In this work we use URL shortener click analytics to compare the life cycle of phishing and malware attacks. We have collected over 7,000 malicious short URLs categorized as phishing or malware for the 2 year period covering 2016 and 2017, along with their reported date. We analyze the short URLs and find that phishing attacks are most active 4 hours before the reported date, while malware attacks are most active 4 days before the reported date. We find that phishing attacks have higher click through rate with shorter timespan. Conversely malware attacks have lower click through rate with longer timespan. We also show the comparisons of referrers and countries from which short URLs are accessed, showing in particular an increased use of social media to spread both kinds of attacks. We also find phishing clicks mainly come from USA and Brazil, while malware clicks mainly come from USA and Russia. Overall based on the observation that 50% of malware attacks are active for several years, while less than 50% of phishing attacks are active past 3 months, we conclude that the efforts against phishing attacks are stronger than the efforts against malware attacks.
