ThreatMetrix Labs Report May 2015: How Successful Are Targeted Phishing Attacks? A Real-World Example.

Posted June 2, 2015


The public version of the ThreatMetrix Labs report May 2015 is available here: “How Successful Are Targeted Phishing Attacks? A Real-World Example.”

For a private copy with all the information, please contact us at


Personal information is being lost everywhere. Some called 2014 the year of the data breaches and 2015 the year of the mega data breaches. At the same time, we spend a lot of time looking at really sophisticated malware attacks, but how successful are phishing attacks in 2015?

Well, it turns out they are very successful by every measure. And phishing attacks are well and truly alive. They are certainly not those horrible-looking and poorly worded websites anymore, and sophisticated Trojans such as the Dyre Trojan combine social engineering, sophisticated malware attacks and classical phishing attacks into one hell of an attack.

So what can a fraudster expect in 2015 when running a sophisticated phishing attack? How much personal information are people willing to provide – if convinced properly? How easy is it to enrich the data with other data sources (either public or private)?

This ThreatMetrix Labs report looks behind the scenes of one such phishing campaign[1] in detail, and the results are shocking.

Key Takeaways

This research confirms one of the best-known secrets in the industry: Targeted attacks produce high-quality results. This phishing attack wasn’t a poorly written website spammed out to millions of Internet users around the world. This phishing attack was very targeted, and as such the quality of the data is very high.

Some key takeaways:

  • It is surprisingly easy to remove the fake phishing entries. In fact, just three simple rules eliminated 100 percent of the fake entries, but they still left 17 percent genuine and high-quality entries – which was far beyond our expectations.
    • We have found publicly available databases to confirm that the remaining good data is indeed valid in 92 percent of the cases!
  • It is very easy as a fraudster to “enrich” stolen data with other available data sources (either publicly available sources such as social media, or other data breach databases).
  • IP geolocation is surprisingly accurate. The average distance between the geolocation of the IP address and the geolocation of the mailing address is just 63 miles and in more than 50 percent of the cases, the distance is less than 10 miles.
  • The chosen passwords from the victims are a mess: More than 98 percent of the passwords used fall under the category of “shouldn’t be used for anything serious.”
  • Almost 25 percent of the victims responded to the phishing attack on their mobile phone – which is very high considering that the phishing attack forced the victims to respond to 22 questions!