Abstract
Efforts to combat phishing and fraud online often center around filtering the phishing messages and disabling phishing Web sites to prevent users from being deceived. A couple approaches can be taken to disable a phishing site: 1) eliminate the required DNS records to reach the site or 2) remove the site from the machine itself. While previous work has focused on DNS take-down efforts, we focus on determining how long a phishing site remains on a machine after the DNS records have been removed. We find that on the day a site is reported, as many as 56% of phishing sites remain present on the hosting machines even after the DNS records have been removed. While many of these sites are removed within a few days, the DNS caching behavior at ISP resolvers may preserve the phishing site accessibility until the phishing site itself is completely removed.