Of all domains registered for phishing in the second half of 2013, 85 percent were registered by Chinese phishers, according to a report by the Anti-Phishing Working Group (APWG). The overall number of phishing attacks worldwide greatly increased in the second half of 2013 over the first half, but was lower than the second half of 2012.
The “Global Phishing Survey: Trends and Domain Name Use in 2H2013” was authored by Greg Aaron of Illumintel and Rod Rasmussen of Internet Identity. It delves into phishing uptime, domains and registrars used, and tactics used. It has been published semi-annually since 2007.
The survey found over 82,000 domains used for phishing. Just under 23,000 (27 percent) were maliciously registered by phishers, the largest number ever found. The remaining domains were mostly “hacked or compromised on vulnerable web hosting.”
Of maliciously registered domains, 85 percent were registered to phish targets among China’s rapidly growing online community. Chinese phishers use maliciously registered domains rather than compromised ones much more often than those in other countries.
The average and median uptimes of phishing operations decreased from the first half of 2013 to the second half and were near the historic lows reached in the first half of 2012. This suggests some responses are proving effective.
The APWG cites a number of national TLDs as particularly vulnerable, showing similar results to Netcraft’s September 2013 phishing report. Netcraft found Mali to have a huge phishing problem after offering free .ml domains. APWG will also closely watch the rollout of new TLDs, although .com is still the extension of over 46 percent of phishing sites.
Among registrars, GoDaddy is singled out in the survey for holding nearly half of the gTLD market yet sponsoring only 7 percent of malicious gTLD phishing registrations. The top 9 registrars for malicious domains are Chinese companies, led by Ninhand Networks at 47 malicious domains per 10,000.
The survey also points out that almost 21,000, or 18 percent, of all phishing attacks worldwide originated from only 178 mass break-ins. These attacks were shared virtual server hacks, in which each domain on a web server hosting a large number of domains is updated with phishing content at the same time. The survey also notes the similarity of the underlying vulnerabilities to those which are exploited in some large-scale DDoS attacks.
Subdomain registrations accounted for 15 percent of attacks during the survey period.
Phishing targets are often banks, such as ICBC, but phishing received a spike in media attention following reports of the use of fake LinkedIn and Slashdot pages by GCHQ during the survey period.