Here at the Anti-Phishing Working Group meeting in Hong Kong, we’ve just released the latest APWG Global Phishing Survey. Produced by myself and my research partner Rod Rasmussen of Internet Identity, it’s an in-depth look at the global phishing problem in the second half of 2013. Overall, the picture isn’t pretty.

There were at least 115,565 unique phishing attacks worldwide during the period. This is one of the highest semi-annual totals we’ve observed since we began our studies in 2007.

The companies (brands) targeted by phishing targets were diverse, with many targeted for the first time. The criminals are looking for new opportunities in new places, among every kind of site that takes in user information.

The attacks occurred on 82,163 unique domain names. Most of those domains were hacked—on web servers that the phishers broke into, a testament to the vulnerability of hosting facilities. But at least 22,831 of the domain names were registered maliciously, by phishers. This is the highest number of malicious domain registrations we have ever counted. In fact, it was about four times as bad as during the same period a year before.

The domain registration problem is due almost entirely to Chinese phishers. Of those 22,831 malicious domain registrations, 85% were registered to phish Chinese targets—services and sites in China that serve a primarily Chinese customer base.

Where did they get the domains? In various TLDs, including .COM, .INFO, .CN, and .ASIA, and using 230 different ICANN-accredited registrars. A notable portion of the problem clusters around nine Chinese registrars. And about 28% of the world’s malicious registrations were made at the free domain name registries offered by Freenom. Freenom is best known for running .TK, where free domains have made it the biggest ccTLD in the world. Late in 2013 Freenom obtained the rights to turn the .CF, .GA, and .ML registries into free registration zones too. Within a few months phishers registered at least 1,429 phishing sites in those three TLDs.

There was a bit of good news: The average uptimes of phishing attacks declined, and were close to historic lows. The average phish lasted 28 hours, which is enough time for a phisher to glean some user credentials. The median uptime in 2H2013 was 7 hours and 54 minutes, meaning that half of all phishing attacks stay active for less than 8 hours. This is the result of diligent work by brand victims, security companies and researchers, some registrars and registries, and hosting companies.

Take a few minutes to read the report. It’s a good way to know the enemy, and to protect your company and your users.

By Greg Aaron, President, Illumintel Inc. and Co-Chair of the APWG Internet Policy Committee.