One-third of phishing sites are active in less than a day, according to a new analysis, which finds that the first few hours a phishing site is online are the most dangerous to users.
In their study of the life cycle of phishing sites, Kaspersky researchers analyzed 5,307 examples of sites from July 19 to August 2, 2021. Of these, 1,784 were inactive after the first day of surveillance, and several ceased to exist in the first hours. A quarter were inactive within 13 hours of monitoring, and half lasted less than 94 hours, their research discovered.
The lifecycle of a phishing site depends on when it becomes visible to site administrators, who can then remove it. Even if cybercriminals install their own server on a domain they have purchased, registrars can remove the phishers’ right to host data on it if they suspect fraudulent activity.
A phishing site is added to more anti-phishing databases the longer it is active, which means it will attract fewer visitors over time. Given the short life cycle of the sites, the criminals behind them want to distribute links to them as soon as they are active to ensure wider reach. Often they will choose to create a new page instead of modifying an existing one; further, they can change the page during its life cycle so that they are not blocked.
This information is useful not only for updating databases, but for responding to incidents, says Egor Bubnov, security researcher at Kaspersky, in a statement. If a company is hit by a spam campaign that contains fraudulent links, it will know that it needs to fight that campaign within the first few hours because it is the most beneficial time for criminal activity. And when people receive a link they are unsure of, they will know they have to wait a few hours – during which time the page may cease to exist.
Read more details here.