Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12:30 PM

Blacklists Miss 21% of Phishing Attacks, Internet Traffic Reveals

Visibility into phishing attacks by content delivery networks and security firms shows many domains fail to be classified as malicious.

More than 20% of the sites used for phishing are not detected by current blacklists as malicious, even days after the start of an attack, according to new research published by internet-services firm Akamai.

The result is that at least 2.4 million visitors to those websites have encountered a potentially malicious attack in a four-month period starting last October, including a spike around Black Friday of nearly 400,000 victims, Akamai concluded. The phishing pages mimicked the legitimate sites of more than 20 different brands using graphics and resources stolen from those sites, the company said.

That the infrastructure of a fifth of phishing attacks is not detected for some time underscores the dangers that phishing continues to pose, says Or Katz, a security researcher at Akamai.

"The fact that we are still seeing a lot of phishing attacks, and we don't see coverage for those 20% of those malicious URLs, limits our ability to defend against phishing," he says. "At the end of the day, a lot of these scams are highly effective."

Phishing continues to be a popular — and effective — technique for attackers. In 2019, nearly a third of all breaches involved a phishing attack, making it the top threat action used in successful breaches, according to Verizon's "2019 Data Breach Investigations Report" (DBR). While that report showed click rates on links in simulated phishing attacks have declined significantly — down to 3% in 2018, from nearly 25% in 2012 — the incidence of phishing remains high.

Phishing e-mail messages, for example, accounted for almost 90% of all high-risk e-mail blocked by security firm Trend Micro, and 44% of those phishing attacks attempted to convince users to part with their credentials, up from only 9% in 2018, the company said in its "Cloud App Security 2019 Report," published on March 10.

The reason is clear: Attackers are attempting to escape detection and collect credentials to use against other cloud services, the company said.

"Perhaps the simplest possible reason for this increase is that threat actors have been busy updating their phishing websites to reflect a new set of links to avoid detection by antivirus software," the company stated. "It's also possible that a number of new groups have begun launching campaigns with their own batch of URLs, hence the massive increase in the detection of unknown URLs."

The most convincing phishing attacks use content stolen from branded sites as camouflage to fool the victim. More than 1,300 URLs were used for phishing in the four months Akamai collected data, Akamai stated in its analysis.

The majority of the victims of the attacks appear to be from South America, while 28% were from South Asia, Akamai stated. While the company tallied at least 2.4 million potential victims based on visitors requesting resources from its network, that is a conservative estimate and is likely much higher, Akamai stated.

Akamai detected phishing domains and URLs by watching for sites that request resources from known legitimate websites, such as images, cascading style sheets (CSS), or legitimate libraries and services. After gathering information from a victim, many phishing sites will send the user back to the legitimate site to assuage suspicions. 

"This works when criminals create a website that looks similar, or identical, to the brand being abused, giving victims a false sense of security," the company said. "With that sense of security and trust established, victims often end up giving away personal or sensitive information."

The Akamai data did not indicate whether the victims were mobile users, but the Verizon 2019 DBIR found that an increasing number of those who click on phishing links — 18% in 2018 — were mobile users. Mobile devices have less capability to convey information that could tip users off to malicious sites, Verizon stated in the report.

"[O]n the one hand, the hardware and software on mobile devices restrict the quality of information that is available, while on the other they make it easier for users to make snap decisions," the Verizon report stated.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Keys to Hiring Cybersecurity Pros When Certification Can't Help."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.