Evolutionary Study of Phishing

This paper studies the evolution of phishing email messages in a corpus of over 380,000 phishing messages collected from August 2006 to December 2007. The first result is a classification of phishing messages into two groups: flash attacks and non-flash attacks. Phishing message producers try to extend the usefulness of a phishing message by reusing the same message. In some cases this is done by sending a large volume of phishing messages over a short period of time (flash-attack) versus the same phishing message spread over a relatively longer period (non-flash attacks). The second result is a corresponding classification of phishing features into two groups: transitory features and pervasive features.