.CN’s Tightened Registration Policy Sees Phishers Go To CO.CC And .TK

The tightening of registration policies for .CN domain names by CNNIC has seen a rapid decline in the number of phishers using .CN domain names and an increase in the use of other top level domains and services, in particular the CO.CC sub-domain and the .TK country code TLD.

In a report from the Anti Phishing Working Group titled Global Phishing Survey 2H2010: Trends and Domain Name Use, the APWG found that millions of phishing URLs were reported in 2H2010, but the number of unique phishing attacks and domain names used to host them was much smaller.

The .CC domain was used for 7.3 per cent of all phishing attacks in 2H2010 according to the report, the second highest proportion and vastly over-represented compared to other TLDs with six phishing domains per 100,000 domains. There are 4,030,709 .TK domain registrations. The largest TLD was .COM with 48 per cent of all attacks from domain names and 45 per cent of all domain registrations globally, and 2.1 phishing domains per 10,000.

When looking at sub-domains, top of the list is co.cc with a total of 4803 attacks, a long way ahead of second place, t35.com, with 642 attacks. T35.com dropped to second place due to the large increase in co.cc attacks.

There were at least 67,677 phishing attacks worldwide according to the report, which was greater than the 48,244 observed in 1H2010, but significantly less than the record 126,697 observed in 2H2009 at the height of phishing on the Avalanche botnet.

The attacks occurred on 42,624 unique domain names. This is a high in APWG reports going back to 2007, and the increase is due to new data about Chinese phishing. Of the 42,624 domains, 11,769 were believed to be registered maliciously, by the phishers (28%). Of those, 6,382 were registered to phish Chinese targets. The other 30,855 domains were hacked or compromised on vulnerable web hosting. Malicious registrations apparently took place in 56 TLDs.

The phishing that was detected remains concentrated in certain namespaces. Sixty percent of attacks occurred in just four TLDs: .COM, .CC, .NET, and .ORG. And 89 percent of malicious domain registrations were made in four TLDs: .COM, .TK, .NET, and .INFO.

The tightening of registration policies for .CN domain names was criticised for being restrictive and assisting censorship. New rules barred individuals from registering .CN domains, and required all potential registrants to present a paper application form with a copy of a company business license and a copy of the registrant’s personal identification.

As a result, the number of .CN registrations fell from 13.5 million in late 2009 to just 3.4 million in March 2011. In the second half of 2009, APWG observed 2,826 phishing attacks on 228 .CN names. Through the first half of 2010, the numbers dropped to just 162 attacks on 120 domains. In 2H2010, the data shows 352 attacks on 278 .CN domains, with the increase due to CNNIC’s superior data contribution. Half of those domains were used to attack non-Chinese targets.

Historically, about 80 per cent of phishing attacks have used the hacked web servers of innocent domain registrants. In contrast, the Chinese phishers prefer to register domain names and subdomains for their malicious work. In 2H2010 APWG counted 12,282 attacks on Chinese institutions, utilising 6,382 unique domain names plus a staggering 4,737 free CO.CC subdomains. Of the 6,382 domain names, just 487 looked hacked. And of the 2,429 .TK domains used for phishing in 2H2010, 2,001 were used to phish Chinese institutions.

Top of the list, and top for the last 2.5 years, was .TH (Thailand) with 12.6 phishing domains per 10,000 registrations. But there were only 51,438 registrations in .TH with 65 unique domains used for phishing attacks.

To download the 29 page PDF report from the Anti Phishing Working Group in full, go to: