Phishing Attacks & the Art of Reading Data


In September, security company Symantec reported a 45% decrease in phishing attacks compared to the previous month. Several security companies rang into the debate with data both supporting and contradicting the claim. You can check out responses and similar studies from SPAMFighter, MarkMonitor and IBM.

Commtouch Labs examined phishing attack data from seven Commtouch Security Alliance members and the results indicate that the way in which data is analyzed directly determines the results. As depicted in the chart below, some companies showed spikes while others showed declines or much smaller increases.

Phish Feeds

*Click on the image to enlarge.

The chart above shows the absolute number of URLs or IP addresses that led to phishing sites, as recorded by seven different anti-phishing research organizations throughout the third quarter. There are obvious statistical differences between the results of each company, which can be attributed to two factors:

  1. Companies identify threats at different times. The fact that there is a spike on a specific date from one source might mean others will see this data at some other point in time (before or after), which will even out the peak.
  2. Each company has its own definition of what constitutes an attack. Based on the usage of the data, different groups analyze the attack at various granularity levels.


“You must have a common definition for a phishing attack. In particular, when fast-flux botnets host phishing, is a phishing attack counted for each bot IP address, each unique URL, or each domain name that is fluxing as part of the attack?” asked John LaCour, President of PhishLabs, a Commtouch Security Alliance partner. “What’s important is that definitions are explained, that they’re used consistently by the same reporting organization. Then you can make statements about trends as seen by that organization, but I don’t think you can make meaningful comparisons between different organizations.”

To read the rest of the Commtouch response to the phishing attack debate, or to find out more information about messaging and Web threat trends, download the Q3 2009 Internet Threat Trends Report.

Go back