2016 World’s Worst Year for Phishing. Ever! Says APWG. With Attacks on 195,000 Domain Names.

Phishing attacks increased by 65% in 2016 over 2015 to be the worst year for phishing in history according to APWG’s new Phishing Activity Trends Report [pdf]. According to the report the total number of phishing attacks in 2016 was 1,220,523.

The end of 2016 was also an opportunity to reflect how phishing has grown over the years. In the fourth quarter of 2004, the APWG saw 1,609 phishing attacks per month. In the fourth quarter of 2016, the APWG saw an average of 92,564 phishing attacks per month — an increase of 5,753 percent over 12 years. The growth in phishing attacks over the past ten years has generally increased each year, indicating a consistent trend. Forthcoming APWG reports will provide additional dimensions of data for more analysis.

“Phishing is an attack that relies primarily on fooling people, rather than highly sophisticated technical implementations,” said APWG Senior Research Fellow and iThreat VP Greg Aaron. “For that reason, phishing remains both popular and effective. Also, the APWG’s numbers for 2106 just measure broad-based attacks against consumer brands. The numbers don’t attempt to catalog spear-phishing, which is highly targeted phishing that targets only a few specific people within a company. Truly, phishing is more pervasive and harmful than at any point in the past.”

There were at least 255,065 unique phishing attacks worldwide, according to the report, an increase of over 10% from the 230,280 attacks identified in 2015. An attack is defined as a phishing site that targets a specific brand or entity. A single domain name can host several discrete phishing attacks against different banks, for example.

The attacks occurred on 195,475 unique domain names. This is the most APWG have recorded in any year since they began these reports in 2007. The number of domain names in the world grew from 287.3 million in December 2014 to 329.3 million in December 2016.

Of the 195,475 domains used for phishing, 95,424 domain names were believed to be registered maliciously by phishers. This is an all – time high, and almost three times as many as the number found in 2015. A little over half of these registrations were made by Chinese phishers. The other 100,051 domains were almost all hacked or compromised on vulnerable Web hosting. This means that nearly half of all domains that hosted phishing sites were maliciously registered.

Seventy – five percent of the malicious domain registrations were in just four TLDs : .COM (with 58% of the malicious domains, .CC (14%), .PW (3%), and .TK (3%) and more than 90% of malicious domains were found in just 14 TLDs. The TLDs in places 5 to 14 were .info, .net, .ga, .top, .cf, .ml, .cn, .gq, and .ve. And the registrars these domain names were registered with were dominated by Chinese registrars.

In addition, 6,373 attacks were detected on 5,378 unique IP addresses , rather than on domain names. (For example: There were no phish of any kind observed on IPv6 addresses.

The APWG counted 679 targeted brands. This dropped from 783 in 2015. Phishers are still creating kits dedicated to attacking both popular targets and new targets.

Phishing occurred in 454 top level domains (TLDs). 228 were new generic TLDs launched since 2013.

One – hundred and eighty – six of the 195,475 domain names were internationalised domain names (IDNs). None involved homographic attacks, but some displayed deceptive messages in the translated domain names.

Axur, a Brazilian company that concentrates on protecting companies and their users in Brazil, found that fraudsters in Brazil are using both traditional phishing and social media to defraud Internet users. They are also using technical tricks to make it harder for responders to stop theses scams and filter them before they reach end users. “Criminals are re-inventing themselves all the time,” said Fabio Ramos, CEO of Axur. “We’ve seen a decrease in the numbers of regular phishing attacks – and an increase in other methods of fraud, such as malware fake services advertised through social media platforms.”

APWG member RiskIQ examined how phishing victims are fooled by phishers – not by the address in the browser bar, but by hyperlinks (which must be hovered over to even see the destination domain), URL shorteners, which mask the destination domain, or brand names inserted elsewhere in the URL.

“A relatively low percentage of phishing websites targeting a brand attempt to spoof that brand in the domain name—whether at the second-level or in the fully-qualified domain name,” says Jonathan Matkowsky, VP for intellectual property & brand security at RiskIQ. This is evidence that phishers do not need to use deceptive domains names to fool Internet users into visiting their sites.

To download the APWG Phishing Activity Trends Report, see: