Global phishing trends and domain name use

A new survey by the Anti-Phishing Working Group (APWG) reveals that phishing attacks perpetrated against Chinese e-commerce and banking sites soared by 44 percent in the first half of 2011. Some 70 percent of all maliciously registered domain names in the world were established by Chinese cybercriminals for use against Chinese brands and enterprises.

The majority of Chinese phishing appears to be perpetrated by Chinese criminals attacking Chinese companies, with 88% of such attacks targeting a single service:

APWG correspondent researchers found that phishing attacks in the first half of 2011 rose to 17,693, up from the 12,282 attacks recorded in the second half of 2010.

Chinese cybercriminals established 11,192 unique domain names and 3,629 .CC subdomains for these attacks, up from the 6,382 unique domain names plus 4,737 CO.CC subdomains deployed for such attacks in the second half of 2010.

Unlike most phishers, Chinese phishers do not use many hacked domains. Instead, they continue to register new domains, on which they set up their phishing pages.

“The majority of Chinese phishing appears to be perpetrated by Chinese criminals attacking Chinese companies, with 88% of such attacks targeting a single service:,” said Greg Aaron, a co-author of the report for Afilias. “With .CN domains difficult for criminals to obtain these days, these phishers had a major impact on other TLDs, where domains and subdomains are often easier and cheaper to obtain.”

Cybercrime gangs in the first half of 2011 also optimized a previously obscure tactic, taking over a virtual shared server and leveraging every website on it, massively multiplying the number of landing domains available for phishing attacks.

“By utilizing hundreds of sites on a web server with a single compromise, phishers can greatly leverage stolen resources to create a wide web of phishing sites,” said Rod Rasmussen, President and CTO of Internet Identity and co-author of the report. “This also allows them to spam lures using a wider variety of ‘good reputation’ domain names which can help evade anti-spam systems. Fortunately, these sites last shorter than others given the level of compromise, so in the end the technique is of dubious efficacy.”

The researchers reported that counting 42,448 unique attacks that utilized this tactic, each using a different domain name, representing 37 percent of all phishing attacks worldwide. This large number of domain names accounts for much of the increase in phishing seen versus the second half of 2010.

Though the report found cybercrime gangs advancing on a number of technical fronts, some metrics indicated that cybercrime was being partly suppressed by a number of preventative measures and the application of routinized responses to cybercrime events by industry.

After reaching highs in 2H2010, the average and median uptimes of phishing attacks dropped notably in 1H2011. The average uptime in 1H2011 was 54 hours and 37 minutes, compared to 73 hours in 2H2010—a decrease of more than 25 percent from half to half. The median uptime in 1H2011 was 10 hours and 44 minutes, the lowest median recorded in four years.

“We are happy to see that phishing times came down over the first half of the year due to a variety of factors,” said Greg Aaron. “This means that criminals must work harder to keep their attacks in front of potential victims. Raising the cost that criminals incur is a goal that all anti-abuse forces share.”

Other highlights of the report include:

  • There were at least 112,472 unique phishing attacks worldwide, in 200 top-level domains (TLDs). This is far greater than the 42,624 attacks observed in 2H2010, but less than the record 126,697 observed in 2H2009 at the height of the phishing onslaught being propelled by the Avalanche botnet. The increase in 1H2011 consists largely of phishing attacks on Chinese targets and attacks that leverage shared virtual servers to infect multiple domains at once.
  • The attacks used 79,753 unique domain names. This is a high for reports going back to 2007, and the increase is primarily due to the same two factors cited above.
  • In addition, 2,960 attacks were detected on 2,385 unique IP addresses, rather than on domain names. This is the highest number since early 2009.
  • The researchers counted phishing attacks against 520 target institutions. These included banks, e-commerce sites, social networking services, ISPs, lotteries, government tax bureaus, postal services, and securities companies.
  • Some 93 percent of the malicious domain registrations were made in just four TLDs: .TK, .INFO, .COM, and .NET.

Don't miss