Wednesday, November 12, 2014

Phishing Success Rates and Google Phish

Last week a group of Google employees led by Elie Bursztein joined UCSD researchers Andreas Pitsillidis and Stefan Savage in presenting the findings of a study on phishing to the ACM Internet Measurement Conference in Vancouver, British Columbia. Their paper, Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild (12 page PDF), was picked up broadly in the press and, as usual, wildly misinterpreted.

At least 110 articles referring to the study were found in a simple Google News search with headlines ranging from the somewhat accurate:

  • Manual Phishing Gmail Attacks Found To Be Very Effective - Top Tech News, Nov 9, 2014
  • Google Study Finds Email Scams Are More Effective Than You'd Expect - Huffington Post, Nov 7, 2014
  • Old-time phishing scams are working just fine, Google finds - Naked Security, Nov 11, 2014

to the extreme bending of the facts for headline value such as these:

  • Phishing attacks on email accounts are successful 45 percent of the time - Firstpost, Nov 10, 2014
  • Phishing scams work 45% of the times: Google study - Times of India, Nov 10, 2014
  • Have You Been Scammed? Phishing Emails Successful 45% of the Time - Crave Online, Nov 11, 2014
  • A scary number of you are still falling for phishing scams, says Google - Nov 10, 2014

What did Google and UCSD Actually Say about Phishing?

First, the 45% quote. For the 100 Google/Gmail phishing sites that the researchers studied, they found that depending on the structure of the page, as few as 3% of the visitors filled out the phishing form and submitted their data. Overall 13% of the visitors to the webforms shared their personal data with the phishers, while in the most extreme example, 45% of the visitors to the phishing web page completed the form and submitted their personal data.

There were several interesting findings in the study. A few that I found interesting included:

  • 35% of phishing sites target victims' email
  • 21% of phishing sites target banking credentials
  • A growing number of phishing sites are targeting App Stores and Social networking credentials
  • Account takeovers are primarily Fast and Foreign:
    • 20% of compromised Google accounts were logged into within 30 minutes
    • The top countries of origin for hijackers were China, Ivory Coast, Malaysia, Nigeria, and South Africa
  • The easiest way to have your account restored is to have registered an SMS telephone number for out of band contact.

Manual Hijacking

The focus of this study was the process of Manually Hijacking accounts belonging to Google users. Because of that focus, it is not clear how broadly the observed behaviors can or should be projected onto other types of phishing. At Malcovery Security we observe 600 to 800 newly created phishing sites per day. This study focused primarily on Gmail/Google phish from January 2014, and for part of the study focused specifically on 100 Gmail phishing websites.

Google provided some statistics on how widely the problem of manual hijacking has been seen in the past. Over calendar 2012-2013, Google's security teams found that approximately 9 manual hijacking cases per day per million active users occurred. With over 500 million subscribers, Google is dealing with thousands of such account hijacks per day.

With Google participating in the research, the researchers were able to determine that when an account is taken over, the criminals log in to the account and search the email history and address books to determine how best to monetize the account. It seems that every week someone will make the comment in my presence, "Yes, I have malware on my computer, but the worst that might happen is they get my email password!" But think about what is possible with that password. How would you reset your password at your bank? eBay? On most of those sites, clicking "I Forgot My Password" results in an email being sent with a "Reset My Password" link! If the criminal finds an email from your bank in your email history, they now know exactly which bank to visit to click "I Forgot My Password!" The email account is the key to the entire balance of your account!

The researchers also found that the scam we first wrote about in 2009 in the post Traveler Scams: Email Phishers Newest Scam is still quite prevalent. In this scam, because the criminal has access to your recent sent emails and address book, they are able to contact your friends and family, posing as you, with news of a tragedy while traveling and a desperate need for money wired overseas to get through the crisis. I've met many individuals who have wired money to their friends before realizing it was a scam! They often have stories of how they KNEW the email was truly from their friend, because when they asked questions, their friend replied with details only the friend would know. Often these details made use of prior "private" conversations in the phishing victim's email sent items box!

Popular Email Phish from Malcovery's ThreatHQ System

In the past seven days, Malcovery Security confirmed 416 distinct phishing URLs related to Google and their properties. These URLs were hosted on 207 distinct domain names on 174 different IP addresses. By country, the United States is the most prominent host of phishing sites, not just for Google, but for nearly every brand that does business in the USA. Of those 174 IP addresses, 90 are in the United States.

Google phish locations: November 5-12, 2014

  • United States of America: 90
  • Great Britain: 8
  • Hong Kong: 2
  • South Africa: 2
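
The URL, domain, IP address and country counts above come from collapsing a phishing feed at each level. The sketch below is an added example, not Malcovery's ThreatHQ code; the feed is constructed (reserved example domains, documentation IP ranges, made-up country codes), and the hostname stands in for the registered domain, which would need a Public Suffix List lookup.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample feed: (phishing URL, resolved IP, hosting country).
FEED = [
    ("http://login.example.com/gmail/index.php", "192.0.2.10", "US"),
    ("http://LOGIN.example.com:80/gmail/verify.php", "192.0.2.10", "US"),
    ("http://docs.example.net/drive/", "192.0.2.10", "US"),
    ("http://mail.example.org/a/signin.html", "198.51.100.7", "GB"),
    ("http://mail.example.org/b/signin.html", "198.51.100.7", "GB"),
    ("https://secure.example.edu/g/", "203.0.113.5", "US"),
    ("http://docs.example.net/drive/", "192.0.2.10", "US"),  # duplicate report
]

def host_of(url):
    """Lower-cased hostname without the port, so case/port variants collapse."""
    return (urlsplit(url).hostname or "").lower()

def summarize(feed):
    """Count distinct URLs, hosts and IPs, and tally countries two ways."""
    url_country, hosts, ip_country = {}, set(), {}
    for url, ip, country in feed:
        url_country[url] = country   # repeated reports of one URL count once
        hosts.add(host_of(url))
        ip_country[ip] = country     # one hosting country per IP address
    return {
        "urls": len(url_country),
        "hosts": len(hosts),
        "ips": len(ip_country),
        # Counted per distinct IP, as in the location list above.
        "ips_by_country": Counter(ip_country.values()),
        # Counted per distinct URL: shared hosting inflates this view.
        "urls_by_country": Counter(url_country.values()),
    }

if __name__ == "__main__":
    for key, value in summarize(FEED).items():
        print(key, value)
```

Counting by URL and counting by IP give different pictures of the same feed, because one shared-hosting server can carry many phishing URLs.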

This popular phish appeared on the domains,,,,,,, and many others.

Although this phishing site is PRIMARILY imitating DropBox, it still steals Gmail and other email credentials:

The domain hosting this phish was "".

This version brings in many cable-provider logos for email address choices, rather than relying on "Other Email" as some of the others do:

This version brings the logos of many Chinese language email providers into the mix:

One of the earlier forms of the phish:

These are just a few examples of the "look and feel" of some of the 400+ Google-related phishing URLs we've seen in the past seven days at Malcovery Security. Most of them were seen many times each!

1 comment:

  1. I was not aware of the number of phishing campaigns and manual hacking incidents with Gmail accounts. People, like myself, often take email security for granted. It's understandable to see the far reaching consequences once someone gains access to that account.

