Phishing Victims From a CDN's Point of View

Written by

Or Katz

March 10, 2020

Or Katz is a security researcher driven by data, constantly focused on developing innovative security products and transforming security challenges into scientific solutions. His passion lies in analyzing the threat landscape from both macro and micro perspectives, paying close attention to details and the big picture alike, to understand what makes threats tick and uncover the stories behind them. As a respected thought leader in the security industry, he frequently speaks at conferences and has published numerous articles, blogs, and white papers on a range of topics, including web application security, threat intelligence, internet scams, and defensive techniques.

Overview

As a Content Delivery Network (CDN) platform, we can sometimes see fractions of attacks on the wire. In this blog, we focus on phishing websites that, while not delivered by the Akamai platform, refer or redirect victims to pages that are on Akamai's platform.

Using Akamai CDN logs, we were able to identify 1,221 domains (1,381 URLs) that, while not directly associated with Akamai's customers, still consume or use resources from them. According to public threat intelligence resources, 20% of the URLs are not known to be malicious, even days after the phishing campaigns were activated.

Based on global visibility, we estimate that there were more than 2.4 million victims over a 4 month period. However, we suspect the numbers are in fact much higher.

In addition to our insight into victim traffic, we were able to see that more than 20 different brands were abused as part of these phishing attacks. The majority of those brands are from the Media and E-commerce industries.

There are three major reasons traffic associated with phishing websites will be seen on a CDN platform:

  • The phishing website is using original or abused brand pages. This is a very common technique. This works when criminals create a website that looks similar, or identical, to the brand being abused, giving victims a false sense of security. With that sense of security and trust established, victims often end up giving away personal or sensitive information. In order to create this illusion, the phishing website may utilize some of the original website's resources, such as images and Cascading Style Sheets (CSS) pages.

  • Phishing websites are using legitimate libraries and services. A phishing website can use all kinds of services, such as page analytics or JavaScript libraries that are part of the phishing kit's functionality. If those libraries and services are delivered via a CDN platform, then once a victim renders the malicious domain in their browser, the browser will consume those services from the CDN.

  • The phishing website's redirection to original or abused brand pages. A well known technique that is used by phishing websites is to redirect victims at one point of the scam to the original or abused website. Doing so helps give victims a sense of safety, with a feeling that everything is okay. 

So how can we correlate traffic seen on the CDN platform to a phishing website?

When website 'A' consumes web pages on site 'B', and the request to site 'B' is initiated by the user's browser, that request includes an HTTP header called 'Referer' (the referrer), whose value includes the name of the referring website.

Once those three steps happen and content is requested from the CDN platform, the request for that content contains the name of the phishing website.
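The correlation described above can be sketched as follows. This is an added example, not Akamai's code: it groups requests by the host in the Referer header and counts distinct client IPs per unexpected referrer. The log format, the domain names, and the function names are assumptions made for illustration, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: client IP, requested host, path, quoted Referer value.
SAMPLE_LOG = """\
203.0.113.10 www.brand.example /static/logo.png "https://www.brand.example/login"
203.0.113.11 www.brand.example /static/logo.png "https://brand-login.phish.example/verify"
203.0.113.12 www.brand.example /static/site.css "https://brand-login.phish.example/verify"
203.0.113.12 www.brand.example /static/logo.png "https://brand-login.phish.example/verify"
198.51.100.7 www.brand.example /account "http://secure-brand.bad.example/done.php"
198.51.100.8 www.brand.example /static/logo.png "-"
198.51.100.9 www.brand.example /static/logo.png "https://search.example/?q=brand"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def in_domains(host, domains):
    """True if host equals, or is a subdomain of, any domain in the set."""
    return any(host == d or host.endswith("." + d) for d in domains)


def referring_hosts(log_text, customer_domains, known_benign):
    """Map each unexpected referring host to the set of client IPs that sent it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        client_ip, _host, _path, referer = m.groups()
        ref_host = (urlsplit(referer).hostname or "").lower()
        if not ref_host:
            continue  # no Referer: direct visit, or suppressed by the browser
        if in_domains(ref_host, customer_domains | known_benign):
            continue  # the brand's own pages and already reviewed referrers
        hits[ref_host].add(client_ip)
    return dict(hits)


def candidates(log_text, customer_domains, known_benign):
    """Rank unexpected referrers by distinct client IPs (a rough visitor count).

    The output is a review queue, not a verdict: each host still needs validation.
    """
    hits = referring_hosts(log_text, customer_domains, known_benign)
    return sorted(((h, len(ips)) for h, ips in hits.items()),
                  key=lambda item: (-item[1], item[0]))
```

Distinct client IPs undercount real visitors behind shared addresses and miss requests where the browser sends no Referer, which is consistent with treating such counts as a lower bound.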

As part of our research, we evaluated only a small portion of the referring websites to Akamai's platform, and we were able to find unique and meaningful insights on several phishing attacks. More importantly, we got a clear understanding of the number of victims, and such visibility is rarely published.

Detected phishing websites and targeted brands by industry

Our research discovered 1,221 active phishing domains (1,381 URLs). Again, these domains are not directly associated with Akamai's customers, but they still consume or use resources from our customers as part of the phishing scam. Since the research only used a sample dataset, we suspect the number of phishing websites using resources throughout Akamai is much larger.

Figure 1: Number of phishing URLs being detected each week

Looking into the number of phishing URLs that were detected each week (Figure 1), we can see a strong momentum towards the holiday season, with a significant upward swing the week of Thanksgiving. This peak is also noticeable when looking at the number of victims (Figure 3).  

Most of the phishing URLs we observed were abusing Media and Ecommerce brands, accounting for 84% of the URLs. The rest of the URLs are from the Financial, High Tech, and Dating industries. 

Figure 2: Number of phishing URLs by targeted industry

Victims

The number of victims is estimated to be more than 2.4 million, and there is additional evidence suggesting the numbers are actually much higher.

Figure 3: Weekly number of victims over 4 months

The data we used was limited, but we sampled findings from across the globe. The numbers show that the majority of phishing victims were from South America, and 28% of the victims were from South Asia. While the data did not give complete visibility into the victims, we still see disturbing numbers that demonstrate how phishing is an effective tool in a cyber criminal's arsenal.

Once again, we can see that during the holiday season, particularly Black Friday and Cyber Monday, criminals didn't slow down, and took advantage of the public awareness and hype around these events to engage more victims. 

Evidence in the wild

According to public threat intelligence resources, 20% of the URLs we looked at are not known to be malicious, even days after phishing campaigns were activated.

Phishing has a low barrier to entry for criminals, and there are whole turn-key businesses centered on this fact. This partly explains why so many phishing websites go undetected. Defenses are challenged, and sometimes overwhelmed, by the volume of new phishing campaigns.

Figure 4: Detection of phishing websites based on public sources

Summary

For many reasons, the numbers presented in this research are considered to be the tip of the iceberg. 

  • Many phishing websites are using proprietary content and not consuming third-party resources; therefore, we weren't able to see them on Akamai's platform. 

  • Our research only considered phishing campaigns consuming resources or redirecting through Akamai's platform.

  • We had limited visibility, since we are constrained to results using only Akamai's data; thus, we assume the actual numbers are much more significant.

  • We only sampled and validated a small portion of referring websites; once more, we assume there are more that remained undiscovered.

While phishing is a known and frequently reported threat, the numbers associated with the potential victims are not always widely known. The data presented in this research should be used as a red flag, leading us into action. Phishing isn't going away any time soon, and the first and most fundamental step would be to better educate our peers, colleagues, and families to be suspicious and think twice before giving away sensitive information or downloading unknown files. The old saying applies: if something looks or feels too good to be true, then it is.
