Home / Blogs

Phishing: A Look Into the E-Crime Landscape

At the recent Anti-Phishing Working Group meeting in San Francisco, Rod Rasmussen and I published our latest APWG Global Phishing Survey. Phishing is a distinct kind of e-crime, one that’s possible to measure and analyze in depth. Our report is a look at how criminals act and react, and what the implications are for the domain name industry.

This report seeks to understand trends and their significance by quantifying the scope of the global phishing problem, specifically all the phishing attacks detected in the first half of 2013. Here’s some of what we found.

Phishers seek out vulnerable resources. There were at least 72,758 unique phishing attacks worldwide, occurring on 53,685 unique domain names. Most of those domains were hacked—on vulnerable web servers that the phishers broke into. In fact, 27% of all phishing attacks recorded worldwide involved mass break-ins at vulnerable hosting centers. Breaking into such hosting is a high-yield activity, and fits into a larger trend where criminals turn compromised servers at hosting facilities into weapons. We see such servers being utilized for all manner of abuse beyond phishing, ranging from underground proxy networks to large-scale DDoS attacks.

Like other criminals, phishers seek new markets. Phishing is exploding in China, where the expanding middle class is using e-commerce more often. We identified 12,175 domain names that we believe were registered maliciously, by phishers. Of those, at least 8,240 (68%) were registered to phish Chinese targets: services and sites in China that serve a primarily Chinese customer base.

Anti-abuse responses work. Some TLDs have anti-abuse monitoring and response programs, and the data shows that phish in these TLDs are taken down much more quickly, thereby saving a lot of victims. Phishing that uses URL shorteners is also way down, because companies such as BIT.LY and T.CO have implemented good monitoring programs, which has driven phishers away. And a lack of abuse monitoring becomes really noticeable in some TLDs, which suffer high levels of abuse.

Sometimes the data explodes common perceptions. Phishers don’t cyber-squat much. Just 2.3% of all domains that were used for phishing contain a relevant brand name or reasonable variation thereof (often a misspelling). Instead, phishers usually register nonsense strings. Placing brand names or variations thereof in the domain name itself is not a favored tactic since brand owners are proactively scanning Internet zone files for their brand names. Instead, phishers often place brand names in subdomains or subdirectories.

And while people used to worry that IDNs would be used widely to fool people into visiting look-alike domains, the actual occurrence is vanishingly small. In seven years of research, we have found only eight IDNs domains used for homographic attacks, out of the hundreds of millions of domains registered during that time. It’s a reminder that a security vulnerability can be measured by its actual impact.

If you’re a registry operator, a new TLD applicant, a registrar, reseller, or responder, take a few minutes to read the report. It’s a good way to know the enemy, and to protect your company and your users.

By Greg Aaron, President, Illumintel Inc.

Filed Under


A well-researched essay on the landscape of Alex Tajirian  –  Oct 1, 2013 6:29 PM

A well-researched essay on the landscape of phishing. What should I do as an online company to protect against it?

For a good study on the economics of online crime, see http://bit.ly/GzJPUx.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix


Sponsored byVerisign

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign


Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global