Phishers Continue Targeting Companies, But Limited Interest in New gTLDs: APWG

New companies are constantly being targeted by phishers, and some phishers attack targets where consumers may least expect it, while the ten companies targeted most often are attacked constantly, sometimes more than 1,000 times per month. These are some of the findings of the Global Phishing Survey for Second Half of 2014, released by the Anti-Phishing Working Group (APWG) on Wednesday.

The report found phishing occurred in 272 top-level domains (TLDs), with 56 in new gTLDs. The number of domain names used for phishing has reached an all-time high, but the interest in new gTLDs has so far been limited. However, with the registration fees for some of the new gTLDs dropping to below .com prices, the APWG believes this will attract phishing and other kinds of abuse.

However, the report notes that tens of thousands of domains in the new gTLDs are being consumed by spammers and are being blocklisted by providers such as Spamhaus and SURBL. So while relatively few new gTLD domains have been used for phishing, the report notes the total number of them being used maliciously is much higher.

Of the new gTLDs, the largest, .xyz, had the most phishing domains with 288. The .xyz gTLD became notorious as Network Solutions gave their .com registrants a .xyz domain. But only four of the .xyz domains were registered with Network Solutions. Most of the .xyz phishing registrations (298) were made at Xin Net and other Chinese registrars, and were used to attack Chinese targets. A lesson here, the report notes, is that when it comes to abuse, who can obtain domains in a TLD (and in what quantities) may be as important as the (low) price of the domain. .XYZ had a phishing-per-10,000-domains score of 3.6, which was just slightly above the average of 3.4 for all TLDs, and lower than .com’s score of 4.7. Since

But only 1.9 percent of all domain names that were used for phishing contained a brand name or variation thereof.

According to the report, there were at least 123,972 unique phishing attacks worldwide during the six-month period. This was almost the same number as in the first half of 2014, and the most seen in a six-month period since the second half of 2009. The APWG defines an attack as a phishing site that targets a specific brand or entity. A single domain name can host several discrete phishing attacks against different banks, for example.

These attacks occurred on 95,321 unique domain names, the most ever recorded in a half-year period. The number of domain names in the world grew from 279.5 million in April 2014 to 287.3 million in December 2014.

Of the 95,321 phishing domains the APWG identified, 27,253 are believed to have been registered maliciously by phishers. This is an all-time high, and much higher than the 22,629 identified in the first half of 2014. Most of these registrations were made by Chinese phishers. The other 68,303 domains were almost all hacked or compromised on vulnerable Web hosting.

The registrations were concentrated in just five TLDs, with seventy-five percent of the malicious domain registrations in .com, .tk, .pw, .cf and .net.

In addition, 3,582 attacks were detected on 3,095 unique IP addresses rather than on domain names (for example, http://77.101.56.126/FB/), but none were observed on IPv6 addresses.

There were also 569 targeted institutions, down significantly from the all-time high of 756 observed in the first half of 2014.

The average uptime in the second half of 2014 was 29 hours and 51 minutes. The median uptime in the six-month period increased to 10 hours 6 minutes, meaning that half of all phishing attacks stay active for slightly more than 10 hours.