« Domain Name Seizures Prominent in Dismantling the ZeuS botnet | Main | Book Review: The Alexandria Project »

Monday, 30 April 2012

APWG Global Phishing Survey 2H2011: Trends both encouraging and disturbing

Colleagues Greg Aaron and Rod Rasmussen have published the 2H2011 APWG study on global phishing trends. Some of the major findings from the report are encouraging. The average up time for phishing attacks has noticeably decreased, down from 73 hours in 2H2010 to a much improved 46 hours in 2H2011, with a median uptime of 11 hours. Most of the damage a phish inflicts occurs in the first two days of a campaign so the dramatic improvement in the average uptime is welcomed. While the median uptime for 2H2011 is roughly the same as 2H2011 and more improvement would be welcome (the 11 hours is a larger window than a suggested 4 hours, see Clayton2009, Moore2008) .

Also encouraging finding is that the number of brands targeted by phishers decreased. Well, this is at least encouraging to those brands that fell off the phishers' radars.  Those that remained targeted, however, are weathering a storm. Greg and Rod comment that "phishers launched fewer attacks on such targets through 2011, concentrating on larger, more prominent targets. We believe they did so because:

  1. "There is less money to be made off the smaller targets. It is easier for phishers to sell stolen credentials associated with more popular institutions.
  2. "Phishers advertise via spam. It is less efficient for them to spam out lures related to smaller targets, unless the phishers possesses a qualified list of e-mail addresses.
  3. "There is a growing emphasis on gaining access to e-mail accounts, which enable phishers to spam from whitelisted services such as Gmail, Hotmail, and so on."

CNNIC, APAC Join the Hunt

The staff at China Internet Network Information Center (CNNIC) and the Anti-Phishing Alliance of Chine (APAC) provided more information about Chinese phishing than was available for prior surveys. These data allowed Greg and Rod to call attention to behaviors unique to Chinese phishers, who prefer to use malicious registrations to host phishing attacks, for example, than to host phishing URLs on compromised servers. The data also show Taobao.com as second only to PayPal as the most targeted brand.

Whois from Domain Tools

The 2H2011 Survey is the first in this series to analyze where phishers register domain names. This kind of analysis relies on acquiring the Whois records that reflect the registration data that was used by the phisher at the time of registration. This analysis was made possible via WHOIS data captured byDomainTools.com. Domain Tools attempts to maintain histories of registration records from the time of domain name creation, so their contribution was critical to this analysis. The scores for registrars with more than 25 phishing domains and 1000 domains (from the Report):

Registrar

Subdomain registrations: 'told you so...

In November 2008, Rod Rasmussen and I published an APWG report, Making Waves in the Phisher’ Safest Harbors: Exposing the Dark Side of Subdomain Registries, where we observed that phishers were beginning to use what subdomain registrations to host phish sites. We discussed measures individuals and organizations can consider if they opt to make these harbors less attractive and effective to phishers. Apparently, few people paid attention, because phishers registered more subdomains in 2H2012 than domain names.

Subdomain
As with all the bi-annual reports of this series, Global Phishing Survey: Domain Name Use and Trends in 2H2011 analyzes data from multiple phish reporting and monitoring resources to assess phishing and e-criminal activity. Greg and Rod are also able to use past survey results to illustrate trends that reports from anti-malware companies often do not include.

The report is always worth reading in its entirety. It's always done professionally, with great attention to detail and a disciplined approach to intepreting data that is hard to find and easy to admire.

Posted at 03:52 PM in Anti-Malware and Anti-phishing, Domain names and DNS |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)

Find me on Mastodon and Facebook

Spotlight Posts

  • Interisle study reveals that phishing attacks have tripled since May 2020, situation worsening each year
    My colleagues at Interisle Consulting Group and I today announced the publication of an industry report, Phishing Landscape 2023, A Study of the Scope and Distribution of Phishing. We analyzed more than 11 million phishing reports collected from 1 May 2020 to 30 April 2023 to provide annual and triennial measurements of phishing. Our study identifies distinct, persistent exploitation and abuse of Internet resources, reveals that criminals can trivially acquire everything they need to phish. Among the major findings in the study, Interisle reports that: The number of phishing attacks has tripled since May 2020, and has increased 65% over...
  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.

Search

My Photo

Categories