Most phishing links disappear within a day of going online


Here today, gone tomorrow – literally.

In a world of cyber risks, falling victim to phishing attacks remains one of the most significant things that can befall someone. But how those attacks are planned and launched is largely unknown. Until now.

A new study by Kaspersky analysed how long phishing pages survive as well as the signs they show when they become inactive, giving an insight into the way that cybercriminals launch and plan their attacks. The analysis looked at 5,310 links between July and August 2021, captured by Kaspersky’s anti-phishing engine. Over a 30-day period from the moment a “phishing” verdict was assigned to a page, the analysis program checked each link every two hours and saved the response code issued by the server as well as the text of the retrieved HTML page.

The goal was to see how long phishing pages existed in the wild, and how they changed over time to adapt to people’s attitudes to them. From that information, it’s possible to see the lifecycle of phishing pages, and to understand how quick a moving target the attackers using phishing are utilising.

Online for just hours

Of the 5,310 links analysed throughout the process, 1,784 disappeared or were inactive, based on the analysis, within the first day of being found by the program. That may make it seem like you have a matter of days, rather than hours, in which to react to potential phishing attacks and try to take them offline. But it’s even more rapid than that.

“In the majority of cases, the page was already inactive within the first few hours of its life,” Kaspersky write.

In just 30 days, 3,791 (71.4%) of the pages stopped showing signs of phishing activity.

Moreover, a quarter of all the pages were already inactive just 13 hours after they began to be monitored, while half of the pages survived for no more than 94 hours.

Most of the sites that were used ended up timing out when they were requested, while others had a domain name resolution error. What was most telling about such pages was that they rarely changed while they were online: they existed in a binary life of being online or offline.

PUBG and dating sites the main targets

In terms of what the phishing sites were trying to mimic in order to ensnare their victims, the majority – 77% of those that did change what they looked like – were sites that tried to pass themselves off as similar to PUBG, a popular video game. A further 10% were echoing dating sites in their attempt to hoodwink their victims, while a further 5% were webmail lookalikes.

“This could have something to do with the fact that PUBG runs alternating temporary events,” says Kaspersky. “Given that cybercriminals want to make their phishing pages convincing and therefore as topical as possible, they periodically change the content of pages to keep up with the new season.”

Criminals, perhaps sensing the potential bounties if they manage to trick their victims, weren’t afraid to spend cash on domains designed to hoodwink people.

Phishing pages most frequently use established well-known domains such as .org and .com.

However, the .xyz domain is also popular, possibly because you can register a new domain at a low cost or for free, making it convenient for creating one-day websites.

It’s therefore vital, if you’re a business or a regular internet browser, to be cautious about which links you click, and to be aware that whatever you see today online may well disappear tomorrow. Take care out there, and make sure you’re double-checking everything before giving away private information.