Home / News I have a News Tip

New Research Finds Over 80% of Domain Names Used by Phishers Are Legitimate Domains

New research from the Anti-Phishing Working Group (APWG) has found that up to 81% of domain names used for phishing are legitimate domains that have been hacked. More specifically, out of the 30,454 phishing domains under observation, only 5,591 domain names (18.5%) were registered by phishers according to APWG. The remaining small percentage of the domains used in phishing belonged to subdomain resellers such as ISPs and other web-based services.

"Phishing most often takes place on compromised Web servers, where the phishers place their phishing pages unbeknownst to the site operators,"" says APWG. "This method gains the phishers free hosting, and complicates take-down efforts because suspending a domain name or hosting account also disables the resolution of the legitimate user's site. Phishing on a compromised Web site typically takes place on a subdomain or in a subdirectory, where the phish is not easily noticed by the site's operator or visitors."

Major findings include:

1. Phishers are increasingly using subdomain services to host and manage their phishing sites. This trend shows phishers migrating to services that cannot be taken down by registrars or registry operators, thereby frustrating some takedowns and extending the uptimes of attacks.

2. Phishers continue to target specific TLDs and specific domain name registrars, and shift their preferences over time.

3. The amount of Internet names and numbers used for phishing has remained fairly steady over the past two years.

4. Anti-phishing programs implemented by domain name registries can have a remarkable effect on the up-times (durations) of phishing attacks.

5. There are decreases in phishing on IP addresses and the use of brand names in domain names to fool users. Phishers are not using IDNs (Internationalized Domain Names).

To download the full report from APWG click here (PDF).

Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Owners of hacked web servers need guidance Laura Mather  –  May 28, 2009 11:54 AM PDT

As mentioned in the post, a huge percent (>80%) of all phishing sites are hosted on web servers that have been hacked.  One scary thing about this statistic is that the owners of those web servers often have very little expertise to understand what is happening to them or how to rectify the situation.

It's because of this that the APWG published a best practices document that is complementary to the 2H2008 report referenced above.  The What to Do if Your Site has Been Hacked by Phishers best practices document gives general information about how to tell if your site has been hacked, what to do to remove the phish site, and how to harden you web server going forward.

The document was written by Suzy Clarke of ASB Bank in New Zealand and Dave Piscitello of ICANN's Security and Stability Advisory Committee.  Contributors include people from ISPs, financial institutions, and law enforcement.

As co-chair of APWG's Internet Policy Committee, I am thrilled that both the 2H2008 study and the "What to do if your site has been Hacked" document are getting recognition within the community.  We'd like to get the "Hacked" document to more web hosting providers.  We figure it's the web hosting providers who are often dealing with the owners of websites that have been hacked.  If you have any friends in the web hosting community, definitely feel free to forward the link to them and encourage them to send it to their customers when they suspect there may be a phishing issue.

To post comments, please login or create an account.

Related

Topics

DNS Security

Sponsored byAfilias

Domain Names

Sponsored byVerisign

IP Addressing

Sponsored byAvenue4 LLC

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byAfilias