Phishing has always been one of the most common e-mail threats, but it has now become a fairly difficult threat to detect and block. As we noted earlier in the year, the content of phishing emails has become essentially identical to legitimate messages.
From the point of view of blocking and detecting email based on content, this is a serious issue. Because they are so similar to legitimate emails, any pattern likely to detect these phishing messages is also likely to detect many legitimate messages. This would raise the number of false positives to unacceptable levels.
Detecting phishing emails based on analyzing URLs also presents a challenge because phishing sites are going down very quickly after they go online. According to the Global Phishing Survey report for the first half of 2012 that was released by the Anti-Phishing Working Group, the average uptime of a phishing site is now down to below 24 hours, with the median uptime just below six hours. This means that there is now relatively limited time to analyze and detect malicious sites, potentially reducing the effectivity of URLs for detecting phishing messages.