Colleagues Greg Aaron (Illumintel) and Rod Rasmussen (Internet Identity) have published another comprehensive survey on phishing patterns, behavior and impact. With Greg's permission, I'm posting his summary of highlights from the Report.
The APWG Global Phishing Survey Report (2H2012) contains key stats and analysis for the time period July-December 2012, including what top-level domains were used, phishing site uptimes, and at what registrars phishers registered domain names.
Highlights from the Report:
- Attacks made by compromising virtual hosting accounted for 47% of all phishing attacks in the period. Breaking into hosting providers has been a high-yield activity of the bad guys, since it allows them to mount phish on hundreds of domains at a time. Those compromised sites also have higher reputations than new domains. This activity fits into a larger criminal trend: the targeting of shared hosting environments (notably WordPress, cPanel, and Joomla installations) to create botnets, wage DDoS attacks, etc. (pages 5-6)
- The number of domain names registered by phishers has dropped by 60% since 2011. Instead, phishers are using alternatives that are more attractive, such as those mass compromises on shared hosting platforms, and registering subdomains, which can be cheap and are often not well managed by their registrar/registry. Phishers registered more subdomains than “regular” domain names (pages 16-17).
- On the other hand, Chinese phishers generally prefer to make domain registrations, as they continue their attacks on Chinese targets such as Taobao.com and CCTV. Some Chinese phishers are also going after gaming site Battle.net a lot. A set of small Chinese registrars has prevalent phishing registrations (pages 14-15).
Skeptic: The report, as always, is well worth reading and sharing.