Phishing attacks have grown steadily in recent years, becoming a highly profitable attack for cyber criminals. In ESET Latin America’s Laboratory, we are used to finding and informing about phishing attack outbreaks in our region. A few days ago, we found a new case of phishing, for which we investigated the effectiveness of the attack.

In this case, it was a classic attack: it started with an email on behalf of a famous Latin American bank, with the subject "WARNING – INACTIVE CREDIT CARD!" that, through classic social engineering techniques lured the victim into clicking and be linked to a web page where they had to provide their bank account data. It is noticeable that this phishing form in particular was very poorly designed, with no major graphical innovations or care for a better user deception.

Once the victim enters the required information, he is directed to another web page where he is informed that the alleged account activation was successful.

Upon the analysis of the directories, we found that the data files with the victim’s information were recorded on the same phishing server, along with data such as IP address, date and time of the access. In the following image you can see the phishing form and how data was recorded in a text file:

Phishing attack

After detecting the case, we alerted the bank about the attack. Finally, five hours later, the site was shut down. Now, how effective is a phishing attack that lasts for five hours? Let's find out...

Analyzing the text file with the data of the victims, we found that:

  • The first access to the site was on January 20 at 10:01 pm (as seen in picture). The latest registered access was on the same date at 15:24 pm. Therefore, the attack actively lasted just over five hours.
  • During those hours, 164 people accessed the phishing site, which indicates an average of about 30 people per hour; therefore, there is a potential victim every two minutes.
  • Out of the 164 participants, 35 entered valid credit card data, which indicates an effectiveness of 21%: one out of every five people who accessed the web site provided their sensitive data.

As it turns out, phishing is still a very effective form of attack. Even through the creation of simple and precarious sites and having short life cycles for the attacks, cyber criminals manage to get enough data from users to monetize their attacks (just multiply the number of credit cards for 10 bucks and get close to a month’s worth of salary in only five hours). These attacks will continue to emerge and the growth is in part due to the user’s lack of caution. Thus, users must be aware of phishing to avoid being victims to these deceptions, to which sooner or later they will surely be exposed.

Sebastian Bortnik
Awareness & Research Coordinator
ESET Latinoamerica