All matters security

Monday, 04 October 2021

Study reports a 70% increase in phishing from May 2020 through April 2021

My Interisle colleagues, together with Greg Aaron of Illumintel, have published a study of the scope and distribution of phishing.

From 1 May 2020 through 30 April 2021, we collected nearly 1.5 million phishing reports. Our analyses found ~700,000 phishing attacks among the reports collected.

Highlights from the study:

 

Phishing increased by nearly 70% over the yearly period. 

 

Most phishing is concentrated at small numbers of
domain registrars, domain registries, and hosting providers.

 

The top 10 brands targeted accounted for 46% of the phishing attacks associated with specific brands.

 

Phishing attacks are disproportionately concentrated in new Top-level Domains (TLD).

 

We studied registration behaviors among phishers and found that when phishers register domains, they tend to use them quickly.

 

57% of domains reported for phishing were used within 14 days following registration and more than half of those were used within 48 hours.

 

We also developed a method for distinguishing maliciously registered domain names from legitimate but compromised domain names and found that

 

65% of phishing occurs on domains registered by phishers, for phishing attacks.


Interisle’s report is available at https://interisle.net/PhishingLandscape2021.html.

Posted at 09:54 AM in All matters security, Anti-Malware and Anti-phishing | | Comments (0)

Monday, 25 January 2021

In new study Interisle Reveals Excessive Withholding of Internet WHOIS Data

My  Interisle colleagues, together with Greg Aaron, have completed an in-depth analysis of the effects of ICANN policy for WHOIS, a public lookup service that has until recently made it possible to identify who registered and controls a domain name. 

The European Union’s General Data Protection Regulation (GDPR), adopted in May 2018, restricted the publication of personally identifiable data in WHOIS. In response, the Internet Corporation for Assigned Names and Numbers (ICANN) established a new policy, allowing registrars and registry operators to redact (withhold) personally identifiable data from publication in WHOIS. The implementation of this policy has been widely criticized, in particular, for failing to discriminate between legal entities and natural persons and for failing to scope the application of redaction to parties operating or residing in the EU's "jurisdiction". This over-redaction is alleged to interfere with parties who have legitimate reasons to contact domain owners (e.g., to notify a victim of a phishing attack) or who are investigating the thousands of domains used daily to perpetrate fraud (business email compromise), extortion (ransomware) or to foment political unrest (state sponsored election interference) or social uncertainty (anti-science rhetoric). 

In 2013, ICANN commissioned NORC/University of Chicago to conduct a WHOIS Registrant Identification Study  Despite the obvious benefit of having more recent data to inform policy, ICANN avoided studying the "demographics" of domain name registrations but instead allowed its community to  develop policy with no answers to the following relevant and compelling questions:

  1. What percentage of gTLD domains have actual registrant data on record?
  2. What percentage of gTLD domains are under privacy/proxy services, and which services?
  3. What percentage of gTLD domains have contact data that is redacted/hidden under ICANN’s Temporary Specification?
  4. What percentage of gTLD domains have redacted contact data but are not subject to GDPR? 
  5. What percentages of gTLD registrants are natural versus legal persons? Of these, how many are inside versus outside the jurisdiction of the European Union?  What is the relative percentage of privacy/proxy use among legal persons?
  6. What are the percentages for gTLD domains registered for malicious purposes (cybercrimes such as malware and phishing)?

We adopted the NORC methodology terms of reference and conducted our own study to answer these questions in our WHOIS Contact Data Availability and Registrant Classification Study, where we also compare the answers to 1-6 above to the state that existed in early 2018, before the GDPR and ICANN’s ill-advised took effect.

Some takeaways from the study:


ICANN’s GDPR-driven policy has resulted in the redaction of contact data for 57% of all generic Top-level Domain (gTLD) names.

ICANN’s policy has allowed registrars and registry operators to hide much more contact data than is required by the GDPR—perhaps five times as much.

Including “proxy-protected” domains, for which the identity of the domain owner is deliberately concealed, 86.5% of registrants can no longer be identified via WHOIS—up from 24% before the ICANN policy went into effect.

The implications of this ICANN policy change are profound: consumers can no longer use WHOIS to confirm the identities of parties they may want to transact with on the Internet, it is harder for law enforcement personnel and security professionals to identify criminals and cybercrime victims, and brand owners face greater challenges defending misuse of their intellectual property.

We hope that our study provides policy decision makers, regulators, and legislators with the bases to make more informed policy or if need be to impose regulatory obligations to (i) continue to offer GDPR privacy protections to intended parties but to (ii) cease the needless suppression of contact data that is needed to maintain a secure and interoperable Internet.

Posted at 09:06 AM in All matters security, Anti-Malware and Anti-phishing, Domain names and DNS, Malware | | Comments (0)

« Previous | Next »
Find me on Mastodon and Facebook

Spotlight Posts

  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...

Search

My Photo

Categories