Home / Blogs

Phishing: the Worst of Times in the DNS

Greg Aaron

The Anti-Phishing Working Group has released its latest Global Phishing Survey, written by myself and Rod Rasmussen. This report comprehensively examines a large data set of more than 250,000 confirmed phishing attacks detected in 2015 and 2016. By analyzing this cybercrime activity, we have learned more about what phishers have been doing, and how they have done it. Unfortunately, there's more phishing than ever, and phishers are registering more domain names than ever.

Our major findings include:

1. In 2016, the number of phishing attacks, and the number of domain names used for phishing, reached an all-time high.

2. Malicious domain name registrations are also at an all-time high, indicating detection and mitigation problems at certain registrars and registries. Historically, most phishing has occurred on conpromised domains, where phishers broke into innocent registrants' web hosting. But increasingly, phishers just go and register the domains they need. This major shift is concerning, and it means abuse detection and mitigation efforts are failing especially at certain registries and registrars.

3. Phishing in the new top-level domains (nTLDs) is rising and becoming more pervasive, but is not yet as pervasive as it is in the domain space as a whole. By the end of 2016, almost half of the nTLDs that were available for open registration had phishing in them. The nTLDs are also a place where phishers are purchasing domain names for themselves. Of the 6,549 domains used for phishing in the nTLDs in 2016, 86% (5,633) were registered maliciously.

4. New companies are constantly being targeted by phishers, while a few brands face an onslaught of thousands of attacks per year.

5. Contrary to conventional wisdom, phishers often wait up to three weeks before using domain names they have registered.

Full statistics and analysis of each of these topics — including breakdowns by TLDs and registrars — are included in the report.

In the meantime, phishers are employing another new trick that uses the domain name system. We call this "domain shadowing," and is when a phisher manipulates an unsuspecting company's DNS settings to insert multiple phishing sites onto the company's servers. This often results in hundreds of new phishing sites at a time.

Our statistics under-count the total amount of phishing that occurred in the wild — more attacks were undetected by our sources, and more attacks were reported but not confirmed. The numbers are a baseline compiled through collection and counting methods that have remained consistent over the years.

Those who operate Internet resources have the responsibility to do so in a secure and wise manner. We hope this report is helpful and provides information that will make the Internet a better place.

By Greg Aaron, VP iThreat Cyber Group, and Co-Chair of the APWG's Internet Policy Committee

Related topics: Cybercrime, Cybersecurity, DNS, Domain Names, Top-Level Domains


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


.BRAND new gTLDs are the solution... Jean Guillon  –  Jun 27, 2017 6:33 AM PDT

...to protect consumers: http://www.gtld.club/2017/05/brands-homograph-attacks.html

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

DNS Security

Sponsored by Afilias

Mobile Internet

Sponsored by Afilias Mobile & Web Services

IP Addressing

Sponsored by Avenue4 LLC


Sponsored by Verisign

Promoted Posts

Buying or Selling IPv4 Addresses?

ACCELR/8 is a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s to keep pace with the evolving demands of the market by applying processes that have delivered value for many of the largest market participants. more»

Industry Updates – Sponsored Posts

Domain Registrations Reach 331.9 Million, 6.7 Million Growth Year over Year

.brands Spotlight: Banking and Finance Industries

Google Buys Business.Site Domain for 'Google My Business'

Radix Announces Global Web Design Contest, F3.space

Global Domain Name Registrations Reach 330.6 Million, 1.3 Million Growth in First Quarter of 2017

.TECH Gets Its Big Hollywood Break

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

UDRP: Better Late than Never - ICA Applauds WIPO for Removing Misguided 'Retroactive Bad Faith'

The Rise and Fall of the UDRP Theory of 'Retroactive Bad Faith'

.PRESS Supports Press Freedom Day for 3rd Consecutive Year

Leading Internet Associations Strengthen Cooperation

5 Afilias Top Level Domains Now Licensed for Sale in China

Radix Announces Largest New gTLD Sale with Casino.Online

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital