Phishers are constantly experimenting, looking for better ways to defraud Internet users and reap more money from their crimes. The second half of 2008 found phishers adopting new strategies and tactics. To combat phishing, we seek to better understand how they are using domain names, and why. Domain name usage is an important measure of the scope of the global phishing problem, and examination of domain name system trends can provide effective new anti-abuse tools.
This study from the Anti Phishing Working Group (APWG) describes their analysis of a comprehensive database of the phishing that took place in the second half of 2008, and is a follow-up to our earlier studies of data stretching back to January 2007.
Specifically, this new report examines all the phishing attacks detected between July 1, 2008 and December 31, 2008, as collected by the APWG and supplemented with data from several phishing feeds and private sources. The APWG phishing repository is the Internet’s most comprehensive archive of phishing and e-mail fraud activity.
New to this report is an analysis of how many domain names were registered by phishers, versus phish that appeared on compromised (hacked) domains. These different categories are important because they present different mitigation options for responders, and offer insights into how phishers commit their crimes.
Major findings include:
1. Phishers are increasingly using subdomain services to host and manage their phishing sites. Phishers use such services almost as often as they register domain names. And such attacks even account for the majority of phishing attacks in certain large TLDs. This trend shows phishers migrating to services that cannot be taken down by registrars or registry operators, thereby frustrating some takedowns and extending the uptimes of attacks.
2. Phishers continue to target specific TLDs and specific domain name registrars, and shift their preferences over time. The second half of 2008 demonstrated what can happen to registries and registrars who are not prepared to combat phishing with effective policies and procedures.
3. The amount of Internet names and numbers used for phishing has remained fairly steady over the past two years.
4. Anti-phishing programs implemented by domain name registries can have a remarkable effect on the up-times (durations) of phishing attacks.
5. There are decreases in phishing on IP addresses and the use of brand names in domain names to fool users. Phishers are not using IDNs (Internationalized Domain Names).
The complete survey is available here.