The total number of phishing sites detected by the Anti-Phishing Working Group (APWG) nearly halved in 2018, from 263,538 at the beginning of the first quarter to 233,040 at the beginning of the second, 151,014 at the beginning of the third and 138,328 at the beginning of the fourth. These were findings in the APWG's Phishing Activity Trends Report for the Fourth Quarter of 2018. However, the report notes that detection of phishing sites has become harder because phishers are obfuscating phishing URLs with multiple redirections.
When it comes to the most targeted industry sectors, APWG member MarkMonitor saw phishing that targeted software as a service (SaaS) and Webmail services' brands jump from 20.1% of all attacks in the third quarter to almost 30% in the fourth. Attacks against cloud storage and file hosting sites continued to drop, decreasing from 11.3% of all attacks in Q1 2018 to 4% in Q4.
For domain names used for phishing, RiskIQ analysed 6,718 confirmed phishing URLs reported to APWG in Q4 2018, and found that they were hosted on 4,485 unique second-level domains (and 100 were hosted on unique IP addresses, without domains).
The legacy gTLDs, of which .com is by far the largest, represented almost half (49.57%) of the domain names in the world as of the beginning of Q4, and represented 56.43% of the phishing domains in the sample set. There were 2,531 legacy gTLD domain names in the sample set, most of them in .com, which had 2,098 domains in the set.
New generic top-level domains (new gTLDs), the largest being .top and .xyz, represented 6.83% of domain names under management (DUM) globally and 4.95% of the domains in the sample set. There were 222 new gTLD domains in the set.
The country code top-level domains (ccTLDs) accounted for 43.6% of domain names globally as of the beginning of Q4, and accounted for 38.62% of the domains in the sample set. There were 1,732 ccTLD domain names in the sample set. ccTLD internationalised domain names are included as part of this category, but there was only one such domain (.рф) in the set.
After .com's 2,098 domain names in the set, the Palau ccTLD .pw came second with 374 unique domain names used for phishing, then .net (175), .org (154) and .uk (121), these being the only TLDs with more than 100. A number of ccTLDs with low registration figures, whose domain names are often given away for free, figure highly on the list, such as .cf (Central African Republic) with 84, .ml (Mali, 78) and .ga (Gabon, 68).
These "repurposed" ccTLDs, and a few others such as .tk and .gq, have notable amounts of phishing in them and are TLDs where phishers went to register domain names directly to perpetrate their crimes. These "repurposed" ccTLDs have granted their management rights to third parties who have then commercialised them. .TK, .ML, .GA, .CF, and .GQ are all operated by a Dutch company that offers domain names in those ccTLDs for free, while .PW is operated by a company based in India.
Some new gTLDs also rank high for phishing activity.
“.XYZ represented 8% of the registered new gTLD domain names in the world as of the beginning of the quarter, but 16.67% of the reported phishing new gTLDs in the quarter,” said Jonathan Matkowsky of RiskIQ. “.LOAN was a larger piece of the total new gTLD market than .XYZ as of the beginning of the quarter, but there was only one reported .LOAN domain used for phishing in our sample set. .TOP represented 14.4% of the total new gTLD market at the beginning of the quarter, but only 4.5% of the reporting phishing domains this quarter—half as many as in Q3.”
The report also found that HTTPS was used as the default protocol by 48.4% of all websites in December 2018. Many phishing attacks are hosted on hacked websites, so it is not surprising that about the same percentage of phishing sites use the HTTPS encryption protocol.
The latest Phishing Activity Trends Report for the 4th Quarter of 2018 from the Anti Phishing Working Group is available for download from: