|
New research from the Anti-Phishing Working Group (APWG) has found that up to 81% of domain names used for phishing are legitimate domains that have been hacked. More specifically, out of the 30,454 phishing domains under observation, only 5,591 domain names (18.5%) were registered by phishers according to APWG. The remaining small percentage of the domains used in phishing belonged to subdomain resellers such as ISPs and other web-based services.
“Phishing most often takes place on compromised Web servers, where the phishers place their phishing pages unbeknownst to the site operators,”” says APWG. “This method gains the phishers free hosting, and complicates take-down efforts because suspending a domain name or hosting account also disables the resolution of the legitimate user’s site. Phishing on a compromised Web site typically takes place on a subdomain or in a subdirectory, where the phish is not easily noticed by the site’s operator or visitors.”
Major findings include:
1. Phishers are increasingly using subdomain services to host and manage their phishing sites. This trend shows phishers migrating to services that cannot be taken down by registrars or registry operators, thereby frustrating some takedowns and extending the uptimes of attacks.
2. Phishers continue to target specific TLDs and specific domain name registrars, and shift their preferences over time.
3. The amount of Internet names and numbers used for phishing has remained fairly steady over the past two years.
4. Anti-phishing programs implemented by domain name registries can have a remarkable effect on the up-times (durations) of phishing attacks.
5. There are decreases in phishing on IP addresses and the use of brand names in domain names to fool users. Phishers are not using IDNs (Internationalized Domain Names).
To download the full report from APWG click here (PDF).
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byCSC
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byDNIB.com
As mentioned in the post, a huge percent (>80%) of all phishing sites are hosted on web servers that have been hacked. One scary thing about this statistic is that the owners of those web servers often have very little expertise to understand what is happening to them or how to rectify the situation.
It’s because of this that the APWG published a best practices document that is complementary to the 2H2008 report referenced above. The What to Do if Your Site has Been Hacked by Phishers best practices document gives general information about how to tell if your site has been hacked, what to do to remove the phish site, and how to harden you web server going forward.
The document was written by Suzy Clarke of ASB Bank in New Zealand and Dave Piscitello of ICANN’s Security and Stability Advisory Committee. Contributors include people from ISPs, financial institutions, and law enforcement.
As co-chair of APWG’s Internet Policy Committee, I am thrilled that both the 2H2008 study and the “What to do if your site has been Hacked” document are getting recognition within the community. We’d like to get the “Hacked” document to more web hosting providers. We figure it’s the web hosting providers who are often dealing with the owners of websites that have been hacked. If you have any friends in the web hosting community, definitely feel free to forward the link to them and encourage them to send it to their customers when they suspect there may be a phishing issue.