APWG Global Phishing Survey – Registered malicious domains increased in H2 2014

Pierluigi Paganini June 03, 2015

The APWG Global Phishing Survey 2H2014 seeks to understand what the phishers are doing, and how, by quantifying the scope of the global phishing problem.

The Anti-Phishing Working Group (APWG) has published the “Global Phishing Survey 2H2014”, a report that comes with some interesting numbers on phishing activities. The report states that in the second half of 2014 the number of domain names used for phishing broke a record: at least 123,972 unique attacks were observed all over the world, reaching the amazing figure of 95,321 unique domain names.

“Of the 95,321 phishing domains, we identified 27,253 domain names that we believe were registered maliciously, by phishers,” the report says. “This is an all-time high, and much higher than the 22,629 we identified in 1H2014. Most of these registrations were made by Chinese phishers. The other 68,303 domains were almost all hacked or compromised on vulnerable Web hosting.”

Below are the key findings of the Global Phishing Survey 2H2014 report:

  • We identified 27,253 domain names that we believe were registered maliciously, by phishers. This is an all-time high, and much higher than the 22,629 we identified in 1H2014. Most of these registrations were made by Chinese phishers. The other 68,303 domains were almost all hacked or compromised on vulnerable Web hosting.
  • Seventy-five percent of the malicious domain registrations were in just five TLDs: .COM, .TK, .PW, .CF, and .NET.
  • In addition, 3,582 attacks were detected on 3,095 unique IP addresses, rather than on domain names. (For example: http://77.101.56.126/FB/) We did not observe phish of any kind on IPv6 addresses.
  • We counted 569 targeted institutions. This is down significantly from the all-time high of 756 we observed in 1H2014.
  • The average uptime in 2H2014 was 29 hours and 51 minutes. The median uptime in 2H2014 increased to 10 hours 6 minutes, meaning that half of all phishing attacks stay active for slightly more than 10 hours.
  • Phishing occurred in 272 top-level domains (TLDs). Fifty-six of them were new top-level domains.
  • Only 1.9 percent of all domain names that were used for phishing contained a brand name or variation thereof. (See “Compromised Domains vs. Malicious Registrations”)

To give you an idea of the record numbers in the second half of 2014, the Global Phishing Survey 2H2014 includes a table comparing malicious activities over the years:

[Table: APWG Global Phishing Survey 2H2014 phishing activities]

“Phishers continued to attack Apple, PayPal, and Taobao.com heavily. Each of these three e-commerce giants suffered over 20,000 phishing attacks against their respective services and brands. Together, these top three were the targets of nearly 54 percent of the world’s phishing attacks. The next seven brands were targeted for a combined 23 percent of all phishing attacks — meaning the top 10 targets accounted for over three quarters of all phishing attacks observed worldwide. The number of times that the targets were attacked follows a long tail. Half of the targets were attacked four or fewer times during the six-month period (up from three times in 1H2014). One hundred and fifty-eight targets were attacked only once each in the period.”

Other interesting trends highlighted in the Global Phishing Survey 2H2014 report are:

  • New companies are constantly being targeted by phishers. Some phishers are attacking targets where consumers may least expect it.
  • The ten companies that are targeted most often by phishers are attacked constantly, sometimes more than 1,000 times per month. Together the top ten targets suffered more than three-quarters of all the phishing attacks observed worldwide.
  • The number of domain names used for phishing reached an all-time high.
  • Phishing in the new top-level domains started slowly. We expect to see phishing levels in them rise as time goes on.
  • Chinese phishers were responsible for 85% of the domain names that were registered for phishing. These phishers started using .CN domains more frequently.
  • Phishing attacks were not mitigated as quickly. The median uptime of phishing attacks increased to 10 hours 6 minutes — up from 8 hours and 42 minutes in 1H2014. This means that phishing attacks were not being shut down as efficiently in the critical first hours, when most victims fall prey.
  • If attacks are divided by industry, we can clearly see that the markets involving money are the most targeted, as can be seen in the next chart:

[Chart: APWG Global Phishing Survey 2H2014 attacks by industry]

As the report notes, “These show criminals seeking the credentials of consumers in places where consumers may least expect it. Phishers target wide-ranging targets for several reasons. One is to perform credit card theft, and hitting new targets may lull consumers into a false sense of security. The phishers can also monetize stolen data through reshipping fraud, a tactic that remains popular. Phishers also steal usernames and passwords from one site in order to try those credentials on other sites. Many consumers re-use usernames and passwords, and this poor habit can be costly. If a site is getting phished for the first time, it may have been targeted by a more sophisticated phisher, who had the skill to design a new phishing template.”

You can check the full Global Phishing Survey 2H2014 report here:

http://apwg.org/download/document/245/APWG_Global_Phishing_Report_2H_2014.pdf

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics, and ethical hacking. He had previous experiences in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog: http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – APWG Global Phishing Survey 2H2014, phishing)


