitting a high number of phishing sites to their product. They have pulled the data based on API-based submissions and the numbers are considerably different:
HSBC Group 6.73%
World of Warcraft 5.35%
Internal Revenue Service 4.87%
Sulake Corporation 3.21%
Updated response from OpenDNS: http://blog.opendns.com/2011/02/28/phishing-paypal-and-the-challenges-of-reporting-accurate-data/