84 percent of phishing sites observed in 2016 existed for less than 24 hours, with an average life cycle of under 15 hours. The data collected by Webroot shows that today’s phishing attacks have become increasingly sophisticated and carefully crafted in order to obtain sensitive information from specific organizations and people.
[Figure: 84% of phishing sites last less than 24 hours]
“Our data shows that a phishing site can last for as little as 15 minutes,” said Hal Lonas, CTO for Webroot. “In years past, these sites could endure for several weeks or months, giving organizations plenty of time to block the method of attack and prevent more victims from falling prey. Now, phishing sites appear and disappear in the span of a coffee break, leaving every organization, no matter its size, at an immediate and serious risk from phishing attacks.”
During 2016, an average of over 400,000 phishing sites was observed each month – To keep up with the incredibly short phishing life cycles and the sheer volume of phishing sites and URLs, old techniques that use static or crowdsourced blacklists of bad domains and URLs must be abandoned. With over 13,000 new phishing sites per day and 84 percent only lasting 24 hours (11,000 sites), these lists become obsolete within moments of being published.
Nearly all of today’s phishing URLs are hidden within benign domains – The practice of phishing attacks using dedicated domains has disappeared. URLs now must be checked each time they are requested because a page that was nonthreatening just seconds ago may have since been compromised.
Google, PayPal, Yahoo and Apple are heavily targeted for phishing attacks – Webroot took a closer look at the companies for which impersonation would likely cause the largest negative impact. Google was the most heavily targeted of these “high-risk” organizations, with 21 percent of all phishing sites between January and September 2016 impersonating the company.
Cybercriminals are constantly developing new methods and approaches to obtain sensitive data. In order to successfully discover and block today’s polymorphic malware, ransomware, phishing attacks and other advanced and targeted threats, billions of events must be analyzed daily. Cloud-based machine learning is the only way to keep up with the volume and identify modern attack methods, such as polymorphic behaviors.
[Figure: Relative share of phishing sites for highest-risk companies]
The contextualization provided by cloud-based machine learning threat intelligence sheds light on the ways known bad and known good objects communicate online. The ability to analyze billions of associations across the diverse object types, combined with historical knowledge on how millions of objects have behaved over time, results in the predictive nature of threat intelligence driven by advanced machine learning.
When it comes to finding the richest and most highly differentiated source of input for cloud-based machine learning driven security, nothing beats real-world endpoint and web sensor data. Organizations that incorporate real-world data from millions of endpoint sensors are better positioned to identify never-before-seen and zero-day threats the moment they emerge, anywhere in the world.