You will find our report in French and in English. It details the suspicious URLs and confirmed phishing cases that were submitted to us during the last 6 months. We also analyse some trends noticed regarding phishing attacks against French-speaking Internet users.
The executive summary of this document can be found below:
In the framework of the European EU-PI project, the Phishing-Initiative France association was founded by Microsoft, PayPal and LEXSI in 2011. Over the past 6 months (August 2014 - January 2015), suspicious Web addresses have been gathered, verified and blocked. These URLs have been sent by thousands of French Internet users, victims of phishing attempts, as well as by the main rights holders whose identities are misappropriated during these attacks.
More than 40,000 unique URLs have been submitted and confirmed as fraudulent by CERT-LEXSI experts. On average, this process was completed in less than 30 minutes.
After investigation, it has been confirmed that more than 60% of these suspicious addresses actually pertained to phishing campaigns. They have been sent to the solution vendors in charge of operating the blacklists included by default in the latest major Web browsers (Internet Explorer, Chrome, Safari and Firefox). The SmartScreen Filter blacklist has then been activated by default in Internet Explorer version 8.
Over this period, more than 25,000 distinct addresses, active when our analysis was performed, have been detected. It remains hard, however, to assess the exact number of distinct phishing campaigns actually launched, considering the different factors (upward as well as downward) that must be taken into account in the calculation method.
Most of the confirmed URLs were HTTP addresses, with only 3.5% HTTPS pages. In this case, half of the compromised websites were configured with an SSL certificate. Only a few dozen fraudulent certificates have actually been identified.
5% of the URLs had no host name and were reached directly via an IP address. 13,000 different host names have nevertheless been identified, and resolving these hosts returned more than 7,000 different IP addresses used to host these contents. Half of these IP addresses were associated with address ranges mostly belonging to hosting service providers (essentially US-based). Fewer than 5% of the cases were hosted on an IP address declared as “French”.
Naturally, the most significant volumes of raw URLs are concentrated at the largest hosting providers. However, there are considerable discrepancies when the number of incriminated URLs is compared to the number of IP addresses announced by each service provider. The efficiency of providers in fighting phishing may therefore vary widely.
The exploited domain names were spread across 190 different extensions, yet nearly half of the time they were “.com” domains, far ahead of “.fr” domains (7%). For now, the new generic Top-Level Domains (NgTLD) that have been authorised by ICANN since October 2013 only account for a very small proportion of the domains used in detected addresses (roughly 1/1,000).
Identified fraudulent addresses were mainly using compromised legitimate websites, though the number of domains specifically registered by fraudsters is increasing.
Internet users’ awareness of phishing issues remains insufficient: phishing attacks still affect thousands of victims each year, and hackers are making changes to their strategies. Considering the part played by trust in the digital economy in France, and in the entire European Union, a need to mitigate the financial and social impact of phishing still prevails.
The European Commission supports our “EU-PI” initiative, promoting Internet users’ civic mobilisation and fast notification of suspicious content likely related to phishing schemes. This project also aims at streamlining coordination between different public and private organisations (software vendors and cybersecurity service providers, Internet Service Providers, rights holders, law enforcement, etc.) that are able and willing to fight the phishing phenomenon.