« Online child predation rising during COVID lockdown | Main | In new study Interisle Reveals Excessive Withholding of Internet WHOIS Data »

Tuesday, 13 October 2020

New study: Phishing Landscape 2020

My colleagues Greg Aaron, Dr. Colin Strutt, Lyman Chapin and I have published a new research report, Phishing Landscape 2020: A Study of the Scope and Distribution of Phishing.

The report can be found at http://www.interisle.net/PhishingLandscape2020.html

Our goal in this study was to capture and analyze a large set of information about phishing attacks, to better understand how much phishing is taking place and where it is taking place, and to see if the data suggests better ways to fight phishing. We studied where phishers are getting the resources they need to perpetrate their crimes — where they obtain domain names, and what web hosting is used. We identify where additional phishing detection and mitigation efforts are needed and can identify vulnerable providers.

We collected URLs, domain names, IP addresses, and other data about phishing attacks from four widely used and respected threat data providers: the Anti-Phishing Working Group (APWG), OpenPhish, PhishTank, and Spamhaus. (We greatly appreciate the cooperation from these providers).

Over a three-month collection period, we learned about more than 100,000 newly discovered phishing sites.

Our major findings and conclusions are based on the data we collected:

  1. Most phishing is concentrated at small numbers of domain registrars, domain registries, and hosting providers.
  2. Phishers themselves register more than half of the domain names on which phishing occurs.
  3. Domain name registrars and registry operators can prevent and mitigate large amounts of phishing by finding and suspending maliciously registered domains.
  4. Registries, registrars, and hosting providers should focus on both mitigation and prevention.
  5. The problem of phishing is bigger than is reported, and the exact size of the problem is unknown. This is due to gaps in detection and in data sharing. The over-redaction of contact data in WHOIS is contributing to the under-detection problem.
  6. Sixty-five percent of maliciously registered domain names are used for phishing within five days of registration.
  7. New top-level domains introduced since 2014 account for 9% of all registered domain names, but 18% of the domain names used for phishing.
  8. About 9% of phishing occurs at a small set of providers that offer subdomain services.

The data set that we collected for this study is quite interesting. Key statistics:

  • 298,012 phishing reports. This is the number of URLs and domains that were added to the four feeds during the study period. Duplicates, i.e., URLs reported separately by one or more of the sources, were removed.
  • 122,092 phishing attacks. From the reports, we identified phishing site (a web location) that targeted a specific brand or entity. We call these "attacks" (the methodology describes how we identified attacks).
  • 99,412 unique domain names. This is the number of unique "registrations", e.g., second-level domain names and third-level domain names where the relevant registry offers third-level registrations (such as domain.co.uk).
  • 439 top-level domains. This is the number of TLDs where at least one phish was reported.
  • 414 registrars. This is the number of registrars that sponsored gTLD domains that were used for phishing. (A registrar is a businesses that processes domain registrations.
  • 2,169 different Autonomous Systems (AS). This is the number of Autonomous Systems where a phish was reported in at least one IP space delegated from the AS. 
  • 619 attacks on URLs that contained IPv4 addresses and no domain name.

We also identified 60,935 maliciously registered domain names. Of the 99,412 domains used for phishing, we identified 60,935 that we believe were registered maliciously, by phishers. The rest were “compromised domains,” owned by innocent parties on vulnerable hosting.

During our collection period, phishers targeted a whopping 684 brands. The phishing sites emulated 684 different entities. The most-attacked targets identified by our data sources were, in alphabetical order: Amazon, Apple, AT&T, Chase, Facebook, LinkedIn, Microsoft, Outlook (owned by Microsoft), PayPal, and WhatsApp. These top ten targets suffered 50% of the identified phishing attacks. 

One of our most important findings is that:

"Domain name registrars and registry operators are [ ] in an excellent position to find and
prevent the majority of phishing, which takes place on maliciously registered domains. It is possible
for registrars and registry operators to identify maliciously registered phishing domains with a high
degree of accuracy, often at the time of registration... Registrars also possess dispositive information that no one else does: the registrant’s identity (contact information, now mostly redacted in public WHOIS as allowed by a recent change in ICANN policy), the registrant’s payment information, the registrant’s IP address, and the
registrant’s purchase history."

From this finding, I'll suggest that

With great (or in this case, unique) power comes great responsibility. 

ICANN should contemplate carefully how its Whois policy has affected phishing and other cyber attack response and mitigation. Registrars and registries are now the only parties who can reliably access contact data in a timely manner (e.g., in minutes or hours). In our report, we describe proactive or preemptive measures that ICANN's contracted parties could adopt to quash some phishing attacks before harm is done. It's time to step up your game.

Posted at 01:59 PM in Anti-Malware and Anti-phishing |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

It is neccesary to protect us from phishing, malwares, hacking and data information stealing. Cybersecurity blogs are extraordinarily useful to learn about threats and how we can protect from it.

Posted by: MelvinHurtado | Saturday, 30 January 2021 at 11:42 PM

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)

Find me on Mastodon and Facebook

Spotlight Posts

  • Cybercrime Reported in April 2025
    In today's Interisle Insights, Colin Strutt looks at cybercrime activity collected at the Cybercrime Information Center for the month of April 2025.We point out anything that strikes us as particularly interesting in overall numbers as well as significant changes in ranking for Top Level Domains (TLDs), Registrars, and Hosting Networks. Read Cybercrime Reported in April 2025. Interisle Insights is a reader-supported publication. To receive new posts and support our work, consider becoming a free or paid subscriber. Join now!
  • Malware Trends: January - March 2025
    Malware activity reports for the quarter are now posted at the Cybercrime Information Center. Our key statistics show small quarter-over-quarter increases in malicious IP address malware records (Traffic Injectors and Attackware) and unique IPv4 addresses reported as serving or distributing malware, and but meaningful decreases in both endpoint and IoT malware reported. Read Malware Trends: January - March 2025
  • The World's Phishiest Neighborhoods
    In this Interisle Insights article, we take a closer look at our data to better understand what’s hosted at three autonomous systems which have appeared at or near the top in recent quarters. We’ll also review who’s being targeted by these attacks and what corresponding name and address resources are most frequently exploited. Autonomous systems are blocks of Internet addresses, which you can compare to "neighborhoods" in a city. And like any city, some neighborhoods are safe and some are not. The full article, The World's Phishiest Neighborhoods, is hosted here.
  • Interisle Study Reveals Alarming Rise in Online Abuse and Identifies Exploitable Links in Cybercriminal Supply Chains
    My Interisle colleagues and I today published our 2024 Cybercrime Suppy Chain study. We analyzed 16 million cybercrime events to expose a dramatic rise in criminal exploitation of name, address, hosting, and financial supply chains. Our year-over-year findings show that cybercriminals exploit lax policies to easily and cheaply obtain resources for phishing, malware, and spam campaigns. In our report, we provide actionable insights for those aiming to curb cybercrime. Among the major findings in the study, Interisle reports that: The total number of malware, phishing, and spam attacks grew year-over-year by nearly 54%, to nearly 16.3 million attacks. Spam doubled,...
  • Malware quarterly reports for July-September
    Malware quarterly reports for July-September 2024 is now posted at the Cybercrime Information Center. For the period... Malware identified as targeting endpoint devices increased 277% over the prior period. WordPress blog sites used for malware accounted for nearly all the malicious documents reported for this period. We continue to see an uptick in malicious scripts. IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors increased 38% to just under 1 million. ASNs in China and India again have the most IPv4 addresses reported for hosting malware. More malware trends for the period at https://www.cybercrimeinfocenter.org/malware-trends-july-september-2024. For historical reporting of...

Search

My Photo

Categories