Tag Archives: Anti-Phishing Working Group

Phishers Continue Targeting Companies, But Limited Interest in New gTLDs: APWG

New companies are constantly being targeted by phishers, with some phishers attacking targets where consumers may least expect it, while the ten companies that are targeted most often by phishers are attacked constantly, sometimes more than 1,000 times per month. These are some of the findings of the Global Phishing Survey for Second Half of 2014, released by the Anti-Phishing Working Group (APWG) on Wednesday.

The report found phishing occurred in 272 top level domains (TLDs), with 56 in new gTLDs. The number of domain names used for phishing has reached an all-time high, but interest in new gTLDs has so far been limited. However, with the registration fees for some of the new gTLDs dropping below .com prices, the APWG believes this will attract phishing and other kinds of abuse.

The report also notes that tens of thousands of domains in the new gTLDs are being consumed by spammers and are being blocklisted by providers such as Spamhaus and SURBL. So while relatively few new gTLD domains have been used for phishing, the total number of them being used maliciously is much higher.

Of the new gTLDs, the largest, .xyz, had the most phishing domains with 288. The .xyz gTLD became notorious when Network Solutions gave their .com registrants a .xyz domain. But only four of the .xyz phishing domains were registered with Network Solutions. Most of the .xyz phishing registrations (298) were made at Xin Net and other Chinese registrars, and were used to attack Chinese targets. A lesson here, the report notes, is that when it comes to abuse, who can obtain domains in a TLD (and in what quantities) may be as important as the (low) price of the domain. .XYZ had a phishing-per-10,000-domains score of 3.6, just slightly above the average of 3.4 for all TLDs and lower than .com’s score of 4.7.
But only 1.9 percent of all domain names that were used for phishing contained a brand name or variation thereof.

According to the report, there were at least 123,972 unique phishing attacks worldwide during the six-month period. This was almost the same number as in the first half of 2014, and the most seen in a six-month period since the second half of 2009. The APWG defines an attack as a phishing site that targets a specific brand or entity. A single domain name can host several discrete phishing attacks against different banks, for example.

These attacks occurred on 95,321 unique domain names, the most ever recorded in a half-year period. The number of domain names in the world grew from 279.5 million in April 2014 to 287.3 million in December 2014.

Of the 95,321 phishing domains the APWG identified, 27,253 are believed to have been registered maliciously by phishers. This is an all-time high, and much higher than the 22,629 identified in the first half of 2014. Most of these registrations were made by Chinese phishers. The other 68,303 domains were almost all hacked or compromised on vulnerable web hosting.

The malicious registrations were concentrated in just five TLDs, with seventy-five percent of them in .com, .tk, .pw, .cf and .net.

In addition, 3,582 attacks were detected on 3,095 unique IP addresses rather than on domain names (for example, http://77.101.56.126/FB/). None were observed on IPv6 addresses.

There were also 569 targeted institutions, down significantly from the all-time high of 756 observed in the first half of 2014.

The average uptime in the second half of 2014 was 29 hours and 51 minutes. The median uptime in the six-month period increased to 10 hours 6 minutes, meaning that half of all phishing attacks stayed active for slightly more than 10 hours.
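The survey's counting rules described above, as an added Python example that is not APWG code: reported URLs collapse to unique attacks (one per domain-or-IP and targeted brand), domains and IP-hosted attacks are counted separately, each TLD gets a phishing-domains-per-10,000-registrations score, and uptime is summarised by both mean and median. The feed, brand names, registration totals and timestamps are all constructed, and collapsing hostnames to their last two labels is a stated simplification.

```python
"""Aggregate a raw phishing-URL feed the way the APWG survey counts it:
URLs collapse to unique attacks (one per domain-or-IP and targeted brand),
domains are counted once, IP-hosted attacks are tracked separately, each TLD
gets a phishing-domains-per-10,000-registrations score, and uptimes are
summarised by both mean and median. Not APWG code; all inputs are constructed."""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample feed of (reported URL, brand the page impersonates).
SAMPLE_FEED = [
    ("http://login-example-bank.tk/secure/index.php", "ExampleBank"),
    ("http://login-example-bank.tk/secure/index.php?u=2", "ExampleBank"),  # same attack, new URL
    ("http://login-example-bank.tk/pay/", "ExamplePay"),  # second brand on the same domain
    ("http://shop.compromised-site.com/~user/bank/", "ExampleBank"),  # subdomain of a hacked site
    ("http://198.51.100.23/FB/", "ExampleSocial"),  # IP-based attack, no domain at all
    ("http://198.51.100.23/FB/login.html", "ExampleSocial"),
    ("http://cheap-deals.xyz/auth", "ExampleShop"),
    ("http://other.xyz/a", "ExampleShop"),
]

# Constructed registered-domain totals per TLD, used only for the per-10,000 score.
REGISTRATIONS = {"com": 5_000_000, "tk": 2_500_000, "xyz": 50_000}

# Constructed (first seen, last seen) pairs for four attacks, ISO 8601 local time.
UPTIMES = [
    ("2014-12-01T08:00", "2014-12-01T10:00"),  # 2 hours
    ("2014-12-01T09:00", "2014-12-01T19:00"),  # 10 hours
    ("2014-12-02T00:00", "2014-12-02T10:00"),  # 10 hours
    ("2014-12-03T00:00", "2014-12-05T00:00"),  # 48 hours: one long-lived site skews the mean
]


def is_ip(host):
    """True when the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Collapse a hostname to its registrable name (last two labels).
    Simplification: real surveys use the Public Suffix List so that names
    under multi-label suffixes such as .co.uk are not over-collapsed."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def summarise(feed):
    """Return the survey-style counts for a list of (url, brand) pairs."""
    attacks = set()              # (domain or IP, brand): the unit the survey counts
    domains, ips, brands = set(), set(), set()
    per_tld = defaultdict(set)   # tld -> phishing domains seen in it
    for url, brand in feed:
        host = urlsplit(url).hostname
        if host is None:
            continue             # malformed entry, skip it
        brands.add(brand)
        if is_ip(host):
            ips.add(host)
            attacks.add((host, brand))
            continue
        dom = registrable_domain(host)
        domains.add(dom)
        attacks.add((dom, brand))
        per_tld[dom.rsplit(".", 1)[-1]].add(dom)
    return {
        "urls": len(feed),
        "attacks": len(attacks),
        "domains": len(domains),
        "ip_attacks": sum(1 for host, _ in attacks if is_ip(host)),
        "ips": len(ips),
        "targets": len(brands),
        "domains_per_tld": {tld: len(d) for tld, d in per_tld.items()},
    }


def phishing_per_10k(domains_per_tld, registrations):
    """APWG-style score: phishing domains per 10,000 registered domains in the TLD."""
    return {tld: n * 10_000 / registrations[tld]
            for tld, n in domains_per_tld.items() if tld in registrations}


def uptime_stats(intervals):
    """Mean and median uptime in minutes; the median resists a few very long-lived sites."""
    minutes = [(datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60
               for start, end in intervals]
    return statistics.mean(minutes), statistics.median(minutes)


if __name__ == "__main__":
    summary = summarise(SAMPLE_FEED)
    print(summary)
    print(phishing_per_10k(summary["domains_per_tld"], REGISTRATIONS))
    print(uptime_stats(UPTIMES))
```

On the constructed feed, eight URLs reduce to six attacks on four domains plus one IP, and the 48-hour outlier pulls the mean uptime to 1050 minutes while the median stays at 600.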

Freenom Relaunches Equatorial Guinea ccTLD With Free Domains. Will It Be A Future Phishing Target?

Following in the footsteps of .tk (Tokelau), .ml (Mali), .ga (Gabon) and .cf (Central African Republic), Freenom has taken on the role of registry for .gq (Equatorial Guinea) and the ccTLD is now its fifth ccTLD where domains are given away free.

The move to give away domains in ccTLDs from smaller countries has had some success, particularly with .tk, which is now the world’s second largest TLD behind .com and largest ccTLD with over 26.5 million registrations.

But the move to give away domains is not without problems. In the latest Anti-Phishing Working Group report, Global Phishing Survey 1H2014: Trends and Domain Name Use, it was noted that phishing occurred in 227 TLDs, but 90 percent of the malicious domain registrations (20,565) were in just five TLDs: .com, .tk, .pw, .cf and .net.

And on a score of the number of phishing domains per 10,000 registered domains, .cf comes out way on top with a score of 320.8 followed by .ml with 118.9. The .ga TLD comes in fourth with 42.9.

In this latest venture Freenom has partnered with GETESA, the largest telecommunication operator in Equatorial Guinea and a joint venture with Orange, to relaunch .gq in various stages. Before .gq domains are available for free to the general public on 1 December, trademark holders and trademark agencies have their first pick in the .gq Sunrise Period that started on 1 October.

From 1 December onwards free GQ domains will be offered to all internet users in Equatorial Guinea and internationally. There will be no restrictions to registrations of free domains and anyone can claim their own .gq domain. Free .gq domains will work exactly like any other extension and can be renewed an unlimited number of times at no charge.

“The need for free domains continues to grow exponentially,” says Joost Zuurbier, CEO at Freenom. “Especially in countries like Brazil, Russia, Vietnam and China, we see the demand for new domains is growing and growing. We are happy to announce that we have opened up more domain space to fulfil these needs.”

Freenom has already partnered with four nations and has become the largest country code domain registry operator worldwide with more than 28 million active domains under management.

Following the success of .TK, Freenom has opened its model to other nations eager to develop their top level domain and looking for an alternative to the unprofitable pay-per-year model. By leapfrogging the traditional approach and offering free domains, they are able to create an immediate impact on their digital landscape and empower their internet users to build an online identity at no cost.

“Free domains make a lot of sense in countries where the banking penetration is in the single digit range,” continues Joost Zuurbier. “The demand for free domains is enormous because people in those nations may not have a credit card to buy domains, but they do have a profound need to communicate and build their presence online. Free domains are an important catalyst that directly enable local content creation and internet entrepreneurship.”

To support its African partners, Freenom opened an office in Dakar in 2013 and will continue to grow its operations in Senegal. Most African countries have traditionally been very weak in the domain name space, but their increasingly technology-savvy populations and modernising digital landscapes make the continent the perfect place for the free domain model. Just as free SIM cards and prepaid phones have revolutionised communications, free domains can dramatically change how African internet users are represented online.

In Equatorial Guinea, GETESA sees free .GQ domains as an opportunity to empower young internet users and help them embrace their digital flag. Through GQ free domains they will be able to create websites and learn about technology.

Freenom’s experience and technology will directly benefit the local internet community of Equatorial Guinea, who will be able to enjoy a modern platform and unlimited domains at no cost. Together with GETESA and in line with ICANN’s bottom-up multi-stakeholder model, the partnership will ensure that the .GQ extension is accessible to all internet users.

Malicious Phishing Domains Grow Globally As Phishers Abuse Free TLDs: APWG Report

Incidences of phishing continued to explode in China in the second half of 2013, where Chinese phishers are victimising the country’s growing online population, the Anti-Phishing Working Group’s Global Phishing Survey for Second Half of 2013 found.

The report found Chinese phishers were responsible for 85 percent of the domain names that were registered for phishing. But it wasn’t all bad news on the phishing front, with the average uptimes of phishing attacks declining and close to historic lows, pointing to some success by anti-phishing responders.

Additionally, the companies (brands) targeted by phishers were diverse, with many new targets, indicating that e-criminals are looking for new opportunities in new places. The report also found mass hackings of vulnerable shared hosting providers led to 18 percent of all phishing attacks.

While the number of phishing URLs reported in the second half of 2013 numbered in the millions, the number of unique phishing attacks and domain names used to host them was much smaller. In the six-month period there were at least 115,565 unique phishing attacks worldwide, nearly a 60 percent increase over the 72,758 seen in the first half of 2013, but less than the 123,486 attacks observed in the second half of 2012.

Most of the growth in attacks came, according to the APWG report, from phishing that used maliciously registered domains and subdomains. An attack is defined as a phishing site that targets a specific brand or entity. A single domain name can host several discrete phishing attacks against different banks, for example.

The phishing attacks occurred on 82,163 unique domain names. Again, this is up from the 53,685 domains used in the first half of 2013. The growth was much larger than the increase in the number of domain names in the world, which grew from 261 million in April 2013 to 271.5 million in November 2013.

Of the 82,163 phishing domains, the report identified 22,831 domain names that the APWG believes were registered maliciously by phishers, the highest number in the seven years the APWG has been counting. Of these, 19,348 (85%) were registered to phish Chinese targets. This is significantly higher than the 12,175 found in the first half of 2013, and the 5,835 found in the second half of 2012.

The 22,831 maliciously registered domains were registered in 39 different TLDs at registrars in China, the US and Europe, and hosted in China, the US and elsewhere. The registrations clustered around ten TLDs, including the .TK, .CF, .GA and .ML registries that are all run by Freenom, a Netherlands-based company that offers free domain name registrations. The company makes money through monetising the traffic to expired domains.

As the report notes, Freenom has operated .TK under the free model for several years, and added .CF, .GA and .ML to its programme during the second half of 2013. Freenom gives accredited interveners access to directly suspend domains in the .TK registry. (These partners include Facebook, Internet Identity, and the Anti-Phishing Alliance of China.) However, the mitigation of the malicious registrations lagged in Freenom’s new spaces — .CF, .GA and .ML all had uptimes that were above the global average and median.

Brands were, as usual, a target, with 681 unique target institutions during the six-month period, down slightly from the 720 found in the second half of 2012. Of the 681 targets that were phished in the second half of 2013, almost half of them — 324 to be precise — were not phished in the first half of 2013. This, the report notes, is an unusual amount of “churn” or turnover and shows phishers trying out new targets. They appear to be looking for companies that are newly popular, have vulnerable user bases, and/or are not ready to defend themselves against phishing.

Overall, the TLD with the most phishing attacks for the six months was .com with 46.4 percent (and 42.4% of global domain registrations), followed by .net (5.5%) and .tk (Tokelau – 4.5%). The .tk TLD is one of the free-domain TLDs the report noted. Following were .br (Brazil – 3.2%), IP-based attacks (2.1%), .pn (Pitcairn Island – 1.9%), .me (Montenegro – 1.8%), .info (1.6%) and .ru (Russia – 1.5%). The remaining 27.3 percent came from 201 TLDs.

But the TLD with the most phishing domains per registered domain was .np (Nepal), with 27.1 phishing domains per 10,000 registrations out of 32,500 registrations. Among the top ten, the TLDs with more than 100,000 registrations were .pw (Palau), second with a score of 26.4 phishing domains per 10,000; .cl (Chile – 18.2), fourth; .gr (Greece – 10.2), sixth; .id (Indonesia – 10.2); and .br (Brazil – 9.1).

Among registrars, the top nine by phishing domains per 10,000 registrations are located in China. This is due, the report notes, to the fact that Chinese phishers tend to register domain names for their phishing, and regularly use Chinese registrars. Domains registered at the Chinese registrars were often used to phish Chinese targets such as Alibaba, Taobao.com and CCTV, but were also occasionally used to phish outside targets such as Facebook and PayPal.

For more information, check out the 30-page APWG report available for download from:
docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2013.pdf.
There is also a Phishing Activity Trends Report for the 4th Quarter 2013 titled Unifying the Global Response To Cybercrime available from:
docs.apwg.org/reports/apwg_trends_report_q4_2013.pdf.

Phishers Take Advantage Of Lax Domain Sellers With .COM, .TK And .INFO Accounting For 4 Out Of 5 Of Phishing Domains

Inattentive or indifferent domain name registries, registrars and resellers are contributing to the problem of phishing, according to the latest Domain Name Use and Trends 1H2013 report from the Anti-Phishing Working Group.

Additionally, vulnerable hosting providers are inadvertently contributing to phishing with mass compromises leading to 27 percent of all phishing attacks.

The report notes there has also been an explosive growth in phishing in China where the expanding middle class is using e-commerce more often.

And the number of phishing targets (brands) is up, although only about 2.3 percent of all domain names that were used for phishing contained brand names or variations thereof. 78 domains were internationalised domain names.

According to the report released last week, millions of phishing URLS were reported in the first half of 2013 but the number of unique phishing attacks used to host them was much smaller.

Overall there were at least 72,578 unique phishing attacks worldwide in the six-month period, far below the 123,486 attacks reported in the previous six months. These attacks occurred on 53,685 unique domain names, which is also down from the second half of 2012, when 89,748 domain names were used. This is in contrast to the number of domain names globally, which grew from 258 million in November 2012 to 261 million in 2013.

However there was a growth in attacks on IP addresses, with the number growing from 1,626 to 1,972.

Most of the domain names used for phishing, though, were not registered by the phishers themselves; the APWG believes 12,173 domain names were registered maliciously by phishers. This number is double the 5,835 found in the previous six months and was due to an increase in domain name registrations by Chinese phishers.

Phishers were indiscriminate in that they utilised 195 TLDs; however, they concentrated their activities in three TLDs, with 82 percent of all malicious domain name registrations coming from .com, .tk and .info. The .tk (Tokelau) TLD is notable in that its domain names are given away for free, and with the registry operator also taking over the .ml (Mali) and .ga (Gabon) TLDs it will be interesting to follow the phishing activities for these. Early indications are not good though, with a Netcraft report noting .ml “now has the most phishy [TLD] of any country in the world.”

The phishiest TLD though was .pw (Palau) with 19.8 phishing domains per 10,000 registrations. However there were only 55,000 registrations for the TLD as of April 2013 and the high number of phishing domains is explained by its relaunch in March 2013 and phishers and spammers testing out the new space. This, the report notes, “highlights the need for any new, generally available TLD to have adequate abuse monitoring in place.” Once the .pw registry operator implemented anti-abuse measures, abuse decreased sharply.

Other TLDs to rank highly were .np (Nepal), .th (Thailand) and .si (Slovenia) with 19.7, 19.1 and 18.1 phishing domains per 10,000 out of a total of 32,500, 65,350 and 101,800 registered domains respectively.

The full Anti-Phishing Working Group 29-page report titled Domain Name Use and Trends 1H2013 is available from docs.apwg.org/reports/APWG_GlobalPhishingSurvey_1H2013.pdf.

ICANN: DNS Security, Stability, and Resiliency Update Added to APWG eCrime 2013 Agenda

The Anti-Phishing Working Group (APWG) will host its 10th anniversary meeting 16-19 September in San Francisco. The working agenda for eCrime 2013 continues a trend of focusing greater attention on abuses or misuses of DNS and registration services. During the two-day eCrime Congress, members and attendees will consider the evolution of crimeware, behavioral vulnerabilities and human factors that facilitate eCrime, the roles of Registrars, Registries and DNS in managing phishing attacks, public health approaches to managing eCrime, and reports of current counter-eCrime efforts and successes.

On 19 September, ICANN‘s Security Team will host a DNS Security, Stability, and Resiliency Update on policies and discussion topics of particular interest to the APWG members, including a review of the 2013 Registrar Accreditation Agreement (RAA), a presentation on Abuse Recidivism in Domain Registrations, a report on the recommendations from the ICANN Expert Working Group on Whois, and a progress report on the IETF working group that is developing a successor Whois protocol (WEIRDS).

Registration and further information can be found here.

This ICANN announcement was sourced from:
www.icann.org/en/news/announcements/announcement-22aug13-en.htm

APWG Report: Phishing Attack Numbers Drop 20 Percent from Historical Highs

[news release] The APWG reports in its Q1 2013 Phishing Activity Trends Report that phishing attack frequency declined 20 percent from Q4 2012 to Q1 2013, due to a precipitous drop in virtual server phishing attacks. Statistics indicate that phishing levels are returning to the levels seen prior to the record-setting highs of 2012.

Phishing attack numbers dropped from Q4 2012 to Q1 2013, from 46,066 in January to 36,983 in March. The number of unique phishing reports submitted to APWG each month also saw a massive decrease during the quarter, dropping 31 percent from January to March. January’s total of 28,850 was 29 percent lower than the all-time high of 40,621 reports, recorded in August 2009.

The Q1 2013 drop in phishing attacks was precipitated by a steep decline in virtual server phishing attacks. A virtual server phishing attack is an incident wherein a cybercriminal breaks into a single web server that hosts a large number of domains – and then creates and hosts phishing pages on each one of those domains. This method can efficiently yield a large number of attacks. “The drastic decrease likely indicates that cybercriminals are utilizing the servers they compromise not for phishing attacks, but rather for more malware or distributed denial of service attacks,” said Rod Rasmussen, CTO of Internet Identity and a Trends Report contributor.

Another set of statistics also demonstrated criminals seeking out compromised servers they could use to distribute malware. During March, the percentage of phishing-based Trojans and downloader malware hosted in the USA dropped from 37 percent to less than 20 percent. “While tracking the decrease in US-hosted phishing websites we noticed a corresponding increase in phishing sites hosted in Canada,” said Carl Leonard of Websense. “Canadian-hosted phishing decreased in 2012, so we may be seeing the beginning of a trend reversal in Q1 2013.”

Trojans continue to account for about three-quarters of all newly detected crimeware threats.

The full text of the report is available here: docs.apwg.org/reports/apwg_trends_report_q1_2013.pdf

About the APWG

The APWG, founded in 2003 as the Anti-Phishing Working Group, is the global industry, law enforcement, and government coalition focused on unifying the global response to electronic crime. Membership is open to qualified financial institutions, online retailers, ISPs and Telcos, the law enforcement community, solutions providers, multi-lateral treaty organizations, research centers, trade associations and government agencies. There are more than 2,000 companies, government agencies and NGOs participating in the APWG worldwide. The APWG’s www.apwg.org and education.apwg.org websites offer the public, industry and government agencies practical information about phishing and electronically mediated fraud as well as pointers to pragmatic technical solutions that provide immediate protection. The APWG is co-founder and co-manager of the Stop. Think. Connect. Messaging Convention, the global online safety public awareness collaborative www.stopthinkconnect.org and founder/curator of the eCrime Researchers Summit, the world’s only peer-reviewed conference dedicated specifically to electronic crime studies www.ecrimeresearch.org.

Among APWG’s corporate sponsors are as follows: Afilias Ltd., AhnLab, AT&T(T), Avast!, AVG Technologies, BBN Technologies, Barracuda Networks, BillMeLater, Bkav, Booz Allen Hamilton, Blue Coat, BrandMail, BrandProtect, Bsecure Technologies, CSC Digital Brand Services, Check Point Software Technologies, Comcast, CSIRTBANELCO, Cyber Defender, Cyveillance, DigiCert, Domain Tools, Donuts.co, Easy Solutions, eBay/PayPal (EBAY), eCert, EC Cert, ESET, EST Soft, Facebook, Fortinet, FraudWatch International, F-Secure, GlobalSign, GoDaddy, Google, GroupIB, Hauri, Hitachi Systems, Ltd., Huawei Symantec, ICANN, Iconix, IID, IronPort, ING Bank, Intuit, Internet.bs, IT Matrix, Kindsight, LaCaixa, Lenos Software, MailShell, Malcovery, MarkMonitor, M86Security, McAfee (MFE), Melbourne IT, MessageLevel, Microsoft (MSFT), MicroWorld, Mirapoint, NHN, MyPW, nProtect Online Security, Netcraft, Network Solutions, NeuStar, Nominet, Nominum, Public Interest Registry, Panda Software, Phishlabs, Phishme.com, Phorm, Planty.net, Prevx, Proofpoint, QinetiQ, Return Path, RSA Security (EMC), RuleSpace, SAIC (From Science to Solutions), SalesForce, SecureBrain, S21sec, SIDN, SiteLock, SoftForum, SoftLayer, SoftSecurity, SOPHOS, SunTrust, SurfControl, Symantec (SYMC), Tagged, TDS Telecom, Telefonica (TEF), TransCreditBank, Trend Micro (TMIC), Trustwave, Vasco (VDSI), VeriSign (VRSN), Websense Inc. (WBSN), Wombat Security Technologies, Yahoo! (YHOO), zvelo and ZYNGA.

APWG Report: Cybercriminals Perfect Mass Attacks on Server Farms to Mount Phishing Blitzkriegs

[news release] A new phishing survey released by the Anti-Phishing Working Group (APWG) at its conference this week reveals that phishers are breaking into hosting providers with unprecedented success, using these facilities to launch mass phishing attacks.

Using this method, a phisher hacks into a web server that hosts a large number of domains – a “shared virtual server” – and plants phishing attacks on every domain name on the server. This allows the phisher to subvert hundreds or even thousands of Web sites at a time. The number of phishing attacks worldwide rose due to these break-ins, with attacks involving shared virtual servers representing 47 percent of all phishing attacks recorded worldwide in the second half of 2012.

“Breaking into hosting facilities is a high-yield activity for phishers,” said Rod Rasmussen, President & CTO of IID, and a co-author of the study. “This activity is part of a larger trend — we also see criminals hacking into shared hosting and using those servers for other malicious activities, such as launching denial-of-service attacks, infecting the computers of the legitimate website visitors via exploit code, and creating botnets.”

Also according to the study, the average and median uptimes of phishing attacks remained lower than the historical average, averaging 26 hours and 13 minutes in 2H2012, compared to the all-time low of 23 hours and 10 minutes recorded in 1H2012.

Another key finding was that when phishers register domain names for their scams, a small number of domain name registrars were abused more prevalently than others, relative to their overall domain registration portfolios and their industry peers. Eight of those registrars are located in China.

“Chinese phishers tend to make malicious domain registrations more often than other phishers, and use registrars inside and outside of China,” said Greg Aaron, President of Illumintel Inc., and a co-author of the study. “The report highlights how phishers take advantage of certain domain name registrars and registries, and how a lot of the activity is concentrated in certain places online. Those companies need to be actively involved in monitoring for and mitigating abuse in the spaces they control.”

The 2H2012 data set also yielded the following statistics:

  • There were at least 123,486 unique phishing attacks worldwide during the study period, found on 89,748 different domain names. Of those domains, the authors reported that 5,835 domain names appeared to be registered maliciously by the phishers. The number of maliciously-registered phishing domains has been in steady decline — down significantly from 7,712 in 1H2012, 12,895 in 2H2011, and 14,650 in 1H2011.
  • The overall use of subdomain services – registration schemes that give customers a subdomain beneath a common domain name – for phishing fell from 14 percent to 8 percent of all attacks.
  • Phishing occurred in 207 top-level domains (TLDs), but 82 percent of the malicious domain registrations were in just three TLDs: .COM, .TK, and .INFO.
  • Phishers targeted 611 target institutions, up from 486 in the first half of 2012. Targets include the users of banks, e-commerce sites, social networking services, ISPs, government tax bureaus, online gaming sites, and financial securities companies. PayPal was the most-targeted institution.
  • Only about 1.4 percent of all domain names that were used for phishing contained a brand name or variation thereof.

The full report can be found here: docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2012.pdf


Maliciously Registered Domains Decline As 4 in 5 Phishing Domains In .COM, .TK and .INFO

[news release] A new phishing survey released by the Anti-Phishing Working Group (APWG) at its conference in Buenos Aires this week reveals that phishers are breaking into hosting providers with unprecedented success, using these facilities to launch mass phishing attacks.“The report highlights how phishers take advantage of certain domain name registrars and registries, and how a lot of the activity is concentrated in certain places online. Those companies need to be actively involved in monitoring for and mitigating abuse in the spaces they control.”Using this method, a phisher hacks into a web server that hosts a large number of domains – a “shared virtual server” – and plants phishing attacks on every domain name on the server. This allows the phisher to subvert hundreds or even thousands of Web sites at a time. The number of phishing attacks worldwide rose due to these break-ins, with attacks involving shared virtual servers representing 47 percent of all phishing attacks recorded worldwide in the second half of 2012.”Breaking into hosting facilities is a high-yield activity for phishers,” said Rod Rasmussen, President & CTO of IID, and a co-author of the study. “This activity is part of a larger trend — we also see criminals hacking into shared hosting and using those servers for other malicious activities, such as launching denial-of-service attacks, infecting the computers of the legitimate website visitors via exploit code, and creating botnets.”Also according to the study, the average and median uptimes of phishing attacks remained lower than the historical average, averaging 26 hours and 13 minutes in 2H2012, compared to the all-time low of 23 hours and 10 minutes recorded in 1H2012.Another key finding was that when phishers register domain names for their scams, a small number of domain name registrars were abused more prevalently than others, relative to their overall domain registration portfolios and their industry peers. 
Eight of those registrars are located in China.”Chinese phishers tend to make malicious domain registrations more often than other phishers, and use registrars inside and outside of China,” said Greg Aaron, President of Illumintel Inc., and a co-author of the study. “The report highlights how phishers take advantage of certain domain name registrars and registries, and how a lot of the activity is concentrated in certain places online. Those companies need to be actively involved in monitoring for and mitigating abuse in the spaces they control.”The 2H2012 data set also yielded the following statistics:

  • There were at least 123,486 unique phishing attacks worldwide during the study period, found on 89,748 different domain names. Of those domains, the authors reported that 5,835 domain names appeared to be registered maliciously by the phishers. The number of maliciously-registered phishing domains has been in steady decline — down significantly from 7,712 in 1H2012, 12,895 in 2H2011, and 14,650 in 1H2011.
  • The overall use of subdomain services – registration schemes that give customers a subdomain beneath a common domain name – for phishing fell from 14 percent to 8 percent of all attacks.
  • Phishing occurred in 207 top-level domains (TLDs), but 82 percent of the malicious domain registrations were in just three TLDs: .COM, .TK, and .INFO.
  • Phishers targeted 611 target institutions, up from 486 in the first half of 2012. Targets include the users of banks, e-commerce sites, social networking services, ISPs, government tax bureaus, online gaming sites, and financial securities companies. PayPal was the most-targeted institution.
  • Only about 1.4 percent of all domain names that were used for phishing contained a brand name or variation thereof.

The full report can be found here: docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2012.pdf
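One way a defender could surface the shared-virtual-server break-ins described in this release, as an added example that is not part of the APWG report or its counting methodology: group sighted phishing URLs by the IP they resolved to and the path they share, since one compromised server shows the same planted path under many unrelated domain names. The feed, hostnames and addresses below are constructed, and the minimum-domains threshold is an assumption.

```python
# Added example (not from the APWG report): flag "shared virtual server" break-ins
# in a phishing URL feed by clustering on (hosting IP, URL path). A single
# compromised server carries the same phishing path under many unrelated domains.
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample feed: (phishing URL, IP the hostname resolved to at sighting).
# All hostnames and addresses are made up for this example.
FEED = [
    ("http://alpha-shop.example/~admin/paypal/login.php", "203.0.113.10"),
    ("http://bravo-blog.example/~admin/paypal/login.php", "203.0.113.10"),
    ("http://charlie.example/~admin/paypal/login.php", "203.0.113.10"),
    ("http://delta-news.example/~admin/paypal/login.php", "203.0.113.10"),
    ("http://secure-bank-update.example/index.html", "198.51.100.7"),
    ("http://echo.example/wp-content/upload/bank/", "192.0.2.44"),
    ("http://foxtrot.example/wp-content/upload/bank/", "192.0.2.44"),
]


def cluster_shared_servers(feed, min_domains=3):
    """Return {(ip, path): {hostnames}} for servers carrying the same phishing
    path on at least min_domains distinct hostnames. The threshold is a
    heuristic chosen for this example, not the APWG's published counting rule."""
    by_server = defaultdict(set)
    for url, ip in feed:
        parts = urlsplit(url)
        by_server[(ip, parts.path)].add(parts.hostname)
    return {key: hosts for key, hosts in by_server.items() if len(hosts) >= min_domains}


def shared_server_share(feed, min_domains=3):
    """Fraction of attacks (feed entries) that sit on a flagged shared server,
    the same kind of ratio the release reports as 47 percent for 2H2012."""
    flagged = set(cluster_shared_servers(feed, min_domains))
    hits = sum(1 for url, ip in feed if (ip, urlsplit(url).path) in flagged)
    return hits / len(feed)


if __name__ == "__main__":
    for (ip, path), hosts in cluster_shared_servers(FEED).items():
        print(f"{ip} {path}: {len(hosts)} domains -> {sorted(hosts)}")
    print(f"share of attacks on shared servers: {shared_server_share(FEED):.0%}")
```

Lowering `min_domains` to 2 also catches the two-domain cluster on 192.0.2.44, at the cost of more false positives from coincidental paths such as a common CMS upload directory.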

APWG Cybercrime Fighters, University Researchers and ICANN Unite to Set Global Cybercrime Fighting Agenda

[news release] The Anti-Phishing Working Group’s Fall conference week in Puerto Rico this October will unite industrial and police cybercrime investigators, university researchers and security experts with ICANN in an unprecedented alignment of global thought-leaders and cybercrime responders.

APWG Secretary General Peter Cassidy said, “We witness in this fall’s conference an even deeper coordination of cybercrime investigators and managers, infrastructure management authorities, pioneering researchers from industry, academia and government, all finding common purpose in bringing cybercrime under control as a predictable, and manageable, threat.”

The conference week programming will include the APWG’s own Members Meeting on Oct. 22 covering trends in cybercrime and remedial approaches for countering them; the eCrime Researchers Summit (eCRS) on Oct 23 and 24 to present the latest in university and industry-based research in cybercrime forensics and containment; and participants in ICANN’s DNS Security, Stability and Resiliency Symposium on October 25 will consider DNS abuse and other operational matters.

“Domain Name System Security is an important component in the ecrime toolkit,” said Dave Piscitello, Senior Security Technologist at ICANN. “eCrime 2012 offers a unique opportunity to bring security, law enforcement, and DNS operations communities together to consider how to improve detection of and mitigate DNS abuse.”

Presentations for the General Members Meeting and eCrime Researchers Summit will come from APWG members, experts from industry, government, law enforcement and academic and industrial research centers. eCRS presenters come largely from academic institutions, though the review panel is a mix of cybercrime experts from industry, academia and the NGO sector. eCRS covers technology and forensic approaches as well as behavioural and sociological aspects in its research purview.

The working agenda for the four full days of conference week programming is here: apwg.org/events/2012_ecrime.html#agenda

The APWG IEEE eCrime Fighter Scholarship Program will help subsidize the travel of researchers whose papers have been accepted by the eCRS review committee. The top three scoring papers will be awarded cash prizes of $1500, $1000 and $500 respectively. Full paper and Research-in-Progress submissions are due August 10, 2012 and notifications will be announced on September 3. The eCRS CFP can be found here: www.ecrimeresearch.org/2012/cfp.html

About the APWG

The APWG, founded in 2003 as the Anti-Phishing Working Group, is the global industry, law enforcement, and government coalition focused on unifying the global response to electronic crime. Membership is open to qualified financial institutions, online retailers, ISPs and Telcos, the law enforcement community, solutions providers, multi-lateral treaty organizations, research centers, trade associations and government agencies. There are more than 2,000 companies, government agencies and NGOs participating in the APWG worldwide. The APWG’s www.apwg.org and education.apwg.org websites offer the public, industry and government agencies practical information about phishing and electronically mediated fraud as well as pointers to pragmatic technical solutions that provide immediate protection. The APWG is co-founder and co-manager of the Stop. Think. Connect. Messaging Convention, the global online safety public awareness collaborative (www.stopthinkconnect.org), and founder/curator of the eCrime Researchers Summit, the world’s only peer-reviewed conference dedicated exclusively to electronic crime studies (www.ecrimeresearch.org).

APWG’s corporate sponsors include: Afilias Ltd., AhnLab, AT&T, Avast!, AVG Technologies, BBN Technologies, Barracuda Networks, BillMeLater, Bkav, Booz Allen Hamilton, Blue Coat, BrandMail, BrandProtect, Bsecure Technologies, Check Point Software Technologies, Comcast, CSIRTBANELCO, Cyber Defender, Cyveillance, Domain Tools, Easy Solutions, eBay/PayPal, eCert, EC Cert, ESET, EST Soft, Facebook, Fortinet, FraudWatch International, F-Secure, GlobalSign, GoDaddy, Google, GroupIB, Hauri, Hitachi Systems, Ltd., Huawei Symantec, ICANN, Iconix, IID, IronPort, ING Bank, Intuit, IT Matrix, Kindsight, LaCaixa, Lenos Software, MailShell, MarkMonitor, M86Security, McAfee, Melbourne IT, MessageLevel, Microsoft, MicroWorld, Mirapoint, MyPW, nProtect Online Security, Netcraft, Network Solutions, NeuStar, Nominet, Nominum, Public Interest Registry, Panda Software, Phishlabs, Phishme.com, Phorm, Planty.net, Prevx, Proofpoint, QinetiQ, Return Path, RSA Security, RuleSpace, SAIC (From Science to Solutions), SalesForce, SecureBrain, S21sec, SIDN, SoftForum, SoftLayer, SoftSecurity, SOPHOS, SunTrust, SurfControl, Symantec, Tagged, TDS Telecom, Telefonica, TransCreditBank, Trend Micro, Vasco, VeriSign, Websense Inc., Wombat Security Technologies, Yahoo!, zvelo and ZYNGA.

.CN’s Tightened Registration Policy Sees Phishers Go To CO.CC And .TK

The tightening of registration policies for .CN domain names by CNNIC has seen a rapid decline in the number of phishers using .CN domain names and an increase in the use of other top level domains and services, in particular the CO.CC sub-domain and the .TK country code TLD.

In a report from the Anti Phishing Working Group titled Global Phishing Survey 2H2010: Trends and Domain Name Use, the APWG found that millions of phishing URLs were reported in 2H2010, but the number of unique phishing attacks and domain names used to host them was much smaller.

The .CC domain was used for 7.3 per cent of all phishing attacks in 2H2010 according to the report, the second highest proportion and vastly over-represented compared to other TLDs, with six phishing domains per 100,000 domains. There are 4,030,709 .TK domain registrations. The largest TLD was .COM with 48 per cent of all attacks from domain names and 45 per cent of all domain registrations globally, and 2.1 phishing domains per 10,000.

When looking at sub-domains, top of the list is co.cc with a total of 4,803 attacks, a long way ahead of second place, t35.com with 642 attacks. T35.com dropped to second place due to the large increase in co.cc attacks.

There were at least 67,677 phishing attacks worldwide according to the report, greater than the 48,244 observed in 1H2010, but significantly less than the record 126,697 observed in 2H2009 at the height of phishing on the Avalanche botnet.

The attacks occurred on 42,624 unique domain names. This is a high in APWG reports going back to 2007, and the increase is due to new data about Chinese phishing. Of the 42,624 domains, 11,769 (28%) were believed to be registered maliciously by the phishers. Of those, 6,382 were registered to phish Chinese targets. The other 30,855 domains were hacked or compromised on vulnerable web hosting. Malicious registrations apparently took place in 56 TLDs.

The phishing that was detected remains concentrated in certain namespaces. Sixty percent of attacks occurred in just four TLDs: .COM, .CC, .NET, and .ORG. And 89 percent of malicious domain registrations were made in four TLDs: .COM, .TK, .NET, and .INFO.

The tightening of registration policies for .CN domain names was criticised for being restrictive and assisting censorship. The new rules barred individuals from registering .CN domains, and required all potential registrants to present a paper application form with a copy of a company business license and a copy of the registrant’s personal identification. As a result, the number of .CN registrations fell from 13.5 million in late 2009 to just 3.4 million in March 2011.

In the second half of 2009, APWG observed 2,826 phishing attacks on 228 .CN names. Through the first half of 2010, the numbers dropped to just 162 attacks on 120 domains. In 2H2010, the data shows 352 attacks on 278 .CN domains, with the increase due to CNNIC’s superior data contribution. Half of those domains were used to attack non-Chinese targets.

Historically, about 80 per cent of phishing attacks have used the hacked web servers of innocent domain registrants. In contrast, the Chinese phishers prefer to register domain names and subdomains for their malicious work. In 2H2010 APWG counted 12,282 attacks on Chinese institutions, utilising 6,382 unique domain names plus a staggering 4,737 free CO.CC subdomains. Of the 6,382 domain names, just 487 looked hacked. And of the 2,429 .TK domains used for phishing in 2H2010, 2,001 were used to phish Chinese institutions.

Top of the list, and top for the last 2.5 years, was .TH (Thailand) with 12.6 phishing domains per 10,000 registrations. But there were only 51,438 registrations in .TH, with 65 unique domains used for phishing attacks.

To download the 29-page PDF report from the Anti Phishing Working Group in full, go to:
www.antiphishing.org/reports/APWG_GlobalPhishingSurvey_2H2010.pdf
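The "phishing domains per 10,000 registrations" score used throughout these surveys, worked through as an added example that is not from the APWG report: only the .TH row reuses figures quoted above (65 phishing domains in 51,438 registrations); the other rows and the small-TLD threshold are constructed assumptions. The example also shows why a small TLD like .TH can top the ranking on a handful of domains.

```python
# Added example, not from the APWG report: the "phishing domains per 10,000
# registrations" score, with the small-TLD caveat made explicit.
# Only the .TH row uses figures from the page; the other rows are constructed.
TLD_TABLE = {
    # tld: (unique domains used for phishing, total registrations in the TLD)
    ".TH": (65, 51_438),           # figures from the 2H2010 summary above
    ".COM": (18_000, 90_000_000),  # constructed placeholder figures
    ".NET": (1_800, 13_000_000),   # constructed placeholder figures
    ".INFO": (900, 8_000_000),     # constructed placeholder figures
}


def score_per_10k(phishing_domains, registrations):
    """Phishing domains per 10,000 registrations, as reported in the surveys."""
    return phishing_domains / registrations * 10_000


def domains_per_point(registrations):
    """How many additional phishing domains move the score by one full point.
    For a small TLD this is only a handful, so its score swings easily."""
    return registrations / 10_000


def rank_tlds(table, min_registrations=100_000):
    """Rank TLDs by score, highest first. The third field flags TLDs whose
    registration base is below min_registrations (a threshold chosen for this
    example, not one the APWG report defines)."""
    rows = [
        (tld, round(score_per_10k(phish, regs), 1), regs < min_registrations)
        for tld, (phish, regs) in table.items()
    ]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for tld, score, small in rank_tlds(TLD_TABLE):
        note = ""
        if small:
            note = " (small base: %.1f domains per point)" % domains_per_point(TLD_TABLE[tld][1])
        print(f"{tld:6} {score:5.1f}{note}")
```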