KrCERT/CC Phishing Incident Statistics - Anti

Korea Phishing Activity Trends Report
June, 2006
Issued by KrCERT/CC,
Korea Internet Security Center
Korea Phishing Activity Trends Report analyzes phishing attacks reported to KrCERT/CC via
the organization’s website at http://www.krcert.or.kr and email submission to
[email protected], [email protected].
Highlights
• Number of active Phishing sites reported in June: 114
• Average monthly growth rate in Phishing sites July 2004 through June 2006: 13%
• Number of brands hijacked by Phishing campaigns in June: 20
• Number of brands comprising the top 80% of Phishing campaigns in June: 5
• Country which most hijacked brands belong to in June: United States
• Phishing sites containing some form of target name in URL: 28%
• Percentage of sites not using port 80: 16.6%
(Figure 1) Active Reported Phishing Sites by week May 2006 – June 2006
Phishing Site Trends [1]
In June, 114 unique phishing sites were reported to KrCERT/CC, a 12% decrease compared with
the last month (130 in April). Compared with the same period last year (116 in June 2005),
the number is similar, differing by only 2 reports.
The total number of phishing sites reported to KrCERT/CC in the first half of 2006 is 685, and
the average number is 114, which is higher than the average number of phishing sites in 2005
(the whole year: 90.5; the second half: 103). Because the recent average number of phishing
sites is gradually increasing, it can be inferred that phishing cases or attempts with financial
objectives are increasing. The mainstream of cyber attacks has shifted from seeking fame within
the community to seeking financial gain. The wide spread of spam mail can be explained by the
same reason.
All Internet users should be more cautious about the possibility of financial loss through
Internet fraud. In addition, many insecure servers are hacked and exploited as phishing sites
that deceive users into entering their personal and financial information.
(Figure 2) Active Reported Phishing Sites by Month Jan 2005 – June 2006
[1] Because most phishing e-mails are written in English, Korean users usually delete them
without reading them. Although no financial loss involving phishing e-mails has occurred yet,
many Korean websites are exploited as phishing sites.
Ports used in phishing data collection server
Most of the phishing attacks reported to KrCERT/CC used port 80. In June, 83.3% of phishing
sites used port 80, the web service port. Since phishing sites are themselves a kind of web
service for obtaining financial information, they use port 80, the port for the WWW (World Wide
Web). The ratio of port 80 decreased slightly compared with that of last month (88.4%; refer to
Figure 4).
(Figure 3) Ports used in phishing data collection server in June 2006
(Figure 4) The ratio and number of Phishing Sites using Port 80 by Month Jan 2006 - June 2006
Brands hijacked as phishing sites
The most hijacked brands reported to KrCERT/CC in June 2006 are an online marketplace company
(e-commerce) and an online payment gateway company (financial service). These two brands
account for over half (69.2%) of all phishing reports to KrCERT/CC. The ratios of phishing
sites for the two brands in June were 35.9% and 33.3%. The rank of the two brands changed: the
phishing sites for the online marketplace company increased (4 more cases) and those for the
online payment gateway company decreased (8 fewer cases). Although the combined number of cases
for the two brands decreased, their ratio increased. However, the ratio of the two brands
usually lies between 50% and 60%; the two brands’ ratio this month is 63.8%.
The total number of hijacked brands reported to KrCERT/CC in June 2006 is 20. The number of
brands comprising the top 80% of phishing reports in June is 5. One brand is in the e-commerce
category and the other four are in the financial service category. Many brands are from the
United States.
Most-Targeted Industry Sectors
The most targeted industry sector for phishing attacks is financial services. This sector
accounts for 62.2% of all hijacked brands in June. The ratio for financial services decreased
by about 8 percent compared with that of last month. Among the 20 hijacked brands in June, 18
are from the financial service sector, one from the e-commerce sector and the other from the
government. So many brands in the financial service sector are hijacked because the information
collected from phishing sites can be used directly for financial fraud such as illegal bank
account withdrawal and credit card use.
(Figure 5) Hijacked Brands by Industry Sector June 2006
Countries to which hijacked brands belong
The United States, the country to which most hijacked brands belong, accounts for about 85% in
June. The hijacked brands in June belong to 8 countries. Germany and Australia account for 4%
each, and other countries 8%.
(Figure 6) Countries to which hijacked brands belong
Economy          Industry Sector    # of Targeted brand    # of reports
United States    Financial          9                      54
                 e-commerce         1                      41
                 Government         1                      2
                 (country total)                           97
Germany          Financial          2                      4
Australia        Financial          2                      4
Switzerland      Financial          1                      2
Spain            Financial          1                      2
United Kingdom   Financial          1                      2
Hong Kong        Financial          1                      2
Canada           Financial          1                      1
8 countries      -                  20 brands              114 cases
[Annex] Phishing Handling Process of KrCERT/CC
Phishing handling is performed based on the following formal process:
1. Receive incident reports of Phishing sites at:
   • Email: [email protected], [email protected]
   • Web: www.krcert.or.kr
2. Phishing Handling
   • Find out the IP of the targeted site (from email contents and target system URL)
   • If the IP is from (Whois search)
     - Domestic: Request appropriate measures for the possibly compromised server after
       identifying the organization
       · Phishing sites located at public and academic organizations (elementary, middle,
         high school, and national universities) are escalated to NCSC (National Cyber
         Security Center)
     - Abroad: Request Phishing handling from the corresponding foreign CERT
       · Cases from abroad are included in KrCERT/CC’s Phishing handling database,
         but excluded from the statistics
   < Handling process according to IP search result >
   IP search result                Handling process
   Acquired org.’s info.           Call and deliver the phishing incident information to the
                                   targeted organization, request to block the site
                                   immediately, and send an email with the detail
   Fail to acquire org.’s info.    Send an email to ‘Abuse’ account of its ISP
   • Call domestic ISP for re-request if it is not blocked within a day
3. Assign a number and put it into database
   • Phishing sites reported to KrCERT/CC → Categorize the type and assign an incident
     number (tickets) → put it into database
4. Phishing Handling Database
   • Build a database with acquired information by phone and email
     · Database fields: handling number, IP, reported time, time of shutdown, name of the
       targeted brand, contact info, reporter’s info., port used, fraud website, phishing
       URL, message delivery method, info. extorted by phishing, system OS, server usage
5. Report daily statistics of Phishing site to KrCERT/CC
6. Write Phishing Statistics Report
   • Apply phishing database to monthly Phishing Activity Report, and use it to cooperate
     with APWG (Anti-Phishing Working Group)
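
The following Python example is added here and is not part of KrCERT/CC's report or tooling. It applies the step 2 routing decision and derives Highlights-style figures (sites not on port 80, target name in URL, brands comprising the top 80%) from handling-database records, leaving cases from abroad out of the statistics as the annex specifies. The record layout, field names, routing labels, the substring test for "target name in URL", and the sample records are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Case:  # subset of the annex's database fields; names are assumptions
    phishing_url: str
    brand: str
    domestic: bool          # Whois result for the hosting IP
    org_contact: str = ""   # empty when the organization was not identified

# Constructed sample records: documentation-range IPs and made-up brands.
CASES = [
    Case("http://192.0.2.10/shopmart/login.html", "ShopMart", True, "admin@school.example"),
    Case("http://192.0.2.11:8080/signin/", "ShopMart", True),
    Case("http://198.51.100.7/~user/paybank/", "PayBank", True, "it@corp.example"),
    Case("http://198.51.100.8:81/update.php", "PayBank", True),
    Case("http://203.0.113.5/secure/index.htm", "CityCredit", True, "ops@shop.example"),
    Case("http://203.0.113.99:8000/shopmart/", "ShopMart", False),
]

def route(case):
    """Step 2: pick the handling path from the Whois result."""
    if not case.domestic:
        return "foreign-cert"        # request handling from the foreign CERT
    return "call-organization" if case.org_contact else "isp-abuse"

def port_of(url):
    parts = urlsplit(url)
    return parts.port or (443 if parts.scheme == "https" else 80)

def brands_for_share(cases, share_pct=80):
    """Smallest number of top brands whose reports reach share_pct of all."""
    running = 0
    for n, (_, k) in enumerate(Counter(c.brand for c in cases).most_common(), 1):
        running += k
        if running * 100 >= share_pct * len(cases):
            return n
    return 0

def monthly_stats(cases):
    counted = [c for c in cases if c.domestic]  # abroad cases are excluded
    n = len(counted)
    if n == 0:
        return {"sites": 0}
    off80 = sum(port_of(c.phishing_url) != 80 for c in counted)
    named = sum(c.brand.lower() in c.phishing_url.lower() for c in counted)
    return {"sites": n, "pct_not_port_80": round(100 * off80 / n, 1),
            "pct_brand_in_url": round(100 * named / n, 1),
            "brands_top_80pct": brands_for_share(counted)}
```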