Home / Blogs

A Bad Year for Phishing

Here at the Anti-Phishing Working Group meeting in Hong Kong, we’ve just released the latest APWG Global Phishing Survey. Produced by myself and my research partner Rod Rasmussen of Internet Identity, it’s an in-depth look at the global phishing problem in the second half of 2013. Overall, the picture isn’t pretty.

There were at least 115,565 unique phishing attacks worldwide during the period. This is one of the highest semi-annual totals we’ve observed since we began our studies in 2007.

The companies (brands) targeted by phishing targets were diverse, with many targeted for the first time. The criminals are looking for new opportunities in new places, among every kind of site that takes in user information.

The attacks occurred on 82,163 unique domain names. Most of those domains were hacked—on web servers that the phishers broke into, a testament to the vulnerability of hosting facilities. But at least 22,831 of the domain names were registered maliciously, by phishers. This is the highest number of malicious domain registrations we have ever counted. In fact, it was about four times as bad as during the same period a year before.

The domain registration problem is due almost entirely to Chinese phishers. Of those 22,831 malicious domain registrations, 85% were registered to phish Chinese targets—services and sites in China that serve a primarily Chinese customer base.

Where did they get the domains? In various TLDs, including .COM, .INFO, .CN, and .ASIA, and using 230 different ICANN-accredited registrars. A notable portion of the problem clusters around nine Chinese registrars. And about 28% of the world’s malicious registrations were made at the free domain name registries offered by Freenom. Freenom is best known for running .TK, where free domains have made it the biggest ccTLD in the world. Late in 2013 Freenom obtained the rights to turn the .CF, .GA, and .ML registries into free registration zones too. Within a few months phishers registered at least 1,429 phishing sites in those three TLDs.

There was a bit of good news: The average uptimes of phishing attacks declined, and were close to historic lows. The average phish lasted 28 hours, which is enough time for a phisher to glean some user credentials. The median uptime in 2H2013 was 7 hours and 54 minutes, meaning that half of all phishing attacks stay active for less than 8 hours. This is the result of diligent work by brand victims, security companies and researchers, some registrars and registries, and hosting companies.

Take a few minutes to read the report. It’s a good way to know the enemy, and to protect your company and your users.

By Greg Aaron, President, Illumintel Inc. and Co-Chair of the APWG Internet Policy Committee.

By Greg Aaron, President, Illumintel Inc.

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global