Phun Phacts About Phishing (and Spam)

According to CipherTrust, a company that makes its money protecting computers from viruses and spam, all the phishing attacks in the world are issued by a mere five “zombie” networks. Even more interesting is the fact that their targets are just as concentrated. Here, from CipherTrust’s page of spam statistics, are the top 5 targets and the percentage of phishing attacks they represent:

CitiBank: 54.16%
Smith Barney: 13.48%
SunTrust: 10.02%
Paypal: 7.57%
Wells Fargo: 5.42%

CipherTrust has also analyzed the effectiveness of various kinds of spam. It turns out that pornography is far and away the most effective spam, with a click-through rate of 5.6%. The next-best click-through rate? Pharmaceuticals, at 0.02%. (I couldn’t find these numbers on the CipherTrust website, but the N.Y. Times ran this short piece the other day.) Imagine the blockbuster just waiting to happen: when Citibank starts offering online pornography.

COMMENTS
  1. stiennon says:

    After almost three years of CitiBank phishing attacks you would think Citi would respond in some way more constructive than customer education and providing free or low-cost software defenses. The fact that Citi is still high on the list indicates that the phishers are successful in phishing their customers. Citi should look to its own business practices to curtail phishing. Strong authentication is *the* answer.

    Stiennon (IT Security Analyst)

  3. xerxex says:

    Stiennon, isn’t human behavior the largest and least changeable component of any security threat? Maybe Citibank is the largest target because it is the largest (or one of the largest) bank.

    The higher the hurdle that Citibank comes up with, ingenious people (phishers) will come up with ways of getting around it, and gullible customers will find ways of believing that they have to divulge private information.

  5. synapticmisfires says:

    Not to be a complete corporate shill but based on my experience Bank of America has a simple, but multilayered authentication approach. Basically you type in one password, and then if they recognize your computer, they respond with a code of words and a picture. Only after they prove their identity do you type in the final password. It’s simultaneously mindblowingly easy and not likely to be faked successfully.

    For Citibank to be so attractive phor phishing, they must be lacking this.

  7. edwardmking says:

    I just wanted to point out that CitiBank and Smith Barney are both subsidiaries of CitiGroup. CitiGroup is the largest corporation in the world, with assets of 1.4-1.5 trillion dollars.

    CitiBank is not the largest bank in the U.S., but it is probably the most international bank. With clients spread across the globe, it’s understandable that they would have such a big phishing problem.

    I would’ve thought these banks could get in the habit of never sending emails with links in them. Whenever a new user signs up for online banking, they should try to make it stupidly clear that they will never, ever send you an email with a link in it, so you should never, ever click on a link in an email from them. In order to access their web site, you should have to type citibank.com into the address bar. Also, and perhaps more importantly, this would make it that much easier for filters to catch phishing attacks.
