How much phishing is there? Where is it occurring, and why? How can it be reduced? I and my colleagues at Interisle Consulting have just published a new study called Phishing Landscape 2020, designed to answer those questions. We assembled a deep set of data from four different, respected threat intelligence providers and enriched it with additional DNS data and investigation. The result is a look at phishing attacks that occurred in May through July 2020.
The data revealed more than 122,000 newly discovered phishing sites, on 99,412 different domain names. One of the things we established is that those numbers are just a floor. Phishing is a much larger problem than is reported, and we explore how this is due to gaps in detection, gaps in data sharing, and the lack of WHOIS data. An ominous problem is: how much phishing is not being detected at all?
The data also shows that most phishing is concentrated at a small number of domain registrars, domain registries, and hosting providers. These providers can make a significant impact on phishing if they implement better anti-abuse programs. The report breaks the data down, with rankings and ratings.
We took a special look at “maliciously registered domain names”—domains registered by the phishers themselves. These domains are important for two reasons. First, there are reliable ways that registrars and registry operators can identify them, often before they are used. Second, these domains can be suspended by registrars and registry operators without creating any collateral damage. The data shows that almost half of all maliciously registered domains were purchased at just ten gTLD registrars. More than 88% of the maliciously registered domains in our data set occurred in just 20 top-level domains. Again, this presents opportunities for a few providers to put a big dent in phishing.
We also looked at the timing of these domain name registrations, and at recent research about how long phishing attacks last. One of the conclusions is that registries, registrars, and hosting providers should implement better anti-abuse programs that focus more on prevention. Many anti-abuse programs focus on mitigation—taking steps to stop a phishing attack once it is underway. That’s a reactive stance, and by the time a mitigation effort gets underway, the phishing has already taken place. In some places, these reactive programs are allowing constant cycles of new phishing, leading to no overall improvement of Internet safety. Mitigation and proactive prevention are two very different things, both are possible to implement, and both are needed.
We invite you to read the full report, or just the executive summary.
Thank you for this study, which made some interesting reading. Identifying abusive registrations before they can be used is certainly the ideal situation; however, it is not as easy as you make it out to be.
Many registrars do not have access to the excellent data points that the report indicates are in our possession. As significant portions of the registrations are transacted through third parties, many registrars never see the payment details, source IPs or purchase histories of individual registrants for a majority of their registrations.
I have doubts about the usefulness of whois data for identifying abusive domain names. Over the past years, our own experience has shown that a vast majority of malicious registrations reported to us actually have the best quality of registration data as this data was freshly harvested from one of the many data lists out there.
Many contracted parties do use feeds to detect abusive domains, but some of the providers are less than helpful as they do not show their work, e.g. they list a domain as abusive but will not provide evidence of how that conclusion was reached. This increases the risk of taking action against a false positive.
One of the best and safest methods we do have at our disposal is to take proactive action based on reactive action already taken. By looking for common characteristics amongst other domains that match those of an already identified domain, we often detect domains likely to be used in an abusive manner before they become active.
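The comment above describes pivoting from one confirmed-abusive registration to other recent registrations that share its characteristics. As an added example, not from the report, its authors or the commenter, here is a minimal Python version of that pivot over constructed registration records; the record fields, the set of traits compared, the three-day window and the threshold of three shared traits are all assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Registration:
    domain: str
    registrar: str
    nameserver: str        # primary nameserver, normalised to lower case
    registered: date
    registrant_id: str     # opaque registrant handle, not raw WHOIS data

def name_shape(domain: str) -> str:
    """Coarse shape of the second-level label: letter runs -> 'w', digit runs -> '#'."""
    label = domain.split(".")[0].lower()
    return re.sub(r"\d+", "#", re.sub(r"[a-z]+", "w", label))

def shared_traits(seed: Registration, cand: Registration, window_days: int = 3) -> set:
    """Characteristics the candidate has in common with the confirmed-abusive seed."""
    traits = set()
    if cand.registrar == seed.registrar:
        traits.add("registrar")
    if cand.nameserver == seed.nameserver:
        traits.add("nameserver")
    if abs((cand.registered - seed.registered).days) <= window_days:
        traits.add("registration_window")
    if cand.registrant_id == seed.registrant_id:
        traits.add("registrant")
    if name_shape(cand.domain) == name_shape(seed.domain):
        traits.add("name_shape")
    return traits

def related_registrations(seed, candidates, min_traits=3):
    """(domain, traits) for every candidate sharing at least min_traits with the seed.
    The threshold is an assumption to be tuned against false positives."""
    hits = []
    for c in candidates:
        if c.domain != seed.domain:
            t = shared_traits(seed, c)
            if len(t) >= min_traits:
                hits.append((c.domain, t))
    return hits

# Constructed sample records; the domains, registrars and hosts are not real.
SEED = Registration("bank-verify-login-4471.example", "RegistrarA", "ns1.bulkhost.example", date(2020, 6, 2), "r-001")
CANDIDATES = [
    Registration("bank-secure-update-4472.example", "RegistrarA", "ns1.bulkhost.example", date(2020, 6, 2), "r-001"),
    Registration("account-login-alert-9031.example", "RegistrarA", "ns1.bulkhost.example", date(2020, 6, 3), "r-002"),
    Registration("flowershop.example", "RegistrarA", "ns1.other.example", date(2020, 6, 2), "r-003"),
    Registration("bakery-menu.example", "RegistrarB", "ns1.other.example", date(2020, 1, 15), "r-004"),
]
```

Only the two records that line up with the seed on registrar, nameserver, registration window and label shape are returned; the unrelated registration at the same registrar on the same day is not, which is the false-positive control the commenter is concerned about.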