{"id":1844,"date":"2006-01-01T00:00:00","date_gmt":"2006-01-01T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2006\/01\/01\/phishing-by-the-numbers-41000-blocked-sites-in-2005\/"},"modified":"2021-12-30T11:40:07","modified_gmt":"2021-12-30T11:40:07","slug":"phishing-by-the-numbers-41000-blocked-sites-in-2005","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2006\/01\/01\/phishing-by-the-numbers-41000-blocked-sites-in-2005\/","title":{"rendered":"Phishing By The Numbers: 41,000 Blocked Sites in 2005"},"content":{"rendered":"<p>With a year&#8217;s worth of data in hand, an analysis of attacks illustrates common patterns and practices in the operation of phishing scams.   Top Targets: eBay and Paypal: The eBay online auction site and its Paypal payment processing unit were the top target for phishing scams in 2005, comprising nearly 62 percent of all phishing URLs submitted to Netcraft.  Many of these were &#8220;insta-spoofs&#8221; served from free sites or cracked machines, often via a botnet.  While many of these scams are hosted on IP addresses, the filename often includes the name of the targeted brands or emulates aspects of their URLs.  More than 13,000 confirmed phishing sites used URLs that included either &#8220;paypal&#8221; or &#8220;ebay,&#8221; usually as a subdirectory or filename.  These domains included slight misspellings, substituting numbers for letters or using hyphenated phrases or third-level domains (paypal.mysite.com).  Nearly 4,700 phishing URLs contained the string &#8220;webscr,&#8221; mimicking the genuine Paypal cgi script.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Top Techniques for this activity include Phishing Hosting: Free web hosts continued to be favored location for hosting phishing sites, as seen on Netcraft&#8217;s Phishiest Hosters page.  Also ranking highly were several hosts that seem to offer scant policing of scams, including Romanian host Home.ro\/Go.ro, which was home to more than 760 phishing URLs in 2005.<\/p>\n<p>More than 600 phishing spoof sites were hosted on compromised forums and content management systems, offering a reminder that security problems with these programs extend beyond the site&#8217;s operators and users.<\/p>\n<p>The Geography of Phishing: A review of 5,000 of the most recently confirmed phishing URLs shows that .com continues to be the most popular top-level doman (TLD), with Russia and Romania being the only country-specific TLDs with more than 1 percent of URLs.  Romania has hosted 1,397 phishing sites in 2005, equivalent to about 3.3 percent of all hostnames in that country.<\/p>\n<p>The Netcraft Toolbar Community is digital neighborhood watch scheme, in which the most alert and expert members act to defend the larger community of users against phishing frauds.  Once the first recipients of a phishing mail have reported the target URL, it is blocked for toolbar users who subsequently access the URL.  Widely disseminated attacks (people constructing phishing attacks send literally millions of electronic mails in the expectation that some will reach customers of the bank) simply mean that the phishing attack will be reported and blocked sooner.<\/p>\n<p>http:\/\/news.netcraft.com\/archives\/2005\/12\/31\/phishing_by_the_numbers_41000_blocked_sites_in_2005.html<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-1844","post","type-post","status-publish","format-standard","hentry","category-statistics"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1844","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1844"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1844\/revisions"}],"predecessor-version":[{"id":4331,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1844\/revisions\/4331"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1844"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1844"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1844"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}