Phishers Take Advantage Of Lax Domain Sellers With .COM, .TK And .INFO Accounting For 4 Out Of 5 Of Phishing Domains

Inattentive or indifferent domain name registries, registrars and resellers are contributing to the problem of phishing, according to the latest Domain Name Use and Trends 1H2013 report from the Anti-Phishing Working Group.

Additionally, vulnerable hosting providers are inadvertently contributing to phishing with mass compromises leading to 27 percent of all phishing attacks.

The report notes there has also been an explosive growth in phishing in China where the expanding middle class is using e-commerce more often.

And the number of phishing targets (brands) is up, although only about 2.3 percent of all domain names that were used for phishing targeted brand names or variations thereof. 78 domains were internationalised domain names.

According to the report released last week, millions of phishing URLs were reported in the first half of 2013, but the number of unique phishing attacks used to host them was much smaller.

Overall, there were at least 72,578 unique phishing attacks worldwide in the six-month period, far below the 123,486 attacks reported in the previous six months. These attacks occurred on 53,685 unique domain names, which is also down on the number for the second half of 2012, when 89,748 domain names were used. This is in contrast to the number of domain names globally growing from 258 million in November 2012 to 261 million in 2013.

However, there was a growth in attacks on IP addresses, with the number growing from 1,626 to 1,972.

The majority of the domain names used for phishing, though, are used inadvertently, with the APWG believing 12,173 domain names were registered maliciously by phishers. This number is double the 5,835 found in the previous six months and was due to an increase in domain name registrations by Chinese phishers.

Phishers were indiscriminate in that they utilised 195 TLDs; however, they concentrated their activities in three TLDs, with 82 percent of all malicious domain name registrations coming from .com, .tk and .info. The .tk (Tokelau) TLD is notable in that its domain names are given away for free, and with the registry operator also taking over the .ml (Mali) and .ga (Gabon) TLDs, it will be interesting to follow the phishing activities for these. Early indications are not good, though, with a Netcraft report noting .ml “now has the most phishy [TLD] of any country in the world.”

The phishiest TLD, though, was .pw (Palau) with 19.8 phishing domains per 10,000 registrations. However, there were only 55,000 registrations for the TLD as of April 2013, and the high number of phishing domains is explained by its relaunch in March 2013 and phishers and spammers testing out the new space. This, the report notes, “highlights the need for any new, generally available TLD to have adequate abuse monitoring in place.” Once the .pw registry operator implemented anti-abuse measures, abuse decreased sharply.

Other TLDs to rank highly were .np (Nepal), .th (Thailand) and .si (Slovenia), with 19.7, 19.1 and 18.1 phishing domains per 10,000 out of a total of 32,500, 65,350 and 101,800 registered domains respectively.

The full 29-page Anti-Phishing Working Group report, titled Domain Name Use and Trends 1H2013, is available from docs.apwg.org/reports/APWG_GlobalPhishingSurvey_1H2013.pdf.