Home / News

New Research Finds Over 80% of Domain Names Used by Phishers Are Legitimate Domains

New research from the Anti-Phishing Working Group (APWG) has found that up to 81% of domain names used for phishing are legitimate domains that have been hacked. More specifically, out of the 30,454 phishing domains under observation, only 5,591 domain names (18.5%) were registered by phishers according to APWG. The remaining small percentage of the domains used in phishing belonged to subdomain resellers such as ISPs and other web-based services.

“Phishing most often takes place on compromised Web servers, where the phishers place their phishing pages unbeknownst to the site operators,”” says APWG. “This method gains the phishers free hosting, and complicates take-down efforts because suspending a domain name or hosting account also disables the resolution of the legitimate user’s site. Phishing on a compromised Web site typically takes place on a subdomain or in a subdirectory, where the phish is not easily noticed by the site’s operator or visitors.”

Major findings include:

1. Phishers are increasingly using subdomain services to host and manage their phishing sites. This trend shows phishers migrating to services that cannot be taken down by registrars or registry operators, thereby frustrating some takedowns and extending the uptimes of attacks.

2. Phishers continue to target specific TLDs and specific domain name registrars, and shift their preferences over time.

3. The amount of Internet names and numbers used for phishing has remained fairly steady over the past two years.

4. Anti-phishing programs implemented by domain name registries can have a remarkable effect on the up-times (durations) of phishing attacks.

5. There are decreases in phishing on IP addresses and the use of brand names in domain names to fool users. Phishers are not using IDNs (Internationalized Domain Names).

To download the full report from APWG click here (PDF).

By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.

Visit Page

Filed Under


Owners of hacked web servers need guidance Laura Mather  –  May 28, 2009 6:54 PM

As mentioned in the post, a huge percent (>80%) of all phishing sites are hosted on web servers that have been hacked.  One scary thing about this statistic is that the owners of those web servers often have very little expertise to understand what is happening to them or how to rectify the situation.

It’s because of this that the APWG published a best practices document that is complementary to the 2H2008 report referenced above.  The What to Do if Your Site has Been Hacked by Phishers best practices document gives general information about how to tell if your site has been hacked, what to do to remove the phish site, and how to harden you web server going forward.

The document was written by Suzy Clarke of ASB Bank in New Zealand and Dave Piscitello of ICANN’s Security and Stability Advisory Committee.  Contributors include people from ISPs, financial institutions, and law enforcement.

As co-chair of APWG’s Internet Policy Committee, I am thrilled that both the 2H2008 study and the “What to do if your site has been Hacked” document are getting recognition within the community.  We’d like to get the “Hacked” document to more web hosting providers.  We figure it’s the web hosting providers who are often dealing with the owners of websites that have been hacked.  If you have any friends in the web hosting community, definitely feel free to forward the link to them and encourage them to send it to their customers when they suspect there may be a phishing issue.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC


Sponsored byVerisign