Tag Archives: APWG

APWG Q2 Cybercrime Report: Phishing Sustains Elevated ‘New Normal’ Attack Volume Into the Middle of 2021

[news release] The APWG’s new Phishing Activity Trends Report reveals that phishing sustained near-record levels through the first half of 2021, after doubling over the course of 2020. APWG saw 222,127 attacks in June 2021, which was the third-worst month in APWG’s reporting history.

M3AAWG/APWG Report Finds GDPR Impact on WHOIS Impedes Criminal Investigations

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) and the Anti-Phishing Working Group (APWG) have again collaborated on a survey of cyber investigators and anti-abuse service providers, to understand how ICANN’s application of the European Union’s General Data Protection Regulation (GDPR) has affected the distributed WHOIS service and anti-abuse work. The resulting report, published in June, discusses the effect of the Temporary Specification on anti-abuse actors’ access to and use of domain name registration information, which is central to many types of investigation.

APWG REPORT: Phishing Attacks Double in 2020 and October Shatters All-Time Monthly Records

[news release] The APWG’s new Phishing Activity Trends Report reveals that the number of phishing attacks observed by APWG members grew through 2020, fully doubling over the course of the year. Attacks peaked in October 2020, with a high of 225,304 new phishing sites appearing in that month alone, breaking all previous monthly records.

Latest APWG Report On Phishing Attacks Finds Most BEC Attacks Mounted With Deceptive Domain Names Registered By Five Registrars

[news release] The Anti-Phishing Working Group’s (APWG) new Phishing Activity Trends Report reveals a rise in reported phishing since March of 2020. In August and September of 2020, the APWG logged 200,000 phishing sites per month — with more than 500 separate brands attacked by phishers each month in the quarter.

Repurposed ccTLDs Showing Higher Levels of Phishing: APWG

Some of the TLDs with the highest levels of domain names used for phishing are “repurposed” ccTLDs – those where management rights have been granted to third parties who have then commercialised the TLDs, according to the latest Phishing Activity Trends Report, covering the third quarter of 2018, from the Anti-Phishing Working Group. Among those with the highest levels are .tk, .ml, .ga, .cf and .gq, which are all operated by a Dutch company that offers domain names in those TLDs free of charge, while .pw is operated by a company based in India. But there are also ccTLDs outside this description with a higher than expected number of phishing domain names, such as .br, .ru, .in and .au.

The TLD with the most phishing domain names was, unsurprisingly, .com, which had 922 domain names (out of a total of 137.6 million), followed by .org with 80 out of 10.3 million and then .net with 78 out of 14.1 million. They were followed by .pw with 53 phishing domain names, .info (43 out of 5.0 million) and .br (41 out of 4.0 million). The first new gTLD on the list, .xyz, was seventh with 30, then .ml and .ru (28 each), .in and .tk (24 each, .tk out of 21.5 million), .ga and .uk (23 each, .uk out of 11.9 million), .cf and .gq (22 each), .au and .top (20 each, out of 3.2 and 3.9 million respectively), while .business (17 out of 63,000) and .agency and .co (15 each, .agency out of 64,000) rounded out the top 20.

“Sometimes it is easy to discount the total volume of abuse in a TLD if the TLD has a large number of domains in it,” said Jonathan Matkowsky of RiskIQ. “We assigned a weighted score against the total number of domains in each zone, looking at TLDs where there were at least five unique domain names used for phishing, as a way of understanding the size of the zone and the phishing prevalence in it. After discounting the number of unique hosts by the relative size of those zones, .TOP and .XYZ were still the new gTLDs that scored highest.”

There has also been a growth in websites using web addresses with https, which is supposedly more secure. APWG notes that at the end of 2016, less than 5% of phishing sites were found on HTTPS infrastructure. In the third quarter of 2018, PhishLabs saw the number of phishing web sites using SSL/TLS encryption increase to 49.4%, up from 35.2% in the second quarter.

“This is likely a result of attackers obtaining certificates for use on their own infrastructure, and in general, as more legitimate Web sites obtain SSL certificates, some of those will naturally become compromised by phishers,” John LaCour, the Chief Technology Officer of PhishLabs, noted. “As of July 2018, the Google Chrome browser began to warn users that plain HTTP sites are ‘not secure’, and that will drive more web site owners to use HTTPS. So over time we expect that most phishing sites will use SSL certificates. Certificate authorities that offer free certificates will be increasingly abused by phishers in the future.”

APWG and M3AAWG Survey Finds ICANN’s GDPR Response Impeding Cyber Investigations

A joint APWG-M3AAWG survey of over 300 cybercrime responders and anti-abuse personnel indicates that ICANN’s Temporary Specification, its response on how to deal with the European Union’s General Data Protection Regulation for domain name WHOIS data, has eliminated interventions that previously allowed investigators to stop new cybercrimes while still in the preparatory stages — and has markedly impeded routine mitigations for many kinds of cybercrime.

With responses from 327 professionals, the survey revealed that losing the ability to attribute domain names to criminals or to victims of abuse has irreparably eliminated investigators’ capacity to issue warnings about new abuses that known bad actors are perpetrating, even when the WHOIS registrant data uses a pseudonym, according to Peter Cassidy, Anti-Phishing Working Group (APWG) Secretary General.

According to survey respondents, ICANN’s Temporary Specification for gTLD Registration Data, established in May in response to the GDPR, impedes investigations of cybercrime – from ransomware attacks to the distribution of state-sponsored strategic disinformation. Analysis of the survey responses reveals that:

  • Cyber-investigations and mitigations are impeded because investigators are unable to access complete domain name registration data.
  • Requests to access non-public WHOIS by legitimate investigators for legitimate purposes under the provisions of the Temp Spec are routinely refused.

“The biggest impact has been to determine who has registered a criminal/fraudulent domain, and the ability to use that information to find other domains registered by the same actor. That devastates our ability to find all of the fraudulent domains registered by the same entity,” one typical respondent wrote in the APWG-M3AAWG GDPR and WHOIS User Survey report.

APWG and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) concluded their analysis with recommendations for ICANN to:

  • Establish a mechanism for WHOIS data access by accredited, vetted qualified security actors.
  • Restore redacted WHOIS data of legal entities.
  • Adopt a contact data access request specification for consistency across registrars and gTLD registries.
  • Establish a WHOIS data access scheme that does not introduce delays in collecting or processing and is not burdened by per-request authorizations.
  • Reassess the current redaction policy and consider replacing restricted personal data with secure hashes that can be used as a proxy for tracing criminal actors across data resources.
  • Publish point of contact email addresses to provide investigators with an effective means of identifying domains associated with a victim or person of interest in an investigation.

The survey was submitted to ICANN on Oct. 18 by the Anti-Phishing Working Group and the Messaging, Malware and Mobile Anti-Abuse Working Group.

The full survey can be found at www.m3aawg.org/WhoisSurvey2018-10 or docs.apwg.org/reports/ICANN_GDPR_WHOIS_Users_Survey_20181018.pdf.

SIDN Fighting Abuse in .NL

Abuse is all too common in top level domains. For 2016 the Anti-Phishing Working Group reported that phishing occurred in 454 TLDs, including 228 new gTLDs. So that abuse occurs in any given TLD is not surprising. But how the TLD goes about fighting it, or not, can be of interest.

Recently SIDN, the registry for .nl (Netherlands) published a blog post on abuse in .nl. “Abuse is a growing problem, according to Lilian van Mierlo, [SIDN’s] Registration & Service Manager. ‘There are some types of abuse that we used to get reports about maybe ten times a year, and now we’re getting a thousand reports about. Or more! It’s not just that there’s more abuse going on. The abuse is also becoming more sophisticated. Most phishing sites used to stand out a mile, with clumsy layouts and machine-translated text. Whereas a lot of them nowadays are hard to tell apart from the real thing.’”

SIDN works in partnership with registrars, hosting service providers, consumer organisations, government agencies and bodies such as the Fraud Help Desk and others where appropriate to fight abuse.

“In recent years, anti-abuse work has been taking up more and more of my department’s time,” Lilian continues. “It was easy to see that teaming up with others active in the field made sense. Collaboration is organised through Support4Abuse20 (“support for abuse to zero”). And it means we’re able to fight abuse on three fronts. We tackle phishing and malware through abuse204.nl, we act to get fake webshops taken down, and we respond to botnets via the Abuse Information Exchange.”

Explaining Abuse204.nl, the article explains:
“Abuse204.nl (abuse to zero for .nl) is an initiative designed to clamp down on phishing and malware. At the heart of the system is a feed provided by Netcraft, an international company that tracks malware and phishing. Netcraft collates abuse reports and checks their validity. A monitoring system then automatically e-mails the abuse reporting address of any domain linked to phishing or malware. If the domain doesn’t have a dedicated abuse reporting mailbox, all the contacts for the domain name are mailed. The aim being to get a message through the right person in the chain as soon as possible. R&S keeps watch over the system to see whether the automated e-mails trigger a response. In many cases, the registrar or hosting firm will intervene when they get an alert. If that doesn’t happen, we ask the registrars whether we can help. Where necessary we’ll follow that up with a reminder. Since we started abuse204.nl, we’ve managed to cut the average time-to-live of phishing and malware sites substantially.”

“Fake webshops have been around for years, but recently they’ve been getting more common. Even in the .nl domain, sadly. It’s a simple scam: offer attractive goods for sale, but never send them to the buyers, or only send fakes. Interestingly, sham webshops often use domain names that don’t match what they’re supposedly selling. So you might get shoes being sold using an address that looks as if it belongs to a housing advice service. The logic seems to be that a domain name that’s been in use before will feature higher in search results. The strategy is helped by the fact that other genuine sites often still have links to a previously used domain. And the more visitors the scammers can attract, the more they can earn. There isn’t a lot that we can do about fake webshops. But that doesn’t stop us doing what we can. We check the registration data of domain names used for suspect webshops, because it often turns out to be false. The registrant might be a non-existent person, for example. Or a real person who has nothing to do with the registration. Giving false information is against our terms and conditions, and that gives us leverage. We ask the registrant to provide valid details, and if they don’t we cancel the registration. So the fake webshop can’t make use of the name.”

The post also explains the Abuse Information Exchange that is used to fight botnets, and why it’s vital to act quickly.

As a result, .nl is “one of the most secure internet domains in the world”.

“If we can keep it that way, all the effort’s worthwhile,” van Mierlo says. “But we have to be realistic: it’s impossible to eliminate abuse completely. Crooks are getting smarter all the time and we will always be one step behind. Cybercrime is even being marketed as a service these days. But none of that should deter us from doing all we can to make .nl less attractive to scammers.”

To read the blog post in full on the SIDN website, see:

2016 World’s Worst Year for Phishing. Ever! Says APWG. With Attacks on 195,000 Domain Names.

Phishing attacks increased by 65% in 2016 over 2015 to be the worst year for phishing in history according to APWG’s new Phishing Activity Trends Report [pdf]. According to the report the total number of phishing attacks in 2016 was 1,220,523.

The end of 2016 was also an opportunity to reflect on how phishing has grown over the years. In the fourth quarter of 2004, the APWG saw 1,609 phishing attacks per month. In the fourth quarter of 2016, the APWG saw an average of 92,564 phishing attacks per month — an increase of 5,753 percent over 12 years. The number of phishing attacks has generally increased year on year over the past ten years, indicating a consistent trend. Forthcoming APWG reports will provide additional dimensions of data for further analysis.

“Phishing is an attack that relies primarily on fooling people, rather than highly sophisticated technical implementations,” said APWG Senior Research Fellow and iThreat VP Greg Aaron. “For that reason, phishing remains both popular and effective. Also, the APWG’s numbers for 2016 just measure broad-based attacks against consumer brands. The numbers don’t attempt to catalog spear-phishing, which is highly targeted phishing that targets only a few specific people within a company. Truly, phishing is more pervasive and harmful than at any point in the past.”

There were at least 255,065 unique phishing attacks worldwide, according to the report, an increase of over 10% from the 230,280 attacks identified in 2015. An attack is defined as a phishing site that targets a specific brand or entity. A single domain name can host several discrete phishing attacks against different banks, for example.

The attacks occurred on 195,475 unique domain names. This is the most the APWG has recorded in any year since it began these reports in 2007. The number of domain names in the world grew from 287.3 million in December 2014 to 329.3 million in December 2016.

Of the 195,475 domains used for phishing, 95,424 domain names were believed to be registered maliciously by phishers. This is an all-time high, and almost three times as many as the number found in 2015. A little over half of these registrations were made by Chinese phishers. The other 100,051 domains were almost all hacked or compromised on vulnerable Web hosting. This means that nearly half of all domains that hosted phishing sites were maliciously registered.

Seventy-five percent of the malicious domain registrations were in just four TLDs: .COM (with 58% of the malicious domains), .CC (14%), .PW (3%) and .TK (3%), and more than 90% of malicious domains were found in just 14 TLDs. The TLDs in places 5 to 14 were .info, .net, .ga, .top, .cf, .ml, .cn, .gq, and .ve. The registrars these domain names were registered with were dominated by Chinese registrars.

In addition, 6,373 attacks were detected on 5,378 unique IP addresses, rather than on domain names. There were no phish of any kind observed on IPv6 addresses.

The APWG counted 679 targeted brands. This dropped from 783 in 2015. Phishers are still creating kits dedicated to attacking both popular targets and new targets.

Phishing occurred in 454 top level domains (TLDs). 228 were new generic TLDs launched since 2013.

One hundred and eighty-six of the 195,475 domain names were internationalised domain names (IDNs). None involved homographic attacks, but some displayed deceptive messages in the translated domain names.

Axur, a Brazilian company that concentrates on protecting companies and their users in Brazil, found that fraudsters in Brazil are using both traditional phishing and social media to defraud Internet users. They are also using technical tricks to make it harder for responders to stop these scams and filter them before they reach end users. “Criminals are re-inventing themselves all the time,” said Fabio Ramos, CEO of Axur. “We’ve seen a decrease in the numbers of regular phishing attacks – and an increase in other methods of fraud, such as malware fake services advertised through social media platforms.”

APWG member RiskIQ examined how phishing victims are fooled by phishers – not by the address in the browser bar, but by hyperlinks (which must be hovered over to even see the destination domain), URL shorteners, which mask the destination domain, or brand names inserted elsewhere in the URL.

“A relatively low percentage of phishing websites targeting a brand attempt to spoof that brand in the domain name—whether at the second-level or in the fully-qualified domain name,” says Jonathan Matkowsky, VP for intellectual property & brand security at RiskIQ. This is evidence that phishers do not need to use deceptive domain names to fool Internet users into visiting their sites.

To download the APWG Phishing Activity Trends Report, see:

DomainTools Launches New Cyber Threat Solution, PhishEye, to Stop Phishing Attacks Before They Occur

[news release] DomainTools, the leader in domain name and DNS-based cyber threat intelligence, today announced the launch of PhishEye, a simple yet effective new security solution that helps to prevent phishing attacks before they happen.

Powered by DomainTools’ market-leading domain name discovery and profiling systems, PhishEye automates the process of identifying look-alike domains that spoof brand, product, or organization names. Security teams that use PhishEye can rely on DomainTools to identify potential domain-based threats and proactively defend networks against future phishing attacks.

Phishing activity is at an all-time high, causing significant financial and brand damage. In fact, fake website and phishing scams cost the average-sized organization nearly $4 million annually, as noted in a recent report by the Ponemon Institute. What’s more, the Anti-Phishing Working Group (APWG) observed 466,065 unique phishing sites in the second quarter of 2016 alone, up 61 percent over the previous quarter and almost three times the number observed in the fourth quarter of 2015. With phishing attacks showing no signs of slowing down, proactive monitoring solutions which leverage DNS data have never been more necessary for organizations of all sizes and industries.

“Phishing campaigns are fundamentally trying to trick your employees or customers, and the ‘trick’ often involves a look-alike domain and website. To build an effective phishing prevention product it helps to have a very thorough mapping of domains in DNS today as well as highly effective and timely domain discovery systems, two things DomainTools is exceedingly good at,” said Tim Chen, CEO, DomainTools. “We created PhishEye for enterprises looking for a simple and effective way to automate the process of discovering phishing threats lurking on the internet well before they are activated.”

PhishEye’s highly intelligent typo and substring matching algorithm, working in concert with DomainTools’ proprietary Domain Reputation Engine, automates the discovery and notification of potentially nefarious domains very close to their actual registration time. These domains can then be entered into spam filters, firewalls, and other security systems to protect against phishing attacks on your network, or pushed into DomainTools Iris for further investigation and attribution.
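The release describes typo and substring matching against newly registered domains but does not publish PhishEye's algorithm. The following is an added example, not DomainTools code, of how a defender can run that kind of check over a domain feed: it generates every label within one edit (deletion, transposition, substitution, insertion) of a brand label and also flags domains that merely contain the brand as a substring. The brand name `examplebank`, the feed entries, and the rule that the registrable label is the one left of the last dot (public suffixes such as `.co.uk` are ignored here) are all constructed assumptions.

```python
"""Look-alike domain matching over a feed of new registrations.

Added example, not DomainTools or APWG code. The brand and the feed
below are constructed; the matching rules are a simple illustration of
typo and substring matching, not PhishEye's actual algorithm.
"""

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def one_edit_variants(label: str) -> set:
    """Every label exactly one edit away from `label`: a deleted, transposed,
    substituted or inserted character (the classic spelling-corrector set)."""
    splits = [(label[:i], label[i:]) for i in range(len(label) + 1)]
    deletes = {a + b[1:] for a, b in splits if b}
    transposes = {a + b[1] + b[0] + b[2:] for a, b in splits if len(b) > 1}
    replaces = {a + c + b[1:] for a, b in splits if b for c in ALPHABET}
    inserts = {a + c + b for a, b in splits for c in ALPHABET}
    return (deletes | transposes | replaces | inserts) - {label}


def registrable_label(domain: str) -> str:
    """Assumption: the label immediately left of the last dot is the one the
    registrant chose (multi-label public suffixes are not handled here)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, brands) -> tuple:
    """Return (kind, brand) for a look-alike, or (None, None) if the domain is
    either the brand's own exact label or unrelated to every brand."""
    label = registrable_label(domain)
    for brand in brands:
        brand = brand.lower()
        if label == brand:
            return (None, None)            # the brand's own registration
        if brand in label:
            return ("substring", brand)    # e.g. examplebank-login
        if label in one_edit_variants(brand):
            return ("typo", brand)         # e.g. exanplebank, exmaplebank
    return (None, None)


def scan_feed(feed, brands) -> list:
    """Walk a list of newly registered domains and return the hits in feed
    order as (domain, kind, brand) tuples, ready for a blocklist or review."""
    hits = []
    for domain in feed:
        kind, brand = classify(domain, brands)
        if kind is not None:
            hits.append((domain, kind, brand))
    return hits


# Constructed sample feed of "new registrations" for the demonstration.
NEW_REGISTRATIONS = [
    "examplebank.com",          # the brand itself: not a hit
    "examplebank-login.com",    # substring match
    "exanplebank.net",          # substitution m -> n
    "exmaplebank.com",          # adjacent transposition
    "examplebnk.org",           # deleted character
    "weather.example",          # unrelated
    "secure-examplebank.co",    # substring match
]

if __name__ == "__main__":
    for domain, kind, brand in scan_feed(NEW_REGISTRATIONS, ["examplebank"]):
        print(f"{domain:28} {kind:10} spoofs {brand}")
```

A one-edit neighbourhood is deliberately narrow: it catches the fat-finger variants a registrant types, while the substring rule catches the `brand-login` and `secure-brand` pattern. Homoglyph and multi-edit variants would need a larger candidate set, at the cost of more review work per hit.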

To learn more about PhishEye and how DomainTools is protecting organizations from phishing attacks, or to request a demo, please visit: domaintools.com/products/phisheye.

About DomainTools
DomainTools helps security analysts turn threat data into threat intelligence. We take indicators from your network, including domains and IPs, and connect them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work. Learn more about how to connect the dots on malicious activity at domaintools.com or follow us on Twitter: @domaintools

This news release was sourced from:

Phishers Continue Targeting Companies, But Limited Interest in New gTLDs: APWG

New companies are constantly being targeted by phishers, with some phishers attacking targets where consumers may least expect it, while the ten companies that are targeted most often by phishers are attacked constantly, sometimes more than 1,000 times per month. These are some of the findings of the Global Phishing Survey for the Second Half of 2014, released by the Anti-Phishing Working Group (APWG) on Wednesday.

The report found phishing occurred in 272 top level domains (TLDs), 56 of them new gTLDs. The number of domain names used for phishing has reached an all-time high, but interest in new gTLDs has so far been limited. However, with the registration fees for some of the new gTLDs dropping to below .com prices, the APWG believes this will attract phishing and other kinds of abuse.

The report also notes that tens of thousands of domains in the new gTLDs are being consumed by spammers and are being blocklisted by providers such as Spamhaus and SURBL. So while relatively few new gTLD domains have been used for phishing, the total number of them being used maliciously is much higher.

Of the new gTLDs, the largest, .xyz, had the most phishing domains with 288. The .xyz gTLD became notorious when Network Solutions gave its .com registrants a .xyz domain. But only four of the .xyz domains were registered with Network Solutions. Most of the .xyz phishing registrations (298) were made at Xin Net and other Chinese registrars, and were used to attack Chinese targets. A lesson here, the report notes, is that when it comes to abuse, who can obtain domains in a TLD (and in what quantities) may be as important as the (low) price of the domain. .XYZ had a phishing-per-10,000-domains score of 3.6, which was just slightly above the average of 3.4 for all TLDs, and lower than .com’s score of 4.7.

Only 1.9 percent of all domain names that were used for phishing contained a brand name or a variation thereof.

According to the report, there were at least 123,972 unique phishing attacks worldwide during the six-month period. This was almost the same number as in the first half of 2014, and the most seen in a six-month period since the second half of 2009. The APWG defines an attack as a phishing site that targets a specific brand or entity. A single domain name can host several discrete phishing attacks against different banks, for example.

These attacks occurred on 95,321 unique domain names, the most ever recorded in a half-year period. The number of domain names in the world grew from 279.5 million in April 2014 to 287.3 million in December 2014.

Of the 95,321 phishing domains the APWG identified, 27,253 are believed to have been registered maliciously by phishers. This is an all-time high, and much higher than the 22,629 identified in the first half of 2014. Most of these registrations were made by Chinese phishers. The other 68,303 domains were almost all hacked or compromised on vulnerable Web hosting.

The registrations were concentrated in just five TLDs, with seventy-five percent of the malicious domain registrations in .com, .tk, .pw, .cf and .net.

In addition, 3,582 attacks were detected on 3,095 unique IP addresses, rather than on domain names. None were observed on IPv6 addresses.

There were also 569 targeted institutions, down significantly from the all-time high of 756 observed in the first half of 2014.

The average uptime in the second half of 2014 was 29 hours and 51 minutes. The median uptime in the six-month period increased to 10 hours 6 minutes, meaning that half of all phishing attacks stay active for slightly more than 10 hours.
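Both the RiskIQ weighting in the Q3 2018 report above and the phishing-per-10,000-domains score in this 2H 2014 report normalise raw phishing counts by zone size, and RiskIQ only scored zones with at least five unique phishing domains. The following is an added example, not APWG or RiskIQ code, that carries that computation through and contrasts it with a raw-count ranking. Every TLD count and zone size in it is constructed for illustration and is not a figure from either report.

```python
"""Phishing prevalence per 10,000 registered domains, with a minimum-count
threshold, as described in the APWG reports.

Added example, not APWG or RiskIQ code. All counts below are constructed.
"""
from dataclasses import dataclass

MIN_PHISHING_DOMAINS = 5   # RiskIQ scored only zones with >= 5 unique phishing domains


@dataclass(frozen=True)
class TldStats:
    tld: str
    phishing_domains: int   # unique domain names seen hosting phishing
    zone_size: int          # total registered domains in the zone


def score_per_10k(stats: TldStats) -> float:
    """Phishing domains per 10,000 registered domains in the zone."""
    if stats.zone_size <= 0:
        raise ValueError(f"zone size for {stats.tld} must be positive")
    return stats.phishing_domains / stats.zone_size * 10_000


def rank_by_raw_count(data) -> list:
    """Naive ranking by absolute phishing count: big zones always lead."""
    return [s.tld for s in sorted(data, key=lambda s: (-s.phishing_domains, s.tld))]


def rank_by_prevalence(data, min_phishing: int = MIN_PHISHING_DOMAINS) -> list:
    """(tld, score) pairs, highest prevalence first. Zones below the threshold
    are dropped so that two or three phish in a tiny zone cannot dominate."""
    eligible = [s for s in data if s.phishing_domains >= min_phishing]
    scored = [(s.tld, round(score_per_10k(s), 2)) for s in eligible]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def average_per_10k(data) -> float:
    """Prevalence across all zones pooled, the 'average for all TLDs' figure."""
    total_phish = sum(s.phishing_domains for s in data)
    total_zone = sum(s.zone_size for s in data)
    return round(total_phish / total_zone * 10_000, 2)


# Constructed sample: a huge zone with many phish, smaller zones with fewer,
# and one tiny zone that would top a naive per-10k ranking on three phish.
SAMPLE = [
    TldStats(".com", 920, 100_000_000),
    TldStats(".tk", 50, 200_000),
    TldStats(".xyz", 30, 40_000),
    TldStats(".top", 20, 50_000),
    TldStats(".agency", 3, 1_000),   # below threshold: excluded from prevalence ranking
]

if __name__ == "__main__":
    print("raw count :", rank_by_raw_count(SAMPLE))
    print("per 10k   :", rank_by_prevalence(SAMPLE))
    print("pooled avg:", average_per_10k(SAMPLE))
```

On this constructed data the raw count puts .com first, while the weighted view puts the small zones ahead of it, which is exactly the effect Matkowsky describes. The threshold keeps .agency out: three phish against a thousand domains would otherwise score 30 per 10,000 and swamp everything else.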