Tag Archives: APWG

APWG REPORT: Phishing Attacks Double in 2020 and October Shatters All-Time Monthly Records

[news release] The APWG’s new Phishing Activity Trends Report reveals that the number of phishing attacks observed by APWG members grew through 2020, fully doubling over the course of the year. Attacks peaked in October 2020, with a high of 225,304 new phishing sites appearing in that month alone, breaking all previous monthly records.


Latest APWG Report On Phishing Attacks Finds Most BEC Attacks Mounted With Deceptive Domain Names Registered By Five Registrars

[news release] The Anti-Phishing Working Group’s (APWG) new Phishing Activity Trends Report reveals a rise in reported phishing since March of 2020. In August and September of 2020, the APWG logged 200,000 phishing sites per month — with more than 500 separate brands attacked by phishers each month in the quarter.


Repurposed ccTLDs Showing Higher Levels of Phishing: APWG

Some of the TLDs with the highest levels of domain names used for phishing are “repurposed” ccTLDs – those where management rights have been granted to third parties who have then commercialised the TLDs, according to the latest Phishing Activity Trends Report for the third quarter of 2018 from the Anti-Phishing Working Group. Among those with the highest levels are .tk, .ml, .ga, .cf and .gq, which are all operated by a Dutch company that offers domain names in those TLDs for free, while .pw is operated by a company based in India. But there are also ccTLDs outside this description with a higher than expected number of phishing domain names, such as .br, .ru, .in and .au.

The TLD with the most phishing domain names was unsurprisingly .com which had 922 domain names (out of a total 137.6 million), followed by .org with 80 out of 10.3 million and then .net with 78 out of 14.1 million. They were followed by .pw with 53 phishing domain names, .info (43 out of 5.0 million) and .br (41 out of 4.0 million). The first new gTLD on the list, .xyz, was seventh with 30, .ml and .ru (28), .in and .tk (24 out of 21.5 million), .ga and .uk (23 out of 11.9 million), .cf and .gq (22), .au and .top (20 out of 3.2 and 3.9 million respectively) while .business (17 out of 63,000) and .agency and .co (15 each out of 64,000 for .agency) rounded out the top 20.

“Sometimes it is easy to discount the total volume of abuse in a TLD if the TLD has a large number of domains in it,” said Jonathan Matkowsky of RiskIQ. “We assigned a weighted score against the total number of domains in each zone, looking at TLDs where there were at least five unique domain names used for phishing, as a way of understanding the size of the zone and the phishing prevalence in it. After discounting the number of unique hosts by the relative size of those zones, .TOP and .XYZ were still the new gTLDs that scored highest.”

There has also been a growth in websites using web addresses with https, which is supposedly more secure. APWG notes that at the end of 2016, less than 5% of phishing sites were found on HTTPS infrastructure. In the third quarter of 2018, PhishLabs saw the number of phishing web sites using SSL/TLS encryption increase to 49.4%, up from 35.2% in the second quarter.

“This is likely a result of attackers obtaining certificates for use on their own infrastructure, and in general, as more legitimate Web sites obtain SSL certificates, some of those will naturally become compromised by phishers,” John LaCour, the Chief Technology Officer of PhishLabs noted. “As of July 2018, the Google Chrome browser began to warn users that plain HTTP sites are ‘not secure’, and that will drive more web site owners to use HTTPS. So over time we expect that most phishing sites will use SSL certificates. Certificate authorities that offer free certificates will be increasingly abused by phishers in the future.”

APWG and M3AAWG Survey Finds ICANN’s GDPR Response Impeding Cyber Investigations

A joint APWG-M3AAWG survey of over 300 cybercrime responders and anti-abuse personnel indicates ICANN’s Temporary Specification, its response on how to deal with the European Union’s General Data Protection Regulation for domain name WHOIS data, has eliminated interventions that previously allowed investigators to stop new cybercrimes while still in the preparatory stages — and has markedly impeded routine mitigations for many kinds of cybercrimes.

With responses from 327 professionals, the survey revealed that losing the ability to attribute domain names to criminals or victims of abuse has irreparably eliminated their capacity to issue warnings about new abuses that known bad actors are perpetrating, even when the WHOIS registrant data uses a pseudonym, according to Peter Cassidy, Anti-Phishing Working Group (APWG) Secretary General.

According to survey respondents, ICANN’s Temporary Specification for gTLD Registration Data, established in May in response to the GDPR, impedes investigations of cybercrime – from ransomware attacks to distribution of state-sponsored strategic disinformation. Analyses of responses from the survey reveal that:

  • Cyber-investigations and mitigations are impeded because investigators are unable to access complete domain name registration data.
  • Requests to access non-public WHOIS by legitimate investigators for legitimate purposes under the provisions of the Temp Spec are routinely refused.

“The biggest impact has been to determine who has registered a criminal/fraudulent domain, and the ability to use that information to find other domains registered by the same actor. That devastates our ability to find all of the fraudulent domains registered by the same entity,” one typical respondent wrote in the APWG-M3AAWG GDPR and WHOIS User Survey report.

APWG and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) concluded their analysis with recommendations for ICANN to:

  • Establish a mechanism for WHOIS data access by accredited, vetted qualified security actors.
  • Restore redacted WHOIS data of legal entities.
  • Adopt a contact data access request specification for consistency across registrars and gTLD registries.
  • Establish a WHOIS data access scheme that does not introduce delays in collecting or processing and is not burdened by per-request authorizations.
  • Reassess the current redaction policy and consider replacing restricted personal data with secure hashes that can be used as a proxy for tracing criminal actors across data resources.
  • Publish point of contact email addresses to provide investigators with an effective means of identifying domains associated with a victim or person of interest in an investigation.

The survey was submitted to ICANN on Oct. 18 by the Anti-Phishing Working Group and the Messaging, Malware and Mobile Anti-Abuse Working Group.

The full survey can be found at www.m3aawg.org/WhoisSurvey2018-10 or docs.apwg.org/reports/ICANN_GDPR_WHOIS_Users_Survey_20181018.pdf.

SIDN Fighting Abuse in .NL

Abuse is all too common in top level domains. In 2016 the Anti-Phishing Working Group reports phishing occurred in 454 TLDs, including in 228 new gTLDs. So that abuse occurs in any TLD is not surprising. But how the TLD goes about fighting it, or not, can be of interest.

Recently SIDN, the registry for .nl (Netherlands) published a blog post on abuse in .nl. “Abuse is a growing problem, according to Lilian van Mierlo, [SIDN’s] Registration & Service Manager. ‘There are some types of abuse that we used to get reports about maybe ten times a year, and now we’re getting a thousand reports about. Or more! It’s not just that there’s more abuse going on. The abuse is also becoming more sophisticated. Most phishing sites used to stand out a mile, with clumsy layouts and machine-translated text. Whereas a lot of them nowadays are hard to tell apart from the real thing.’”

SIDN works in partnership with registrars, hosting service providers, consumer organisations, government agencies and bodies such as the Fraud Help Desk and others where appropriate to fight abuse.

“In recent years, anti-abuse work has been taking up more and more of my department’s time,” Lilian continues. “It was easy to see that teaming up with others active in the field made sense. Collaboration is organised through Support4Abuse20 (“support for abuse to zero”). And it means we’re able to fight abuse on three fronts. We tackle phishing and malware through abuse204.nl, we act to get fake webshops taken down, and we respond to botnets via the Abuse Information Exchange.”

On Abuse204.nl, the article explains:
“Abuse204.nl (abuse to zero for .nl) is an initiative designed to clamp down on phishing and malware. At the heart of the system is a feed provided by Netcraft, an international company that tracks malware and phishing. Netcraft collates abuse reports and checks their validity. A monitoring system then automatically e-mails the abuse reporting address of any domain linked to phishing or malware. If the domain doesn’t have a dedicated abuse reporting mailbox, all the contacts for the domain name are mailed. The aim being to get a message through the right person in the chain as soon as possible. R&S keeps watch over the system to see whether the automated e-mails trigger a response. In many cases, the registrar or hosting firm will intervene when they get an alert. If that doesn’t happen, we ask the registrars whether we can help. Where necessary we’ll follow that up with a reminder. Since we started abuse204.nl, we’ve managed to cut the average time-to-live of phishing and malware sites substantially.”

“Fake webshops have been around for years, but recently they’ve been getting more common. Even in the .nl domain, sadly. It’s a simple scam: offer attractive goods for sale, but never send them to the buyers, or only send fakes. Interestingly, sham webshops often use domain names that don’t match what they’re supposedly selling. So you might get shoes being sold using an address that looks as if it belongs to a housing advice service. The logic seems to be that a domain name that’s been in use before will feature higher in search results. The strategy is helped by the fact that other genuine sites often still have links to a previously used domain. And the more visitors the scammers can attract, the more they can earn. There isn’t a lot that we can do about fake webshops. But that doesn’t stop us doing what we can. We check the registration data of domain names used for suspect webshops, because it often turns out to be false. The registrant might be a non-existent person, for example. Or a real person who has nothing to do with the registration. Giving false information is against our terms and conditions, and that gives us leverage. We ask the registrant to provide valid details, and if they don’t we cancel the registration. So the fake webshop can’t make use of the name.”

The post also explains the Abuse Information Exchange that is used to fight botnets and how it’s vital to act quickly.

As a result, .nl is “one of the most secure internet domains in the world”.

“If we can keep it that way, all the effort’s worthwhile,” van Mierlo says. “But we have to be realistic: it’s impossible to eliminate abuse completely. Crooks are getting smarter all the time and we will always be one step behind. Cybercrime is even being marketed as a service these days. But none of that should deter us from doing all we can to make .nl less attractive to scammers.”

To read the blog post in full on the SIDN website, see:

2016 World’s Worst Year for Phishing. Ever! Says APWG. With Attacks on 195,000 Domain Names.

Phishing attacks increased by 65% in 2016 over 2015 to be the worst year for phishing in history according to APWG’s new Phishing Activity Trends Report [pdf]. According to the report the total number of phishing attacks in 2016 was 1,220,523.

The end of 2016 was also an opportunity to reflect how phishing has grown over the years. In the fourth quarter of 2004, the APWG saw 1,609 phishing attacks per month. In the fourth quarter of 2016, the APWG saw an average of 92,564 phishing attacks per month — an increase of 5,753 percent over 12 years. The growth in phishing attacks over the past ten years has generally increased each year, indicating a consistent trend. Forthcoming APWG reports will provide additional dimensions of data for more analysis.

“Phishing is an attack that relies primarily on fooling people, rather than highly sophisticated technical implementations,” said APWG Senior Research Fellow and iThreat VP Greg Aaron. “For that reason, phishing remains both popular and effective. Also, the APWG’s numbers for 2016 just measure broad-based attacks against consumer brands. The numbers don’t attempt to catalog spear-phishing, which is highly targeted phishing that targets only a few specific people within a company. Truly, phishing is more pervasive and harmful than at any point in the past.”

There were at least 255,065 unique phishing attacks worldwide, according to the report, an increase of over 10% from the 230,280 attacks identified in 2015. An attack is defined as a phishing site that targets a specific brand or entity. A single domain name can host several discrete phishing attacks against different banks, for example.

The attacks occurred on 195,475 unique domain names. This is the most APWG have recorded in any year since they began these reports in 2007. The number of domain names in the world grew from 287.3 million in December 2014 to 329.3 million in December 2016.

Of the 195,475 domains used for phishing, 95,424 domain names were believed to be registered maliciously by phishers. This is an all-time high, and almost three times as many as the number found in 2015. A little over half of these registrations were made by Chinese phishers. The other 100,051 domains were almost all hacked or compromised on vulnerable Web hosting. This means that nearly half of all domains that hosted phishing sites were maliciously registered.

Seventy-five percent of the malicious domain registrations were in just four TLDs: .COM (with 58% of the malicious domains), .CC (14%), .PW (3%), and .TK (3%), and more than 90% of malicious domains were found in just 14 TLDs. The TLDs in places 5 to 14 were .info, .net, .ga, .top, .cf, .ml, .cn, .gq, and .ve. And the registrars these domain names were registered with were dominated by Chinese registrars.

In addition, 6,373 attacks were detected on 5,378 unique IP addresses, rather than on domain names. (For example: There were no phish of any kind observed on IPv6 addresses.

The APWG counted 679 targeted brands. This dropped from 783 in 2015. Phishers are still creating kits dedicated to attacking both popular targets and new targets.

Phishing occurred in 454 top level domains (TLDs). 228 were new generic TLDs launched since 2013.

One hundred and eighty-six of the 195,475 domain names were internationalised domain names (IDNs). None involved homographic attacks, but some displayed deceptive messages in the translated domain names.

Axur, a Brazilian company that concentrates on protecting companies and their users in Brazil, found that fraudsters in Brazil are using both traditional phishing and social media to defraud Internet users. They are also using technical tricks to make it harder for responders to stop these scams and filter them before they reach end users. “Criminals are re-inventing themselves all the time,” said Fabio Ramos, CEO of Axur. “We’ve seen a decrease in the numbers of regular phishing attacks – and an increase in other methods of fraud, such as malware fake services advertised through social media platforms.”

APWG member RiskIQ examined how phishing victims are fooled by phishers – not by the address in the browser bar, but by hyperlinks (which must be hovered over to even see the destination domain), URL shorteners, which mask the destination domain, or brand names inserted elsewhere in the URL.

“A relatively low percentage of phishing websites targeting a brand attempt to spoof that brand in the domain name—whether at the second-level or in the fully-qualified domain name,” says Jonathan Matkowsky, VP for intellectual property & brand security at RiskIQ. This is evidence that phishers do not need to use deceptive domain names to fool Internet users into visiting their sites.

To download the APWG Phishing Activity Trends Report, see:

DomainTools Launches New Cyber Threat Solution, PhishEye, to Stop Phishing Attacks Before They Occur

[news release] DomainTools, the leader in domain name and DNS-based cyber threat intelligence, today announced the launch of PhishEye, a simple yet effective new security solution that helps to prevent phishing attacks before they happen.

Powered by DomainTools’ market-leading domain name discovery and profiling systems, PhishEye automates the process of identifying look-alike domains that spoof brand, product, or organization names. Security teams that use PhishEye can rely on DomainTools to identify potential domain-based threats and proactively defend networks against future phishing attacks.

Phishing activity is at an all-time high, causing significant financial and brand damage. In fact, fake website and phishing scams cost the average-sized organization nearly $4 million annually, noted in a recent report by the Ponemon Institute. What’s more, the Anti-Phishing Working Group (APWG) observed 466,065 unique phishing sites in the second quarter of 2016 alone, up 61 percent over the previous quarter and almost three times the number observed in the fourth quarter of 2015. With phishing attacks showing no signs of slowing down, proactive monitoring solutions which leverage DNS data have never been more necessary for organizations of all sizes and industries.

“Phishing campaigns are fundamentally trying to trick your employees or customers, and the ‘trick’ often involves a look-alike domain and website. To build an effective phishing prevention product it helps to have a very thorough mapping of domains in DNS today as well as highly effective and timely domain discovery systems, two things DomainTools is exceedingly good at,” said Tim Chen, CEO, DomainTools. “We created PhishEye for enterprises looking for a simple and effective way to automate the process of discovering phishing threats lurking on the internet well before they are activated.”

PhishEye’s highly intelligent typo and substring matching algorithm, working in concert with DomainTools’ proprietary Domain Reputation Engine, automates the discovery and notification of potentially nefarious domains very close to their actual registration time. These domains can then be entered into spam filters, firewalls, and other security systems to protect against phishing attacks on your network, or pushed into DomainTools Iris for further investigation and attribution.

To learn more about PhishEye and how DomainTools is protecting organizations from phishing attacks, or to request a demo, please visit: domaintools.com/products/phisheye.

About DomainTools
DomainTools helps security analysts turn threat data into threat intelligence. We take indicators from your network, including domains and IPs, and connect them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work. Learn more about how to connect the dots on malicious activity at domaintools.com or follow us on Twitter: @domaintools

This news release was sourced from:

Phishers Continue Targeting Companies, But Limited Interest in New gTLDs: APWG

New companies are constantly being targeted by phishers, with some phishers attacking targets where consumers may least expect it while the ten companies that are targeted most often by phishers are attacked constantly, sometimes more than 1,000 times per month. These are some of the findings of the Global Phishing Survey for Second Half of 2014, released by the Anti-Phishing Working Group (APWG) on Wednesday.

The report found phishing occurred in 272 top level domains (TLDs) with 56 in new gTLDs. And the number of domain names used for phishing has reached an all-time high, but the interest in new gTLDs has so far been limited. However with the registration fees for some of the new gTLDs dropping to below .com prices, the APWG believes this will attract phishing and other kinds of abuse.

However the report notes that tens of thousands of domains in the new gTLDs are being consumed by spammers and are being blocklisted by providers such as Spamhaus and SURBL. So while relatively few new gTLD domains have been used for phishing, the report notes the total number of them being used maliciously is much higher.

Of the new gTLDs, the largest, .xyz, had the most phishing domains with 288. The .xyz gTLD became notorious as Network Solutions gave their .com registrants a .xyz domain. But only four of the .xyz domains were registered with Network Solutions. Most of the .xyz phishing registrations (298) were made at Xin Net and other Chinese registrars, and were used to attack Chinese targets. A lesson here, the report notes, is that when it comes to abuse, who can obtain domains in a TLD (and in what quantities) may be as important as the (low) price of the domain. .XYZ had a phishing-per-10,000-domains score of 3.6, which was just slightly above the average of 3.4 for all TLDs, and lower than .com’s score of 4.7.

SinceBut there only 1.9 percent of all domain names that were used for phishing contained a brand name or variation thereof.

According to the report, there were at least 123,972 unique phishing attacks worldwide during the six-month period. This was almost the same number as in the first half of 2014, and the most seen in a six-month period since the second half of 2009. The APWG defines an attack as a phishing site that targets a specific brand or entity. A single domain name can host several discrete phishing attacks against different banks, for example.

These attacks occurred on 95,321 unique domain names, the most ever recorded in a half-year period. The number of domain names in the world grew from 279.5 million in April 2014 to 287.3 million in December 2014.

Of the 95,321 phishing domains the APWG identified, 27,253 are believed to have been registered maliciously by phishers. This is an all-time high, and much higher than the 22,629 identified in the first half of 2014. Most of these registrations were made by Chinese phishers. The other 68,303 domains were almost all hacked or compromised on vulnerable Web hosting.

The registrations were concentrated in just five TLDs with seventy-five percent of the malicious domain registrations in .com, .tk, .pw, .cf and .net.

In addition, 3,582 attacks were detected on 3,095 unique IP addresses, rather than on domain names. (For example: But none were observed on IPv6 addresses.

There were also 569 targeted institutions, down significantly from the all-time high of 756 observed in the first half of 2014.

The average uptime in the second half of 2014 was 29 hours and 51 minutes. The median uptime in the six-month period increased to 10 hours 6 minutes, meaning that half of all phishing attacks stay active for slightly more than 10 hours.

Freenom Relaunches Equatorial Guinea ccTLD With Free Domains. Will It Be A Future Phishing Target?

Following in the footsteps of .tk (Tokelau), .ml (Mali), .ga (Gabon) and .cf (Central African Republic), Freenom has taken on the role of registry for .gq (Equatorial Guinea) and the ccTLD is now its fifth ccTLD where domains are given away free.

The move to give away domains in ccTLDs from smaller countries has had some success, particularly with .tk, which is now the world’s second largest TLD behind .com and largest ccTLD with over 26.5 million registrations.

But the move to give away domains is not without problems. In the latest Anti-Phishing Working Group report, Global Phishing Survey 1H2014: Trends and Domain Name Use, it was noted that phishing occurred in 227 TLDs, but 90 percent of the malicious domain registrations (20,565) were in just five TLDs: .com, .tk, .pw, .cf and .net.

And on a score of the number of phishing domains per 10,000 registered domains, .cf comes out way on top with a score of 320.8 followed by .ml with 118.9. The .ga TLD comes in fourth with 42.9.

In this latest venture Freenom has partnered with GETESA, the largest telecommunication operator in Equatorial Guinea and a joint venture with Orange, to relaunch .gq in various stages. Before .gq domains are available for free to the general public on 1 December, trademark holders and trademark agencies have their first pick in the .gq Sunrise Period that started on 1 October.

From 1 December onwards free GQ domains will be offered to all internet users in Equatorial Guinea and internationally. There will be no restrictions to registrations of free domains and anyone can claim their own .gq domain. Free .gq domains will work exactly like any other extension and can be renewed an unlimited number of times at no charge.

“The need for free domains continues to grow exponentially,” says Joost Zuurbier, CEO at Freenom. “Especially in countries like Brazil, Russia, Vietnam and China, we see the demand for new domains is growing and growing. We are happy to announce that we have opened up more domain space to fulfil these needs.”

Freenom has already partnered with four nations and has become the largest country code domain registry operator worldwide with more than 28 million active domains under management.

Following the success of .TK, Freenom has opened its model to other nations eager to develop their top level domain and looking for an alternative to the unprofitable pay-per-year model. By leapfrogging the traditional approach and offering free domains, they are able to create an immediate impact on their digital landscape and empower their internet users to build an online identity at no cost.

“Free domains make a lot of sense in countries where the banking penetration is in the single digit range,” continues Joost Zuurbier. “The demand for free domains is enormous because people in those nations may not have a credit card to buy domains, but they do have a profound need to communicate and build their presence online. Free domains are an important catalyst that directly enable local content creation and internet entrepreneurship.”

To support its African partners, Freenom opened an office in Dakar in 2013 and will continue to grow its operations in Senegal. Most African countries have been traditionally very weak in the domain name space, but its increasing technology-savvy population and modernizing digital landscape make it the perfect place for the free domain model. Just as free SIM cards and prepaid phones have revolutionized communications, free domains can dramatically change how African internet users are represented online.

In Equatorial Guinea, GETESA sees free .GQ domains as an opportunity to empower young internet users and help them embrace their digital flag. Through GQ free domains they will be able to create websites and learn about technology.

Freenom’s experience and technology will directly benefit the local internet community of Equatorial Guinea, who will be able to enjoy a modern platform and unlimited domains at no cost. Together with GETESA and in line with ICANN’s bottom-up multi-stakeholder model, the partnership will ensure that the .GQ extension is accessible to all internet users.

Malicious Phishing Domains Grow Globally As Phishers Abuse Free TLDs: APWG Report

Incidences of phishing continued to explode in China in the second half of 2013, where Chinese phishers are victimising the country’s growing online population, the Anti-Phishing Working Group’s Global Phishing Survey for Second Half of 2013 found.

The report found Chinese phishers were responsible for 85 percent of the domain names that were registered for phishing. But it wasn’t all bad news on the phishing front with the average uptimes of phishing attacks declining and close to historic lows, pointing to some success by anti-phishing responders.

Additionally, the companies (brands) targeted by phishing were diverse, with many new targets, indicating that e-criminals are looking for new opportunities in new places. The report also found mass hackings of vulnerable shared hosting providers led to 18 percent of all phishing attacks.

While the number of phishing URLs reported in the second half of 2013 numbered in the millions, the number of unique phishing attacks and domain names used to host them was much smaller. In the six month period there were at least 115,565 unique phishing attacks worldwide, nearly a 60 percent increase over the 72,758 seen the first half of 2013, but less than the 123,486 attacks we observed in the second half of 2012.

Most of the growth in attacks came, according to the APWG report, from phishing that used maliciously registered domains and subdomains. An attack is defined as a phishing site that targets a specific brand or entity. A single domain name can host several discrete phishing attacks against different banks, for example.

The phishing attacks occurred on 82,163 unique domain names. Again, this is up from the 53,685 domains used in the first half of 2013. The growth was much larger than the increase in the number of domain names in the world that grew from 261 million in April 2013 to 271.5 million in November 2013.

Of the 82,163 phishing domains, the report identified 22,831 domain names that the APWG believes were registered maliciously by phishers, the highest number in the seven years the APWG has been counting; 19,348 (85%) were registered to phish Chinese targets. This is significantly higher than the 12,175 found in the first half of 2013, and the 5,835 found in the second half of 2012.

These 22,831 maliciously registered domains were registered in 39 different TLDs at registrars in China, the US, and Europe and hosted in China, the US, and elsewhere. The registrations clustered around ten TLDs including the .TK, .CF, .GA, and .ML registries that are all run by Freenom, a Netherlands-based company that offers free domain name registrations. The company makes money through monetising the traffic to the expired domains.

As the report notes, Freenom has operated .TK under the free model for several years, and added .CF, .GA, and .ML to its programme during the second half of 2013. Freenom gives accredited interveners access to directly suspend domains in the .TK registry. (These partners include Facebook, Internet Identity, and the Anti-Phishing Alliance of China.) However, the mitigation of the malicious registrations lagged in Freenom’s new spaces — .CF, .GA, and .ML all had uptimes that were above the global average and median.

Brands were, as usual, a target, with 681 unique target institutions during the six month period, down slightly from the 720 found in the second half of 2012. Of the 681 targets that were phished in the second half of 2013, almost half of them — 324 to be precise — were not phished in the first half of 2013. This, the report notes, is an unusual amount of “churn” or turnover and shows phishers trying out new targets. They appear to be looking for companies that are newly popular, have vulnerable user bases, and/or are not ready to defend themselves against phishing.

Overall, the TLD with the most phishing attacks for the six months was .com with 46.4 percent (and 42.4% of global domain registrations) followed by .net (5.5%) and .tk (Tokelau – 4.5%). The .tk TLD is one of the free domains the report noted. Following was .br (Brazil – 3.2%), IP-based attacks (2.1%), .pn (Pitcairn Island – 1.9%), .me (Montenegro – 1.8%), .info (1.6%) and .ru (Russia – 1.5%). The remaining 27.3 percent came from 201 TLDs.

But the TLD with the most phishing domains per domains registered was .np (Nepal) with 27.1 phishing domains per 10,000 registrations and 32,500 registrations. In the top ten, those TLDs with more than 100,000 registrations were .pw (Palau) with a phishing per 10,000 domains score of 26.4 who came in second, .cl (Chile – 18.2) was fourth, .gr (Greece – 10.2) was sixth, .id (Indonesia – 10.2) and .br (Brazil – 9.1).

For registrars, the top nine with domains used for phishing on a registrations per 10,000 domains are located in China. This is due, the report notes, to the fact that Chinese phishers tend to register domain names for their phishing, and use Chinese registrars regularly. Domains registered at the Chinese registrars were often used to phish Chinese targets such as Alibaba, Taobao.com, and CCTV, but were also used to occasionally phish outside targets such as Facebook and PayPal.

For more information, check out the 30 page APWG report available for download from:
There is also a Phishing Activity Trends Report for the 4th Quarter 2013 titled Unifying the Global Response To Cybercrime available from: