Repurposed ccTLDs Showing Higher Levels of Phishing: APWG

Some of the TLDs with the highest levels of domain names used for phishing are in “repurposed” ccTLDs – those where management rights have been granted to third parties who have then commercialised the TLDs, according to the latest Phishing Activity Trends Report for the third quarter of 2018 from the Anti Phishing Working Group. Among those with the highest levels are .tk, .ml, .ga, .cf and .gq who are all operated by a Dutch company that offers domain names in those TLD for free, while .pw is operated by a company based in India. But there are also ccTLDs with a higher than expected number of phishing domain names outside this description such as .br, .ru, .in and .au.

The TLD with the most phishing domain names was unsurprisingly .com which had 922 domain names (out of a total 137.6 million), followed by .org with 80 out of 10.3 million and then .net with 78 out of 14.1 million. They were followed by .pw with 53 phishing domain names, .info (43 out of 5.0 million) and .br (41 out of 4.0 million). The first new gTLD on the list, .xyz, was seventh with 30, .ml an d.ru (28), .in and .tk (24 out of 21.5 million), .ga and .uk (23 out of 11.9 million), .cf and .gq (22), .au and .top (20 out of 3.2 and 3.9 million respectively) while .business (17 out of 63,000) and .agency and .co (15 each out of 64,000 for .agency) rounded out the top 20.

“Sometimes it is easy to discount the total volume of abuse in a TLD if the TLD hasa large number of domains in it,” said Jonathan Matkowsky of RiskIQ. “We assigned a weighted score against the total number of domains in each zone, looking at TLDs where there were at least five unique domain names used for phishing, as a way of understanding the size of the zone and the phishing prevalence in it. After discounting the number of unique hosts by the relative size of those zones, .TOP and .XYZ were still the new gTLDs that scored highest.”

There has also been a growth in websites using web addresses with https, which is supposedly more secure. APWG notes that at the end of 2016, less than 5% of phishing sites were found on HTTPS infrastructure. In the third quarter of 2018, PhishLabs saw the number of phishing web sites using SSL/TLS encryption increase to 49.4%, up from 35.2% in the second quarter.

“This is likely a result of attackers obtaining certificates for use on their own infrastructure , and in general, as more legitimate Web sites obtain SSL certificates, some of those will naturally become compromised by phishers,” John LaCour , the Chief Technology Officer of PhishLabs noted. “As of July 2018, the Google Chrome browser began to warn users that plain HTTP sit es are ‘not secure ’, and that will drive more web site owners to use HTTPS . So over time we expect that most phishing sites will use SSL certificates . Certificate authorities that offer free certificates will be increasingly abused by phishers in the future.”