APWG logo

Malicious Phishing Domains Grow Globally As Phishers Abuse Free TLDs: APWG Report

Incidences of phishing continued to explode in China in the second half of 2013, where Chinese phishers are victimising the country’s growing online population the Anti-Phishing Working Group’s Global Phishing Survey for Second Half of 2013 found.The report found Chinese phishers were responsible for 85 percent of the domain names that were registered for phishing. But it wasn’t all bad news on the phishing front with the average uptimes of phishing attacks declining and close to historic lows, pointing to some success by anti-phishing responders.Additionally, the companies (brands) targeted by phishing targets were diverse, with many new targets, indicating that e-criminals are looking for new opportunities in new places. The report also found mass hackings of vulnerable shared hosting providers led to 18 percent of all phishing attacks.While the number of phishing URLs reported in the second half of 2013 numbered in the millions, the number of unique phishing attacks and domain names used to host them was much smaller. In the six month period there were at least 115,565 unique phishing attacks worldwide, nearly a 60 percent increase over the 72,758 seen the first half of 2013, but less than the 123,486 attacks we observed in the second half of 2012.Most of the growth in attacks came, according to the APWG report, from phishing that used maliciously registered domains and subdomains. An attack is defined as a phishing site that targets a specific brand or entity. A single domain name can host several discrete phishing attacks against different banks, for example.The phishing attacks occurred on 82,163 unique domain names. Again, this is up from the 53,685 domains used in the first half of 2013. The growth was much larger than the increase in the number of domain names in the world that grew from 261 million in April 2013 to 271.5 million in November 2013.Of the 82,163 phishing domains, the report identified 22,831 domain names that the APWG believes were registered maliciously by phishers, the highest number in the seven years the APWG has been counting, 19,348 (85%) were registered to phish Chinese targets. This is significantly higher than the 12,175 found in the first half of 2013, and the 5,835 found in the second half of 2012.And of these 22,831 registered maliciously, they were registered in 39 different TLDs at registrars in China, the US, and Europe and hosted in China, the US, and elsewhere. The registrations clustered around ten TLDs including the .TK, .CF, .GA, and .ML registries that are all run by Freenom, a Netherlands-based company that offers free domain name registrations. The company makes money through monetising the traffic to the expired domains.As the report notes, Freenom has operated .TK under the free model for several years, and added .CF, .GA, and .ML to its programme during the second half of 2013. Freenom gives accredited interveners access to directly suspend domains in the .TK registry . (These partners include Facebook, Internet Identity, and the Anti-Phishing Alliance of China.) However, the mitigation of the malicious registrations lagged in Freenom’s new spaces — .CF, .GA. and .ML all had uptimes that were above the global average and median.Brands were, as usual, a target, with 681 unique target institutions during the six month period, down slightly from the 720 found in the second half of 2012. Of the 681 targets that were phished in the second half of 2013, almost half of them — 324 to be precise — were not phished in the first half of 2013. This, the report notes, is an unusual amount of “churn” or turnover and shows phishers trying out new targets. They appear to be looking for companies that are newly popular, have vulnerable user bases, and/or are not ready to defend themselves against phishing.Overall, the TLD with the most phishing attacks for the six months was .com with 46.4 percent (and 42.4% of global domain registrations) followed by .net (5.5%) and .tk (Tokelau – 4.5%). The .tk TLD is one of the free domains the report noted. Following was .br (Brazil – 3.2%), IP-based attacks (2.1%), .pn (Pitcairn Island – 1.9%), .me (Montenegro – 1.8%), .info (1.6%) and .ru (Russia – 1.5%). The remaining 27.3 percent came from 201 TLDs.But the TLDs with the most phishing domains per domains registered was .np (Nepal) with 27.1 phishing domains per 10,000 registrations and 32,500 registrations. In the top ten, those TLDs with more than 100,000 registrations were .pw (Palau) with a phishing per 10,000 domains score of 26.4 who came in second, .cl (Chile – 18.2) was fourth, .gr (Greece – 10.2) was sixth, .id (Indonesia – 10.2) and .br (Brazil – 9.1).For registrars, the top nine with domains used for phishing on a registrations per 10,000 domains are located in China. This is due, the report notes, to the fact that Chinese phishers tend to register domain names for their phishing, and use Chinese registrars regularly. Domains registered at the Chinese registrars were often used to phish Chinese targets such as Alibaba, Taobao.com, and CCTV, but were also used to occasionally phish outside targets such as Facebook and PayPal.For more information, check out the 30 page APWG report available for download from:
There is also a Phishing Activity Trends Report for the 4th Quarter 2013 titled Unifying the Global Response To Cybercrime available from: