APWG Report: Cybercrime Gangs Ramp Up Phishing Attacks in 2018

Criminals continue to go where the money is

CAMBRIDGE, Mass.--()--According to the APWG’s new Phishing Activity Trends Report, phishing in the first part of 2018 surged 46 percent higher than late 2017. The total number of phish detected in the first quarter of 2018 was 263,538. That was up from the 180,577 observed in the fourth quarter of 2017. It was also significantly greater than the 190,942 seen in the third quarter of 2017.

The phishing attacks of early 2018 targeted users of online payment services more than in any other industry sector, accounting for 39 percent of all phishing attacks. APWG member MarkMonitor also saw modest increases in phishing that targeted SAAS/webmail providers (19 percent of the total) and file hosting/sharing sites (11 percent). Phishing against banks’ brands dropped slightly, to 14 percent.

The full text of the report is available here:

Some phishers also adjusted their tactics in the period. “In Q1 2018, there was a marked increase in URL detections starting in February and ramping up through March, but the number of unique phishing domains remained flat,” said Stefanie Ellis, AntiFraud Product Marketing Manager, MarkMonitor. “This increase in URLs can largely be attributed to one-time-use URLs. These unique URLs are automatically generated by phishers to allow for a one-time access by victims to a unique phishing URL.“

In other news, APWG member RiskIQ analyzed what domain names were used by phishers and found domain use generally matched market share among top-level domains and registrations.

"Because cybercriminals focus on the cost-benefit analysis of their activities, they like to register their domains with the cheapest, most common registrars," said Yonathan Klijnsma, Head Researcher at RiskIQ. "This is why phishing domain use often correlates with the market share of top-level domains and why the web hosters associated with phishing sites—many of which come from compromised websites—are typically the largest ones. For instance, GoDaddy, the largest hosting provider in Q1 2018, was also the top registrar affected by phishing."

APWG member PhishLabs continued its monitoring of the use of HTTP protection on phishing web sites. By the second quarter of 2018, PhishLabs more than a third of phishing attacks were hosted on Web sites that had HTTPS and SSL certificates, reflecting and the general increase in HTTPS deployment on the Internet.

Crane Hassold, PhishLabs Director of Threat Intelligence, said, “Following the pattern we’ve seen over the past 18 months, the percentage of HTTPS phishing sites continues to grow and now comprises more than a third of all attacks globally. While some of this increase is due to the general adoption of HTTPS across the web, much of this trend has been driven by threat actors registering malicious domains and obtaining free SSL certificates to make their phishing sites appear more legitimate. As browsers add more negative visual indicators that cause general web users to become less trusting of HTTP websites, we expect this trend to continue and likely accelerate.”

Axur, the APWG’s observer in Brazil, recorded significant increases in web-based scams on sites like Facebook, and saw phishing via text messages.

APWG European research chapter, APWG.EU, will be hosting two programs this fall in Poland:

The Symposium on Global Cybersecurity Awareness – Sept. 11-12 in Warsaw


EU Symposium on Electronic Crime Research – Sept. 17-19 in Warsaw


About the APWG:

Founded in 2003, the Anti-Phishing Working Group, (APWG) is the global industry, law enforcement, and government coalition focused on unifying the global response to electronic crime. Membership is open to qualified financial institutions, online retailers, ISPs and Telcos, the law enforcement community, solutions providers, multi-lateral treaty organizations, research centers, trade associations and government agencies. There are more than 2,200 companies, government agencies and NGOs participating in the APWG worldwide. The APWG's <www.apwg.org> and <education.apwg.org> websites offer the public, industry and government agencies practical information about phishing and electronically mediated fraud as well as pointers to pragmatic technical solutions that provide immediate protection. The APWG is co-founder and co-manager of the Stop. Think. Connect. Messaging Convention, the global online safety public awareness collaborative <https://education.apwg.org/safety-messaging-convention/> and founder/curator of the eCrime Researchers Summit, the world’s only peer-reviewed conference dedicated specifically to electronic crime studies <www.ecrimeresearch.org>. APWG advises hemispheric and global trade groups and multilateral treaty organizations such as the European Commission, the G8 High Technology Crime Subgroup, Council of Europe's Convention on Cybercrime, United Nations Office of Drugs and Crime, Organization for Security and Cooperation in Europe, Europol EC3 and the Organization of American States. APWG is a member of the steering group of the Commonwealth Cybercrime Initiative at the Commonwealth of Nations. Among APWG's corporate sponsors are: AhnLab, AnchorFree, AT&T (T), Afilias, Avast!, AVG Technologies, BBN Technologies, Barracuda Networks, BillMeLater, Booz Allen Hamilton, Blue Coat, BrandMail, BrandProtect, Bsecure Technologies, CSC Digital Brand Services, Check Point Software Technologies, Comcast, CSIRTBANELCO, Cyber Defender, DigiCert, Domain Tools, Donuts.co, Easy Solutions, eBay/PayPal (EBAY), eCert, EC Cert, ESET, EST Soft, Facebook, Forcepoint, Fortinet, FraudWatch International, F-Secure, GlobalSign, GoDaddy, Google, GroupIB, Hauri, Hitachi Systems, Ltd., Huawei Symantec, ICANN, Iconix, Infoblox (BLOX), IronPort, ING Bank, Intuit, Internet.bs, IT Matrix, iThreat Cyber Group, Kindsight, LaCaixa, Lenos Software, LINE, Lookingglass, MailChannels, MailChimp, MailShell, MarkMonitor, M86Security, McAfee (MFE), Melbourne IT, MessageLevel, Microsoft (MSFT), MicroWorld, Mimecast, Mirapoint, NHN, MyPW, nProtect Online Security, Netcraft, Network Solutions, NeuStar, Nominet, Nominum, Public Interest Registry, Panda Software, Phishlabs, Phishme.com, Phorm, Planty.net, Prevx, Proofpoint, QinetiQ, Return Path, RSA Security (EMC), RuleSpace, SalesForce, SecureBrain, S21sec, SIDN, SiteLock, SoftForum, SoftLayer, SoftSecurity, SOPHOS, SunTrust, SurfControl, Symantec (SYMC), Tagged, TDS Telecom, Telefonica (TEF), TransCreditBank, Trend Micro (TMIC), Trustwave, Vasco (VDSI), VeriSign (VRSN), Wombat Security Technologies, and zvelo.


Anti-Phishing Working Group
Peter Cassidy, +1-617-669-1123


Anti-Phishing Working Group
Peter Cassidy, +1-617-669-1123