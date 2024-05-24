Phishing kit deployment durations—how long the attack was active before getting taken down by hosting services or the attacker that deployed the kit—are down slightly, while the median number of victims impacted has risen significantly in the past three years.

Half of the deployments lasted less than 3.2 days in 2023, which is a small drop from 3.7 days in 2022. A lower deployment duration might indicate a faster detection rate of these phishing attacks at different levels such as emails blocked by an email service provider, a server shutdown by a hosting service or a URL blocked by a browser. However, the duration of a phishing kit deployment should not be confused with the lifespan of a phishing campaign, which can last for weeks or months. Why? Because a “phishing kit” can be redeployed over and over again on different servers. While every deployment may last only a few days, attackers typically launch many deployments over the lifespan of a single phishing campaign.

In 2023, half of all reported phishing kit deployments impacted fewer than 160 potential victims, showing an increase from the previous year (93 potential victims in 2022) and the year before that (75 in 2021). The significance here is that more potential victims could equate to more successful compromises. We anticipate this number to continue to rise, especially as attackers potentially employ AI to sift through stolen data to identify additional potential victims.

In terms of categories of data targeted in each kit, only credit card data was sought in a higher percentage of kits in 2023 relative to the previous year. The top three categories of data sought by phishing kits analyzed were the same as in 2022—names (85% of kits), emails (66%) and addresses (62%). Landing in fourth place, passwords were sought in half the kits. With the use of valid credentials observed in a third of cases that X-Force responded to last year, it is no surprise to see emails and passwords high on the list of data that was targeted by phishing kits.