APWG Global Phishing Survey – Registered malicious domains increased in H2 2014

The APWG Global Phishing Survey 2H2014 seeks to understand what the phishers are doing, and how, by quantifying the scope of the global phishing problem.

The Anti-Phishing Working Group (APWG) has published the “Global Phishing Survey 2H2014”, a report with some interesting numbers on phishing activity. According to the report, the number of domain names used for phishing broke a record in the second half of 2014: at least 123,972 unique attacks were observed all over the world, with the number of unique domain names reaching the amazing figure of 95,321.

“Of the 95,321 phishing domains, we identified 27,253 domain names that we believe were registered maliciously, by phishers. This is an all-time high, and much higher than the 22,629 we identified in 1H2014. Most of these registrations were made by Chinese phishers. The other 68,303 domains were almost all hacked or compromised on vulnerable Web hosting.”

Below are the key findings of the Global Phishing Survey 2H2014 report:

  • We identified 27,253 domain names that we believe were registered maliciously, by phishers. This is an all-time high, and much higher than the 22,629 we identified in 1H2014. Most of these registrations were made by Chinese phishers. The other 68,303 domains were almost all hacked or compromised on vulnerable Web hosting.
  • Seventy-five percent of the malicious domain registrations were in just five TLDs: .COM, .TK, .PW, .CF, and .NET.
  • In addition, 3,582 attacks were detected on 3,095 unique IP addresses, rather than on domain names. (For example: http://77.101.56.126/FB/) We did not observe phish of any kind on IPv6 addresses.
  • We counted 569 targeted institutions. This is down significantly from the all-time high of 756 we observed in 1H2014.
  • The average uptime in 2H2014 was 29 hours and 51 minutes. The median uptime in 2H2014 increased to 10 hours 6 minutes, meaning that half of all phishing attacks stay active for slightly more than 10 hours.
  • Phishing occurred in 272 top-level domains (TLDs). Fifty-six of them were new top-level domains.
  • Only 1.9 percent of all domain names that were used for phishing contained a brand name or variation thereof. (See “Compromised Domains vs. Malicious Registrations”.)

To give you an idea of the record numbers in the second half of 2014, the Global Phishing Survey 2H2014 includes a table comparing malicious activities over the years:

“Phishers continued to attack Apple, PayPal, and Taobao.com heavily. Each of these three e-commerce giants suffered over 20,000 phishing attacks against their respective services and brands. Together, these top three were the targets of nearly 54 percent of the world’s phishing attacks. The next seven brands were targeted for a combined 23 percent of all phishing attacks — meaning the top 10 targets accounted for over three quarters of all phishing attacks observed worldwide. The number of times that the targets were attacked follows a long tail. Half of the targets were attacked four or fewer times during the six-month period (up from three times in 1H2014). One hundred and fifty-eight targets were attacked only once each in the period.”

Other interesting trends highlighted in the Global Phishing Survey 2H2014 report are:

  • New companies are constantly being targeted by phishers. Some phishers are attacking targets where consumers may least expect it.
  • The ten companies that are targeted most often by phishers are attacked constantly, sometimes more than 1,000 times per month. Together the top ten targets suffered more than three-quarters of all the phishing attacks observed worldwide.
  • The number of domain names used for phishing reached an all-time high.
  • Phishing in the new top-level domains started slowly. We expect to see phishing levels in them rise as time goes on.
  • Chinese phishers were responsible for 85% of the domain names that were registered for phishing. These phishers started using .CN domains more frequently.
  • Phishing attacks were not mitigated as quickly. The median uptime of phishing attacks increased to 10 hours 6 minutes — up from 8 hours and 42 minutes in 1H2014. This means that phishing attacks were not being shut down as efficiently in the critical first hours, when most victims fall prey.
  • If attacks are divided by industry, we can clearly see that the markets involving money are the most targeted, as can be seen in the next chart:

As the report puts it, “These show criminals seeking the credentials of consumers in places where consumers may least expect it. Phishers target wide-ranging targets for several reasons. One is to perform credit card theft, and hitting new targets may lull consumers into a false sense of security. The phishers can also monetize stolen data through reshipping fraud, a tactic that remains popular. Phishers also steal usernames and passwords from one site in order to try those credentials on other sites. Many consumers re-use usernames and passwords, and this poor habit can be costly. If a site is getting phished for the first time, it may have been targeted by a more sophisticated phisher, who had the skill to design a new phishing template.”

You can check the full Global Phishing Survey 2H2014 report here:

http://apwg.org/download/document/245/APWG_Global_Phishing_Report_2H_2014.pdf

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics, and ethical hacking. He has previous experience in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog, http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – APWG Global Phishing Survey 2H2014, phishing)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group. He is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
