|
Highlights from the latest research published by the Anti-Phishing Working Group (APWG)
Criminals behind phishing attacks are constantly looking for new vulnerabilities.
The latest Anti-Phishing Working Group (APWG) Global Phishing Survey, which analyzed over 100,000 phishing attacks in the first half of 2014, examines the progress that top level domains (TLDs) are making in responding to phishing attacks that use their TLDs.
The report finds the .INFO domain has the lowest average phishing uptimes as compared to other TLDs, such as .COM and .NET.
Key Findings
Quick Phishing Takedowns Matter
The first day of a phishing attack is the most lucrative for the phisher, so quick takedowns are critical. Large, generic top-level domains are usually big targets for phishers, because these TLDs are the most familiar to the average Internet user. Among these domains, .INFO (owned and operated by Afilias), .ORG (owned by PIR and operated with Afilias technology), and .BIZ (operated by Neustar) have formal notification and takedown programs in place, according to the APWG report.
With .INFO and .ORG, Afilias proactively monitors and looks for malicious or compromised domains (see next section for more details), allowing for efficient detection, analysis, and confirmation of phishing. Evidence of the phishing is then immediately reported to registrars to quickly mitigate the abuse.
.INFO has the shortest average phishing uptimes in June 2014:
Source: Anti-Phishing Working Group (APWG) Global Phishing Survey
Trends and Domain Name Use report (PDF)
Rigorous Scrubbing Matters
While the majority of attackers use compromised websites to host their attacks, a quarter of all attacks (25.8%) are carried out via domain names registered by phishers. Rigorously watching domain name portfolios, and scrubbing them quickly to get rid of phishing domains, makes a big difference. For example, Afilias uses proprietary abuse-detection and pattern-recognition systems to monitor registrations, usage, and queries, on a daily basis, along with alarms and alerts. Other registries use different methods to achieve similar end-goals. Strong working relationships with registrars are crucial, since they have the ability to respond quickly to problems.
The APWG reports use two particularly useful metrics:
Phishing Domains per 10,000. This ratio shows how many domain names were used for phishing in a TLD as compared to the total number of registered domain names in that TLD, revealing whether a given TLD has a higher or lower incidence of phishing relative to others.
Malicious Domains per 10,000 Domains. This ratio reveals how many domains in a TLD were “malicious” registrations (domains reported for phishing shortly after being registered) as compared to the total number of registered domains names in that TLD, revealing whether a TLD has a higher or lower incidence of malicious registrations relative to others.
TLD | Phishing Domains/10,000 | Malicious Domains/10,000 |
.com | 4.1 | 1.2 |
.net | 2.9 | 0.5 |
.org | 3.2 | 0.2 |
.info | 2.1 | 0.4 |
.biz | 1.6 | 0.1 |
Source: Anti-Phishing Working Group (APWG) Global Phishing Survey
Trends and Domain Name Use report (PDF)
New TLDs Not (Yet?) Attractive to Phishers
The introduction of hundreds of new generic TLDs in 2014 did not create a new phishing haven. In fact, most of the new generic TLD domains used for phishing were not themselves malicious domains, but were on compromised web sites. As the APWG report points out, phishers usually don’t register domains that contain brand names, since most brand owners proactively scan internet zone files for their brand names and can quickly identify these phishing sites.
Some of the new “restricted” generic TLDs offer an additional layer of protection against malicious registrations—with their verification requirements. The .ORGANIC domain, for example, is available only to producers of organic products and services, and to others who serve the organic community. Similarly, .NGO and .ONG will be available only to qualified NGO organizations. Few, if any, phishing criminals will pass the verification process, and most won’t even try.
Conclusion
Registries must stay on top of the new tricks and tactics employed by phishers, and constantly improve their security measures to make top-level domains safe.
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byRadix
Sponsored byCSC
Sponsored byIPv4.Global
...isn’t .TRUST new gTLd supposed to change all this?
The .TRUST TLD is also likely to be subject to phishing campaigns; they will also need to have a robust response mechanism when this happens.
According to the article after, it does not seem to worry :-)
https://www.nccgroup.com/en/blog/2014/11/customer-confusion-over-newish-gtlds-targeting-financial-services/
Well, there’s marketing and there’s what happens in real life :)
As a co-author of the APWG report, I must note that .INFO did not have “the lowest average phishing uptimes” as the above article states. Among the large legacy gTLDs—the TLDs represented on the cited chart—.BIZ had both the lowest average and median uptimes during the study period. .ORG also had average and median uptimes that were lower than .INFO. The only time .INFO had the lowest average in its peer group was in the month of June, as the chart illustrates.
The stats for all gTLDs and ccTLDs can be seen in the APWG report’s appendix.
—Greg Aaron
Greg, thanks for providing clarity on this. I’ll see how to revise the article to more accurately reflect the results.
Greg, corrected
Interesting summary Ram, glad you continue to provide these (albeit a little dated :-).
FWIW, your heading ‘New TLDs Not (Yet?) Attractive to Phishers’ is dangerously misleading and conveys a false sense of security. Security professionals have already documented the use of new gTLDs such as .SUPPORT to enhance the effectiveness of phishing attacks by giving the appearance of a legitimate “support” site, and the fact that legitimately-issued SSL certificates are uniquely available to registrants in new gTLDs for use in giving phishing attacks cryptographic legitimacy is arguably confusing users.
For an example see CSO Online’s recent article titled “Recently introduced TLDs create new opportunities for criminals” for an example.
Also, other key observations this APWG report highlighted (but not in your summary) included:
“Second, most of the new gTLDs have been in their early phases of introduction. Those that have been available for purchase by the general public have usually been priced higher than .COM and other popular legacy TLDs. Phishers and spammers have been able to get cheaper domain names in the legacy TLDs.
This situation will certainly change, though. As autumn 2014 begins, the new gTLD market is becoming more crowded and competitive, and some registries have begun to compete aggressively on price. As prices drop and the new gTLDs gain more adoption, we are seeing an increase in phishing on new gTLD domains, due to both malicious registrations and compromised domains on hacked servers. Anecdotal discussions in the security community also indicate that malware authors and other miscreants are experimenting with registering domains in some of the new gTLD domains for various malicious activities.”
I look forward to the APWG’s continued work product in this area, they’re doing good stuff!
Hi Danny, thanks for the excellent comments. Blush re. quoting the report from summer, it’s just how things roll sometimes!
I agree that all new gTLDs are going to be targets. I was summarizing from the APWG report that didn’t find evidence of large scale phishing on new gTLDs, although as you can see from my conclusion as well as comments above, I believe that it’s a matter of when, not if. Anyone who gets a sense of security reading this is going to be in for a surprise, sooner than later.
Yes, the APWG work in this area is useful and illustrative of the need to keep a clear focus on security when working with TLDs.