Colleagues Greg Aaron and Rod Rasmussen have published the 2H2011 APWG study on global phishing trends. Some of the major findings from the report are encouraging. The average uptime for phishing attacks has noticeably decreased, down from 73 hours in 2H2010 to a much improved 46 hours in 2H2011, with a median uptime of 11 hours. Most of the damage a phish inflicts occurs in the first two days of a campaign, so the dramatic improvement in the average uptime is welcome. The median uptime for 2H2011, however, is roughly the same as 2H2011, and more improvement would be welcome (the 11 hours is a larger window than a suggested 4 hours; see Clayton2009, Moore2008).
Another encouraging finding is that the number of brands targeted by phishers decreased. Well, this is at least encouraging to those brands that fell off the phishers' radars. Those that remained targeted, however, are weathering a storm. Greg and Rod comment that "phishers launched fewer attacks on such targets through 2011, concentrating on larger, more prominent targets. We believe they did so because:
- "There is less money to be made off the smaller targets. It is easier for phishers to sell stolen credentials associated with more popular institutions.
- "Phishers advertise via spam. It is less efficient for them to spam out lures related to smaller targets, unless the phishers possesses a qualified list of e-mail addresses.
- "There is a growing emphasis on gaining access to e-mail accounts, which enable phishers to spam from whitelisted services such as Gmail, Hotmail, and so on."
CNNIC, APAC Join the Hunt
The staff at China Internet Network Information Center (CNNIC) and the Anti-Phishing Alliance of China (APAC) provided more information about Chinese phishing than was available for prior surveys. These data allowed Greg and Rod to call attention to behaviors unique to Chinese phishers, who, for example, prefer to use malicious registrations to host phishing attacks rather than host phishing URLs on compromised servers. The data also show Taobao.com as second only to PayPal as the most targeted brand.
Whois from Domain Tools
The 2H2011 Survey is the first in this series to analyze where phishers register domain names. This kind of analysis relies on acquiring the Whois records that reflect the registration data the phisher used at the time of registration. This analysis was made possible via WHOIS data captured by DomainTools.com. Domain Tools attempts to maintain histories of registration records from the time of domain name creation, so their contribution was critical to this analysis. The scores for registrars with more than 25 phishing domains and 1000 domains (from the Report):
Subdomain registrations: 'told you so...
In November 2008, Rod Rasmussen and I published an APWG report, Making Waves in the Phishers’ Safest Harbors: Exposing the Dark Side of Subdomain Registries, where we observed that phishers were beginning to use subdomain registrations to host phish sites. We discussed measures individuals and organizations can consider if they opt to make these harbors less attractive and effective to phishers. Apparently, few people paid attention, because phishers registered more subdomains in 2H2012 than domain names.
As with all the bi-annual reports of this series, Global Phishing Survey: Domain Name Use and Trends in 2H2011 analyzes data from multiple phish reporting and monitoring resources to assess phishing and e-criminal activity. Greg and Rod are also able to use past survey results to illustrate trends that reports from anti-malware companies often do not include.
The report is always worth reading in its entirety. It's always done professionally, with great attention to detail and a disciplined approach to interpreting data that is hard to find and easy to admire.