Phishers Expand the Number of Top Level Domains Abused in eCrime Scams
Domain Name Registration Policy Changes Can Make Big Difference, Study Shows
LOS ALTOS, Calif. & CAMBRIDGE, Mass.--(BUSINESS WIRE)--The new Global Phishing Survey released by the Anti-Phishing Working Group (APWG) this month reveals that phishing gangs are concentrating their efforts within specific top level domains (TLDs), but also that anti-phishing policies and mitigation programs by domain name registrars and registries can have a significant and positive effect.
For this new study, covering the first half of 2008, Rod Rasmussen of Internet Identity and Greg Aaron of Afilias surveyed 47,324 unique phishing attacks located on 26,678 unique domain names. (Phishing attacks are counterfeit websites designed to deceive consumers into revealing their personal financial information.)
The number of TLDs abused by phishers for their attacks expanded 7 percent, from 145 in H2/2007 to 155 in H1/2008. The share of phishing sites hosted on bare IP addresses rather than domain names declined from 18 percent in the second half of 2007 to 13 percent in the first half of 2008, a drop of five percentage points, or roughly 28 percent relative to the earlier share.
“We’re seeing a trend away from fixed IP-based URLs which are readily shut down to use of more domain-based URLs,” said Mr. Rasmussen, co-chair of the APWG’s Internet Policy Committee. “Many of these are on compromised servers which already have established ‘good’ reputations, while others are on fraudulently registered domain names supported by botnets or other throw-away hosting resources. In either case, the mitigation effort is challenged, as one does not want to suspend an innocent domain name, while with a botnet, the domain is the only practical choke-point to neutralize the attack.”
The report finds some correlations between registry policies and the prevalence and duration of phishing activity in their TLDs. The APWG researchers’ analysis of phishing site uptime and other metrics showed that anti-phishing policies can help reduce phishing activity. Specifically, the .CN, .INFO, and .BIZ TLDs, whose managers have implemented counter-phishing programs, had phishing site uptimes notably below the industry average.
“The longer a phishing site remains online, the more identities and money the phisher is able to steal from unsuspecting victims,” said Mr. Aaron, an APWG Research Fellow. “Reducing uptime is a key measure of any anti-phishing program.”
The authors attribute the reduction in phishing activity in the .INFO TLD specifically to an anti-phishing program established in January 2008. (Disclosure: Mr. Aaron’s company, Afilias, operates the .INFO registry.) More dramatically, the investigators found that after anti-phishing measures went into place in March 2008 at the .HK registry, “the number of phishing domains in .HK quickly went from more than 1,000 per month to virtually nothing.”
“In this study we found direct correlation between registry policy and procedures, and the lifetimes of phishing sites,” said Mr. Rasmussen. “With typical losses estimated by financial institutions of several hundred to thousands of dollars per hour a phishing site is active, these efforts, which shave several hours off an attack, can have a dramatic impact on the losses suffered by businesses and consumers.”
The survey also identified 4,512 subdomain sites or accounts used for phishing under 274 unique second-level domains. These were established on “subdomain registration services,” in which a customer sets up a subdomain under a second-level domain owned by the service provider (e.g. <customer_term>.<service_provider_sld>.TLD).
“The widespread use of subdomain registration services by phishers is a challenging development for the industry,” said Mr. Rasmussen. “These services have diverse business models and controls, and run outside the scope of ICANN, domain registries, or any recognized authority. This can make them an unwitting haven for phishers and in turn adversely affect the reputation of a TLD or registrar who has no control over their behavior.”
To determine the intensity or pervasiveness of phishing activity in a TLD relative to others, the authors established two metrics, both normalized per 10,000 registered domains so that TLDs of very different sizes can be compared. The first, Phishing Domains per 10,000, compares the number of domain names used for phishing to the total number of registered domain names in that TLD.
The other, Phishing Attacks per 10,000, counts every attack rather than every unique domain, and so helps indicate which TLDs are predominantly used by phishers who employ subdomain services or place multiple phishing sites on a single domain. The top twelve TLDs in this category ran from .HK (Hong Kong), with 142.1 phishing attacks per 10,000 domains, to .BE (Belgium), with 8.7. The authors found that .SU (Soviet Union), .RU (Russia), and .FR (France) received high attack scores because phishers launched large numbers of attacks in these TLDs via subdomain hosting services, where many attacks sit under a single registered domain.
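The following Python script is an added illustration of the classification and scoring described in this release; it is not code from the APWG report or its authors. It sorts a constructed set of phishing URLs into IP-based, domain-based and subdomain-service attacks (including the all-digits “dword” IP form phishers use to disguise an IP-based URL), computes both per-10,000 scores for each TLD, and names the choke-point a responder would contact for each kind so that an innocent domain or service is not suspended. The subdomain-service names, the registered-domain counts and every URL are constructed for the example; treating the last two host labels as the registrable domain is a simplification, and production tooling should consult the Public Suffix List instead.

```python
"""Classify phishing URLs and score TLDs with the survey's two per-10,000 metrics.

Added example. All hosts, service names and registry sizes below are
constructed for illustration; none are taken from the APWG report.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed "subdomain registration services": the provider owns the
# second-level domain and hands customers <customer>.<provider>.<tld>.
SUBDOMAIN_SERVICES = {"free-host.ru", "webpages.su"}

# Constructed registered-domain counts per TLD (illustrative sizes only).
REGISTERED_DOMAINS = {"hk": 20_000, "com": 1_000_000, "ru": 200_000,
                      "su": 10_000, "be": 100_000}

# Constructed phishing URLs; IPs come from the RFC 5737 documentation ranges.
SAMPLE_ATTACKS = [
    "http://203.0.113.7/online/login.htm",   # dotted IPv4
    "http://192.0.2.55:8080/bank/",          # IPv4 with a port
    "http://3221226219/login",               # "dword" form of 192.0.2.235
    "http://secure-bank-login.hk/",
    "http://bank-verify.hk/signin",
    "http://account-update.hk/",
    "http://paypa1-confirm.com/cgi/",
    "http://user1.free-host.ru/bank/",       # three accounts on one service
    "http://user2.free-host.ru/bank/",
    "http://user3.free-host.ru/bank/",
    "http://acct-x.webpages.su/",
    "http://acct-y.webpages.su/",
    "http://mybank-be.be/",
]


@dataclass(frozen=True)
class Attack:
    kind: str                # "ip", "domain" or "subdomain_service"
    host: str                # normalized host (IP literals canonicalized)
    tld: Optional[str]       # None for IP-based URLs
    domain: Optional[str]    # registrable domain, None for IP-based URLs


def parse_ip(host: str) -> Optional[str]:
    """Canonical IP string if host is an IP literal, else None.

    Accepts dotted IPv4, bracketed IPv6 and the all-digits "dword" form.
    """
    h = host.strip("[]")
    try:
        return str(ipaddress.ip_address(int(h) if h.isdigit() else h))
    except ValueError:
        return None


def classify(url: str) -> Attack:
    host = urlsplit(url).hostname  # lowercased; port and userinfo removed
    if not host:
        raise ValueError(f"no host in {url!r}")
    ip = parse_ip(host)
    if ip:
        return Attack("ip", ip, None, None)
    labels = host.rstrip(".").split(".")
    tld = labels[-1]
    # Simplification: the last two labels are the registrable domain.
    # Real tooling should use the Public Suffix List (e.g. example.co.uk).
    domain = ".".join(labels[-2:])
    if domain in SUBDOMAIN_SERVICES and len(labels) > 2:
        return Attack("subdomain_service", host, tld, domain)
    return Attack("domain", host, tld, domain)


def ip_share(urls):
    """(IP-based attacks, total attacks): the proportion the survey tracks."""
    kinds = Counter(classify(u).kind for u in urls)
    return kinds["ip"], len(urls)


def tld_scores(urls, registered=REGISTERED_DOMAINS):
    """Per-TLD 'Phishing Domains per 10,000' and 'Phishing Attacks per 10,000'.

    Attacks count every URL; domains count unique registrable domains, so a
    subdomain service hosting many accounts raises only the attack score.
    """
    attacks, domains = Counter(), defaultdict(set)
    for a in map(classify, urls):
        if a.kind == "ip":
            continue  # IP-based attacks belong to no TLD
        attacks[a.tld] += 1
        domains[a.tld].add(a.domain)
    return {
        tld: {
            "attacks": n,
            "domains": len(domains[tld]),
            "domain_score": round(len(domains[tld]) * 10_000 / registered[tld], 2),
            "attack_score": round(n * 10_000 / registered[tld], 2),
        }
        for tld, n in attacks.items()
    }


def takedown_target(url: str):
    """Who to contact, and about what, so the innocent part stays up."""
    a = classify(url)
    if a.kind == "ip":
        return "hosting provider", a.host
    if a.kind == "subdomain_service":
        return "subdomain service operator", a.host  # the one account, not the SLD
    return "registrar or registry", a.domain


if __name__ == "__main__":
    ip, total = ip_share(SAMPLE_ATTACKS)
    print(f"IP-based attacks: {ip}/{total}")
    scores = tld_scores(SAMPLE_ATTACKS)
    for tld in sorted(scores, key=lambda t: -scores[t]["attack_score"]):
        print(f".{tld.upper():<4} {scores[tld]}")
```

On the constructed sample, .SU and .RU rank higher on the attack score than on the domain score because their attacks all sit under one subdomain service each, which is the pattern the authors describe for those TLDs; .HK scores the same on both because each of its attacks uses a separately registered domain.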
The full report is available here: http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey1H2008.pdf
About the APWG: The APWG, founded as the Anti-Phishing Working Group in 2003, is an industry, law enforcement and government coalition focused on eliminating the identity theft and fraud that result from the growing problem of phishing, email spoofing, and crimeware. Membership is open to qualified financial institutions, online retailers, ISPs, the law enforcement community and solutions providers. There are more than 1,800 companies and government agencies worldwide participating in the APWG and more than 3,200 members. The APWG's Web site (www.antiphishing.org) offers the public and industry information about phishing and email fraud, including identification and promotion of pragmatic technical solutions that provide immediate protection. APWG's corporate sponsors include: 8e6 Technologies, AT&T (T), Able NV, Afilias Ltd., AhnLab, BillMeLater, BBN Technologies, BlueStreak, BrandMail, BrandProtect, Bsecure Technologies, Cisco (CSCO), Clear Search, Cloudmark, Cydelity, Cyveillance, DigiCert, DigitalEnvoy, DigitalResolve, Digital River, Earthlink (ELNK), eBay/PayPal (EBAY), Entrust (ENTU), Experian, eEye, Fortinet, FraudWatch International, FrontPorch, F-Secure, Goodmail Systems, Grisoft, GeoTrust, GlobalSign, GoDaddy, GuardID Systems, HomeAway, IronPort, HitachiJoHo, ING Bank, Iconix, Internet Identity, Internet Security Systems, IOvation, IS3, IT Matrix, Kaspersky Labs, Lenos Software, LightSpeed Systems, MailFrontier, MailShell, MarkMonitor, McAfee (MFE), MasterCard, MessageLevel, Microsoft (MSFT), MicroWorld, Mirapoint, MySpace (NWS), MyPW, MX Logic, NameProtect, National Australia Bank (ASX: NAB), Netcraft, NetStar, Network Solutions, NeuStar, Panda Software, Phoenix Technologies Inc. (PTEC), Phorm, The Planet, SalesForce, Radialpoint, RSA Security (EMC), SecureBrain, Secure Computing (SCUR), S21sec, Sigaba, SoftForum, SOPHOS, SquareTrade, SunTrust, Symantec (SYMC), TDS Telecom, Telefonica (TEF), Trend Micro (TMIC), Tricerion, TriCipher, TrustedID, Tumbleweed Communications (TMWD), SurfControl (SRF.L), Vasco (VDSI), VeriSign (VRSN), Visa, Websense Inc. (WBSN) and Yahoo! (YHOO).