Greg Aaron and Rod Rasmussen's biannual Global Phishing Survey for 1H 2013 has some interesting findings. For me, the most striking and worrisome include:
Shared Virtual Server compromises accounted for 27% of all phishing attacks. Attackers are targeting and compromising servers that host large numbers of domains. The attackers exploit the server configuration to install their phishing pages under every hostname (domain) operated from that server. The efficiency of this form of attack is striking: by compromising 115 servers, attackers were able to launch 19,445 phishing attacks!
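The footprint of this attack on the server side is the same page, byte for byte, appearing under many unrelated hostnames at once. The following script, added here as an illustration and not taken from the survey or the blog, shows one way a hosting operator could spot that pattern: it assumes a hypothetical one-directory-per-hostname layout, hashes every web page in each docroot, and reports content that is identical across at least a minimum number of vhosts. The five-vhost fixture it scans is constructed inline so the script runs offline.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# File types that a planted phishing page is most likely to use (assumption).
WEB_SUFFIXES = (".html", ".htm", ".php")


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large docroots are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_mass_deployed_files(vhost_root: Path, min_vhosts: int = 3) -> dict:
    """Scan every docroot under vhost_root (hypothetical layout: one directory per hostname).

    Returns {sha256: {vhost_name: relative_path}} for web files whose content is
    byte-identical in at least min_vhosts docroots. The same page landing under many
    unrelated hostnames points at one server-level compromise, not at each site's owner.
    """
    by_digest = defaultdict(dict)
    for docroot in sorted(p for p in vhost_root.iterdir() if p.is_dir()):
        for f in docroot.rglob("*"):
            if f.is_file() and f.suffix.lower() in WEB_SUFFIXES:
                by_digest[sha256_of(f)][docroot.name] = f.relative_to(docroot).as_posix()
    return {d: hosts for d, hosts in by_digest.items() if len(hosts) >= min_vhosts}


def build_sample_host(base: Path) -> None:
    """Constructed fixture: five vhosts with distinct legitimate pages; four of them also
    carry one identical planted page under the same deep path, as in a mass deployment."""
    planted = b"<html><body><form action='/verify.php'>Verify your account</form></body></html>"
    for name in ("a.example", "b.example", "c.example", "d.example", "e.example"):
        docroot = base / name
        (docroot / "css").mkdir(parents=True)
        (docroot / "index.html").write_bytes(f"<html>Welcome to {name}</html>".encode())
        # Identical across every vhost, but not a web page, so it is never reported.
        (docroot / "css" / "site.css").write_bytes(b"body{}")
        if name != "e.example":
            target = docroot / "images" / "verify"
            target.mkdir(parents=True)
            (target / "index.html").write_bytes(planted)


def run_demo(min_vhosts: int = 3) -> dict:
    """Build the constructed fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_host(root)
        return find_mass_deployed_files(root, min_vhosts)


if __name__ == "__main__":
    for digest, hosts in run_demo().items():
        print(f"{digest[:12]}  present in {len(hosts)} vhosts:")
        for vhost, rel in sorted(hosts.items()):
            print(f"    {vhost}/{rel}")
```

On a real shared host the scan needs a baseline: files that a CMS or control panel legitimately stamps into every docroot will also be identical everywhere, so their digests should be allow-listed, and only new cross-vhost matches since the last run should page anyone.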
Phishers are attacking more brands, and attacking certain brands with startling frequency. In 2H2012, phishers targeted 611 brands but in 1H2013, they attacked 720. Half of the targeted brands were attacked multiple times, and the top 80 were attacked over 100 times each.
After "historic" lows in 2012, phish page up-times increased dramatically, from just over 26 hours in 2H2012 to over 44 hours in 1H2013.
The use of malicious registrations (domain name registrations made specifically for criminal purposes) doubled from 2H2012. Sixty-eight percent (68%) of malicious registrations were Chinese phishers targeting Chinese targets, but most often using top level domains other than .CN. The authors report that,
"Almost 82 percent of the 12,173 malicious domain registrations were made in just three TLDs: .COM (6,477), .TK (2,801), and .INFO (655). The .COM registry has no anti-abuse program. The .TK registry offers free domain name registrations. It also gives accredited interveners the ability to directly suspend .TK domains in the registry. (These partners include Facebook, Internet Identity, and the Anti-Phishing Alliance of China.) While this speeds takedowns, it does not prevent phishing from occurring. The .INFO registry operator has an abuse response program, but the TLD remains inexpensive compared to others, a factor which has historically attracted abuse."
Asia-Pacific registrars dominate the top phishing registrars by malicious domain score. Four of the top five operate from China. The authors note,
"Chinese registrars continue having difficulty keeping miscreants from registering gTLD domains via their services. The use of Chinese registrars is disturbing, and the authors recommend that Chinese registrars implement the APWG's 'Anti-Phishing Best Practices Recommendations for Registrars.'"
I'd encourage these registrars to consider practices recommended in SAC 040, Measures to Protect Domain Registrations Against Exploitation or Misuse.
The Report contains many other interesting statistics that will help you understand the current state of global phishing. I encourage you to consider downloading and comparing prior biannual reports, also available at APWG, to see how phishing is evolving.