Many pages created to phish sensitive data out of unsuspecting users don’t survive much longer than a day, according to a report from Kaspersky, which states that a third of such pages die the same day they’re created.
That’s why, the researchers are saying, the first few hours of a phishing page are also the most effective ones for malware distribution and identity theft.
Kaspersky analyzed 5307 pages between July 19 and August 2 this year, and found 1784 became inactive after the first day of monitoring. A quarter died after 13 hours, while half were pushed offline after 94 hours.
Short-lived
It all depends on two things, Kaspersky further explains - the speed at which administrators spot phishing pages sitting on their servers, and the speed at which anti-phishing engines are able to add these pages to their database of dangerous content.
Even if malicious actors deploy their own servers on the purchased domain, the registrars may prevent them to host any data on it, the researchers further explained.
With the average phishing site’s lifecycle’s being so short, malicious actors usually work fast to distribute it to as many potential victims, as fast as possible. What’s more, instead of modifying an existing page, they’ll usually just create a new page. For example, if they use a certain brand to try and phish for data, they might change it to a different brand, but most pages are blocked before they’re able to make any changes.
Waiting the threat out
Another method that’s often used revolves around creating randomly generated code elements, invisible to the user, but great for evading anti-phishing engines and extending the lifecycle for at least a couple more hours.
A PUBG giveaway (a giveaway of content for the globally popular third-person shooter game PlayerUnknown’s Battlegrounds) is one of the most popular types of content that gets modified to avoid being blocked, Kaspersky says.
Malicious actors often shuffle the content around just in time for the game’s new season, hunting for as many unsuspecting gamers as possible.
All things considered, Kaspersky advises everyone who doubts the legitimacy of a page and doesn't want to risk compromising their endpoints, to wait a few hours and see if it’ll still be active.
“During that time, not only will the likelihood of getting the link in the anti-phishing databases increase, but the phishing page itself can stop its activity,” said Egor Bubnov, security researcher at Kaspersky.
- You might also want to check out our list of the best firewalls right now
