by Posted by The Security Skeptic  21 November 2011


Colleagues Greg Aaron and Rod Rasmussen have released the 1H2011 APWG Global Phishing Survey which again provides a wealth of statistics and insights into phishing behavior and methodology.

One very positive bit of news is that the average duration of a phishing “uptime” (the amount of time phishers can inflict loss or harm) dropped over 25% from 2H2010 and the median of 10 hours 44 minutes is the lowest the authors have reported in four years.

On the down side, phishers continue to prefer compromised hosts over malicious registrations and have recycled an old attack to make this even more confounding to interveners and profitable for themselves. The Report explains that phishers have been very successful in exploiting virtual hosting services: by compromising a single server that supports virtual hosting, phishers can host the same phishing content in dozens of subdirectories.

The Report notes that phishers are also registering fewer domain names. Fewer than one in five phishing URLs included in the study were malicious registrations. However, there’s a dark lining in this seemingly silver cloud.

When phishers do register malicious domains, they are definitively bargain shoppers. They look for free or cheap registrations, or opportunities to buy in bulk, and they aren’t picky about the TLD. Of course, given the choice, phishers are happy to choose free over for fee. But free registrations are costly to everyone but phishers.

Free domain name registrations are offered by registries seeking to grow their market share but according to the Report, phishers flocked to the Tokelau registry. Malicious registrations in TK accounted for a staggering 88% of attacks against Chinese companies. TK’s operators have since increased measures to eliminate this attack vector through the unique approach of giving direct access to the registry so that their trusted partners can “automatically cancel any domain name registrations which they find are abused for spam, phishing, or malware”. This program will no doubt be exposed to considerable scrutiny but for the moment, it’s effectively reducing abuse.

Free domain name registrations by TLDs are not the only source of pain. Hosting companies that offer free “vanity names” to customers who host email or web sites of the form<customer_term>.<service_provider_sld>.TLD also cause considerable pain. According to the Report, subdomain registrations used for phishing now account for the bulk of phishing activity in certain TLDs. 

Subdomain registrations are problematic for brand and trademark protection: while measures taken to detect confusingly similar strings in domain name registrations have proven effective, the same is not so for subdomain “names”. The Report confirms that phishers routinely include brand names “somewhere in the URL, where potential victims may see it and be fooled. Internet users are rarely knowledgeable enough to be able to pick out the ‘base’ or true domain name being used in a URL.”

The subdomain registry CO.CC (the Cocos/Keeling Islands), the top offender in 1H2011, is taking measures to reduce abuse. Other operators in the Top 20 may voluntarily do so as well in 2H2011. If they don’t, the operators may find themselves in the company of CZ.CC at the receiving end of criminal complaints and restraining orders if other major brands followMicrosoft in aggressively seeking relief.

There’s much more in the Report. I find it worthwhile to compare past reports to present, to compare methodologies, observe trends and flocking behavior. I hope you find it as valuable as I have.