Global Phishing Survey: Period July - Trends and Domain December 2011 Name Use in 2H2011
Total Page:16
File Type:pdf, Size:1020Kb
Global Phishing Survey: Period July - Trends and Domain December 2011 Name Use in 2H2011 Unifying the Global Response To Cybercrime An Published April 2012 APWG Industry An APWG Industry Advisory Advisory1 http://www.apwg.org ● [email protected] PMB 246, 405 Waltham Street, Lexington MA USA 02421 Published April 26, 2012 Authors: Greg Aaron, Afilias <gaaron at afilias.info> and Rod Rasmussen, Internet Identity <rod.rasmussen at internetidentity.com> Research, Analysis Support, and Graphics: Aaron Routt, Internet Identity Table of Contents TABLE OF CONTENTS .......................................................................................................... 2 OVERVIEW ............................................................................................................................ 3 BASIC STATISTICS ................................................................................................................ 3 SHIFTING TARGETS .............................................................................................................. 5 PHISHING BY UPTIME ......................................................................................................... 8 PREVALENCE OF PHISHING BY TOP-LEVEL DOMAIN (TLD) ..................................... 10 COMPROMISED DOMAINS VS. MALICIOUS REGISTRATIONS ................................ 12 REGISTRARS USED FOR MALICIOUS DOMAIN REGISTRATIONS ............................. 13 USE OF SUBDOMAIN SERVICES FOR PHISHING ......................................................... 14 SHARED VIRTUAL SERVER HACKING ............................................................................ 16 USE OF INTERNATIONALIZED DOMAIN NAMES (IDNS) ............................................ 17 USE OF URL SHORTENERS FOR PHISHING .................................................................... 18 CONCLUSIONS.................................................................................................................. 19 APPENDIX: PHISHING STATISTICS AND UPTIMES BY TLD .......................................... 20 ABOUT THE AUTHORS & ACKNOWLEDGMENTS ......................................................... 30 Disclaimer: PLEASE NOTE: The APWG and its cooperating investigators, researchers, and service providers have provided this study as a public service, based upon aggregated professional experience and personal opinion. We offer no warranty as to the completeness, accuracy, or pertinence of these data and recommendations with respect to any particular company’s operations, or with respect to any particular form of criminal attack. This report contains the research and opinions of the authors. Please see the APWG web site – apwg.org – for more information. An APWG Industry Advisory 2 http://www.apwg.org ● [email protected] PMB 246, 405 Waltham Street, Lexington MA USA 02421 Global Phishing Survey 2H2011: Trends and Domain Name Use Overview Phishers are always refining their methods, to take advantage of new opportunities and circumvent defenses. In the second half of 2011 we discovered several such shifts, with significant implications for phishing targets, service providers, and anti-phishing responders. We hope that bringing new trends to light will lead to improved anti-phishing measures. This report seeks to understand trends and their significances by quantifying the scope of the global phishing problem. Specifically, this new report examines all the phishing attacks detected in the second half of 2011 (“2H2011”, July 1, 2011 through December 31, 2011). The data was collected by the Anti-Phishing Working Group, and supplemented with data from several phishing feeds, CNNIC, and private sources. The APWG phishing repository is the Internet’s most comprehensive archive of phishing and e-mail fraud activity. Our major findings in this report include: 1. In 2H2011, the average uptime of all phishing attacks dropped notably. (Pages 8-9) 2. For the first time, phishers registered more subdomains than regular domain names. (Pages 14-16) 3. Attacks by Chinese phishers have exploded. Chinese e-commerce site Taobao.com became the world’s most-attacked target. Phishers attacking Chinese institutions were responsible for 70% of all malicious domain name registrations made in the world. These phishers especially use free and low- priced domain providers outside of China. (Pages 6-7) 4. The number of targeted institutions has dropped; phishers concentrated on larger or more popular targets. (Pages 5-7) 5. Malicious domain name registrations are concentrated by domain registrar, and by TLD. (Pages 12-14) Basic Statistics Millions of phishing URLs were reported in 2H2011, but the number of unique phishing attacks and domain names used to host them was much smaller.1 The 2H2011 data set yields the following statistics: There were at least 83,083 unique phishing attacks worldwide, in 200 top-level domains (TLDs). This is far less than the 112,472 attacks we observed in the first half of 2011. The decrease is due in part to a decrease in phishing attacks that leveraged shared virtual servers to compromise multiple domains at once. An “attack” is defined as a phishing site that targets a specific brand or entity. One 1 This is due to several factors: A) Some phishing involves customized attacks by incorporating unique numbers in the URLs, often to track targeted victims, or to defeat spam filters. A single phishing attack can therefore manifest as thousands of individual URLs, while leading to essentially one phishing site. Counting all URLs would therefore inflate some phishing campaigns. Our counting method de-duplicates in order to count unique attacks, and has remained consistent across this and our previous reports. B) Phishers often use one domain name to host simultaneous attacks against different targets. Some phishers place several different phishing attacks on each domain name they register. C) A phishing site may have multiple pages, each of which may be reported. An APWG Industry Advisory 3 http://www.apwg.org ● [email protected] PMB 246, 405 Waltham Street, Lexington MA USA 02421 Global Phishing Survey 2H2011: Trends and Domain Name Use domain name can host several discrete attacks against different banks, for example. The attacks used 50,298 unique domain names.2 Again, this is down significantly from the 79,753 domains used in 1H2011. The number of domain names in the world grew from 218.8 million in May 2011 to 229.3 million in November 2011.3 In addition, 2,288 attacks were detected on 1,681 unique IP addresses, rather than on domain names. (For example: http://79.173.233.18/paypal/.) The number of attacks using IPs has remained consistent for two years, and is down just slightly from 2,960 attacks using 2,385 unique IPs recorded in 1H2012. None of these phish sat on IPv6 addresses. Of the 50,298 phishing domains, we identified 12,895 that we believe were registered maliciously, by phishers. This is down from 14,650 in 1H2011. Of those, 7,991 (62%) were registered to phish Chinese targets. The other 37,403 domains were hacked or compromised on vulnerable Web hosting. We counted 487 target institutions, down from 587 in 2H2010. Targets include the users of banks, e-commerce sites, social networking services, ISPs, government tax bureaus, online gaming sites, postal services, and securities companies. Phishing is generally distributed by top-level domain market share, but 93% of the malicious domain registrations were in just four TLDs: .TK, .COM, .INFO, and .IN. Only about 4% of all domain names that were used for phishing contain a brand name or variation thereof. (See “Compromised Domains vs. Malicious Registrations.”) Only 36 of the 79,753 domain names we studied were internationalized domain names (IDNs), and three were homographic attacks. 140,000 120,000 100,000 80,000 Attacks Domains 60,000 Malicious Domains 40,000 20,000 0 1H2009 2H2009 1H2010 2H2010 1H2011 2H2011 2 “Domain names” are defined as second-level domain names, plus third-level domain names if the relevant registry offers third-level registrations. An example is the .CN (China) registry, which offers both second-level registrations and third-level registrations (in zones such as com.cn, gov.cn, zj.cn, etc.). However, see the “Subdomains Used for Phishing” section for commentary about how these figures may undercount the phishing activity in a TLD. 3 As per our research; including gTLD stats from ICANN.org and stats provided by the ccTLD registry operators. An APWG Industry Advisory 4 http://www.apwg.org ● [email protected] PMB 246, 405 Waltham Street, Lexington MA USA 02421 Global Phishing Survey 2H2011: Trends and Domain Name Use Basic Statistics 2H2011 1H2011 2H2010 1H2010 2H2009 Phishing 50,298 79,753 42,624 28,646 28,775 domain names Attacks 83,083 115,472 67,677 48,244 126,697 TLDs used 190 200 183 177 173 IP-based phish 1,720 2,385 2,318 2,018 2,031 (unique IPs) Maliciously registered 12,895 14,650 11,769 4,755 6,372 domains IDN domains 36 33 10 10 12 For most domain names in this report, the registrar of record was not reported at the time the phish was live. Obtaining accurate registrar sponsorship data for a domain name requires either time-of-attack WHOIS data, or historical registry-level data. This data has not been collected in a comprehensive manner by the anti-phishing community, and is typically unavailable, especially in the ccTLD space. However, we were able to obtain a significant amount of gTLD registrar information for this survey from DomainTools, a company that tracks WHOIS data, and were thus