Date: 2022-01-20

Phishing attacks are today the technique most used by cybercriminals to steal banking data. It is therefore essential to know how the main tool used in this kind of attack works: the ‘fake web pages’ that simulate legitimate sites.

To that end, researchers from the cybersecurity company Kaspersky have analyzed the life cycle of these pages and found that one in three phishing pages disappears within a day, before the various antiphishing engines can detect the malicious links and record them in their databases.

Over just three weeks (between July 19 and August 2, 2021), the study authors collected a total of 5,307 examples of phishing pages and found that a large part of the links analyzed (1,784) stopped being active after the first day, or even after the first few hours, of monitoring.

In fact, a quarter of the links were no longer active within 13 hours of tracking, and half of the websites did not last more than 94 hours. According to Egor Bubnov, a security researcher at Kaspersky,

“It’s important for users to remember that when they get a link and have doubts about the legitimacy of the site, it’s wise to wait a few hours. During that time, you’ll not only increase the likelihood that the link will show up in antiphishing databases, but that the phishing page itself stops its activity”.

Data to take into account

Since the life cycle of this type of page is necessarily short (due to pressure from the aforementioned antiphishing engines), attackers look for ways to spread malicious links as fast as possible, while the pages are still active.

Attackers typically choose to create a new page instead of modifying an existing one (although sometimes they may simply choose to change the brand used as bait).

And because economic motivation drives ingenuity, many attackers have developed methods based on randomly altering elements of the page code: changes that are invisible to the user but prevent or delay detection by antiphishing engines.
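From the defender's side, the sketch below (an added example, not code from the Kaspersky report) shows why such randomization defeats exact-hash matching and how a fingerprint built only from what the visitor sees still groups the copies. The choice of randomized elements (comments, `id`/`class` values, hidden nodes), the names `VisibleSkeleton` and `fingerprint`, and the sample pages are all assumptions made for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class VisibleSkeleton(HTMLParser):  # tag structure + text the visitor sees
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tokens, self.hidden_depth = [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        invisible = (tag in ("script", "style") or "hidden" in a
                     or (a.get("type") or "").lower() == "hidden"
                     or HIDDEN_CSS.search(a.get("style") or ""))
        if self.hidden_depth or invisible:
            if tag not in VOID:          # void tags never get an end tag
                self.hidden_depth += 1
            return
        # id/class/name values are dropped: assumed cheap to randomize
        kind = (a.get("type") or "").lower() if tag == "input" else ""
        self.tokens.append(f"<{tag} {kind}>")

    def handle_endtag(self, tag):
        if self.hidden_depth and tag not in VOID:
            self.hidden_depth -= 1

    def handle_data(self, data):         # comments are never collected
        text = " ".join(data.split()).lower()
        if text and not self.hidden_depth:
            self.tokens.append(text)

def fingerprint(html):
    parser = VisibleSkeleton()
    parser.feed(html)
    parser.close()
    return hashlib.sha256("\n".join(parser.tokens).encode()).hexdigest()

# Constructed sample pages: A and B differ only in invisible, randomized parts.
HEAD = '<html><body><!-- {0} --><div id="{1}" class="{2}"><h1>{3}</h1>{4}'
FORM = ('<form><input type="text" name="u"><input type="password" name="p">'
        '<button>Sign in</button></form></div></body></html>')
PAGE_A = HEAD.format("k3j9x", "a81f", "zq", "Example Bank",
                     '<span style="display:none">qpwoe</span>') + FORM
PAGE_B = HEAD.format("77abz", "c02d", "mm", "Example Bank",
                     '<div hidden><p>lorem</p></div>') + FORM
PAGE_C = PAGE_B.replace("Example Bank", "Example Pay")
```

Pages A and B have different raw SHA-256 hashes but the same fingerprint, while C, where the brand used as bait is changed, gets a new one; a real engine would pair this with fuzzy matching rather than rely on a single exact digest.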

With each hour a new page stays online, it appears in more antiphishing databases, which means that fewer potential victims will visit it.

In the report, Kaspersky offers two reminders to keep in mind so as not to let your guard down in these cases:

Cybercriminals can create their own public Wi-Fi networks with the aim of spoofing web page addresses and/or redirecting from a legitimate URL to a fake website.

Not even the HTTPS prefix is always an indicator that the web connection is secure, as fraudsters can issue their own SSL certificate.

Peculiarities about hosting and domains of phishing websites

Phishing pages are usually hosted on well-known, long-established domains such as .org and .com, but in recent times very low-cost .xyz domains have become very popular among cybercriminals, since their price makes them a good option for creating these ‘ephemeral websites’. When the site is no longer needed, the owner just has to walk away and not renew the domain registration.

The study also highlights the presence of sites ‘hosted’ on the duckdns.org domain, a dynamic domain name service that allows the owner of any server to link a domain name to its IP address quickly and for free.

Finally, let us not forget that, in many cases, these malicious websites are hosted in subdirectories or subdomains of previously attacked legitimate websites. As a result, they often go offline even sooner than the cybercriminals expect, when the administrators detect the irregular activity.