Latest APWG Report On Phishing Attacks Finds Most BEC Attacks Mounted With Deceptive Domain Names Registered By Five Registrars

[news release] The Anti-Phishing Working Group’s (APWG) new Phishing Activity Trends Report reveals a rise in reported phishing since March of 2020. In August and September of 2020, the APWG logged 200,000 phishing sites per month — with more than 500 separate brands attacked by phishers each month in the quarter.

APWG contributor OpSec Security found that phishing that targeted webmail and Software-as-a-Service (SaaS) users continued to be the biggest category of phishing, with 31.4 percent of all attacks. Banks and other financial institutions were the targets of 19.2 percent of attacks, and payment processing systems such as PayPal and Square were targets for 13.4 percent of attacks. Phishing against the social media sector was 12.6 percent of attacks, primarily driven by attacks against Facebook and WhatsApp. APWG member Axur also noted that phishing in Brazil continues to trend upward, primarily attacking e-commerce and webmail services.

APWG contributor Agari continued to track “business email compromise” (BEC) attacks that focus on key personnel within targeted enterprises, one of the most damaging types of Internet crimes. BEC attacks that sought wire transfers from victim companies sought an average of $48,000. Agari also found that in 71 percent of BEC attacks, scammers requested funds in the form of gift cards, which are easier to cash out. During the third quarter of 2020, the average amount of gift cards requested by BEC attackers was $1,205.

Agari’s research in the quarter revealed that about 16.3 percent of BEC attacks involved domain names registered by the scammers, domains that they used to send email to their intended victims. Most of these were registered at just five registrars: Namecheap, Public Domain Registry, Google, Tucows and NameSilo.

Phishers are also deploying encryption to fool users into thinking that phishing sites are legitimate and safe. APWG contributor PhishLabs found that in the third quarter of 2020, 80 percent of phishing sites had SSL encryption enabled. Encryption is deployed on phishing sites more often than on regular web sites: SSL is currently found on only 66.8 percent of all web sites across the Internet.

“Now, 80 percent of phishing sites have SSL encryption enabled – which surprisingly is even higher than web sites in general,” said John LaCour, CTO of PhishLabs. (According to a Q-Source survey, as of October 2020, only 66.8 percent of web sites used SSL by default.)

“Not surprisingly, most SSL certificates used by phishers were Domain-Validated (‘DV’), which is the weakest form of certificate validation,” said LaCour. PhishLabs looked at 53,189 certificates used on phishing sites, and found that 91.3 percent were DV, while 8.6 percent were OV (Organization Validation) certs, and just 0.1 percent were Extended Validation (EV).

Finally, separate studies developed by RiskIQ and Interisle Consulting Group analyzed the use of domain names for phishing. They reveal that phishers continue to obtain domain names predominantly from certain registrars and in certain top-level domains, and the latter study found that phishers themselves registered about 60 percent of the domain names on which phishing occurs.

The full text of the report and an archive of earlier reports are available here:
