Google has teamed up with the University of California in San Diego to publish surprising new research about phishing websites, how effective it is and how scammers work their phishing operations.
The study found, amongst a few startling revelations, that effective phishing websites (specifically one that looks legitimate and realistically like the expected website) will have a 45% success rate at harvesting data. This drops to 14% for an average looking imitation, and all the way down to 3% for a more obviously fake version.
The Huffington Post reports that the study was done by looking at 100 phishing emails from a random sample self-reported by Gmail users, and 100 more filtered via Google's Safe Browsing system. All of these websites used Google Forms, which is "how researchers were able to access the data."
Just as interesting was how cybercriminals would interact with the data once it had been compromised. They moved fast, with Engadget noting that 20% of leaked account data was used within half an hour of the information being stolen.
With one attacker potentially "responsible for millions of phishing emails", they have to work at speed, with the cybercriminal quickly assessing whether or not the compromised account is worth their time, and The Huffington Post reports that they leave if it doesn't seem "valuable enough." On average, they spend just three minutes doing this, using the search functionality of the compromised email account to look for valuable key-phrases such as 'bank' or 'wire transfer'.
The hacker will then often try and manipulate the victim's contacts into paying extra money by sending fake emails out, using tried and tested stories about 'getting mugged' abroad or similar. Otherwise, they may just send out more links to capture more victims' data. This is a sensible strategy for the criminals: Google reported that people approached with fake links via a trusted friend were "36 times more likely to be hijacked themselves."
The study found that the majority of the cybercriminals operating phishing websites and emails were located in China, the Ivory Coast, Malaysia, Nigeria and South Africa.
