Interisle Consulting Group today released its fourth annual Phishing Landscape report investigating where and how cybercriminals acquire naming and hosting resources for phishing. Our study shows that cybercriminals evolved their tactics for obtaining attack resources, including sharply increasing their exploitation of subdomain and gateway providers. We also found that phishers continued to abuse domain names in known and persistent ways, including through the use of bulk registration and new generic top-level domains (new gTLDs.) The full Phishing Landscape 2024 report can be found at https://interisle.net/PhishingLandscape2024.
For our 2024 study we analyzed nearly four million phishing reports from four widely respected threat data providers (Anti-Phishing Working Group (APWG), OpenPhish, PhishTank, and Spamhaus) collected from May 2023 to April 2024. We then used data from our previous studies (available at the Cybercrime Information Center) to examine year-on-year trends. Among other findings, our study shows that:
- The total number of phishing attacks grew by nearly 50,000 attacks compared to last year, to just under 1.9 million incidents worldwide.
- While the number of unique domain names reported for phishing held relatively steady at just over 1.1 million, the use of subdomain providers for phishing rose 51% to over 450,000 reported names, representing 24% of all phishing attacks. The use of the decentralized InterPlanetary File System to host and launch phishing attacks also increased remarkably—up 1,300% to some 19,000 reported phishing sites.
- After the demise of the phish-friendly domain registry Freenom, cybercriminals also deepened their use of inexpensive domain names in new gTLDs. 42% of all domains reported for phishing were registered in new gTLDs, compared to 25% last year.
- The practice of registering of high volumes of domain names at one time (bulk registration) continues to be highly exploited by phishers. We found at least 27% of all domain names used in phishing attacks were registered in bulk.
- Four of the top five hosting providers used by phishers to host attacks were based in the United States. One U.S. hosting company accounted for over one-third of all phishing attacks.
- Domain name registration policies significantly affect the level of phishing in a TLD. Our study of ccTLD pricing and policies in Europe and the Asia-Pacific region shows that more robust customer verification requirements correlate with lower levels of phishing activity.
Phishing is the most commonly used tactic in the perpetration of cybercrime and a costly global threat. Balanced polices aimed at starving cybercriminals of the resources they need to conduct attacks are urgently required. Grounded in our findings, the study outlines a series of recommendations for curbing criminal access to attack resources and more effectively remediating phishing problems when they are found. Our recommendations include:
- Implement robust identify verification / certification requirements for parties wishing to bulk register domain names and reasonably limit the number of accounts and subdomains a customer can register at subdomain providers.
- Strengthen verification of customers and submitted registration information across the domain name, subdomain, and hosting industries, including implementing automated tools to screen for bogus registration data and fraudulent payment information.
- Expand the deployment of automated systems to screen for suspicious patterns of domain name and subdomain registrations, including algorithmically generated names and names deceptively similar to known brands.
- Implement more effective, proactive procedures to identify the use of hosting resources for cybercrime, including measures to suspend suspicious accounts in a timely way.
- Create “Trusted Reporter” programs across industry to facilitate swift suspension of phishing resources identified by recognized and trusted cybercrime monitors.
- More effective, outcome-oriented, cross-sector collaborations aimed at preventing and more quickly mitigating criminal access to phishing resources.
Ultimately, coordination, cooperation, and consistent action across a range of actors will be needed to create sustained, positive change in the phishing landscape. In addition to voluntary industry actions and policy changes through the ICANN process, action by government may be needed to foster effective solutions.