The bottom line on phishing

FAQ: Phishing tactics and how attackers get away with it

Phishing attacks on enterprises can be calamitous in terms of compromised networks or damaged brand names, and the Anti-Phishing Working Group (APWG), which aggregates and analyzes phishing trends data worldwide, offers some of the best insight from industry into what's occurring globally in terms of this cybercrime. The following list of frequently asked questions about phishing is derived from the APWG's April report that covers the period July-December 2012 worldwide.

Q: How many phishing attacks occurred in the second half of last year?

A: There were at least 123,486 unique phishing attacks worldwide. This is more than the 93,462 attacks that APWG observed in the first half of 2012. This is due to an increase in phishing attacks that leveraged shared virtual servers to compromise multiple domains at once.

Q: How many unique domain names were involved in the phishing attacks?

A: Due to the shared virtual server hacking, the attacks used 89,748 unique domain names -- up from the 64,204 domains used in the first half of 2012. In addition, 2,489 attacks were detected on 1,841 unique IP addresses, rather than on domain names, a trend that has remained steady for three years. None of these phishing attacks were reported on IPv6 addresses, however.

Q: How many of these domain names were maliciously registered by phishing attackers versus the number of domains that represent hacked or compromised ones on vulnerable Web hosting?

A: Of the 89,748 unique domain names, the APWG identified 5,835 domain names that it believes were registered maliciously by phishers. This number is down significantly from the 7,712 identified in the first half of 2012, continuing a downward trend since the count of maliciously registered domain names stood at 14,650 in the first half of 2011. The other 83,913 domains were almost all hacked or compromised on vulnerable Web hosting. The overall use of subdomain services for phishing fell from 14% to 8% of all attacks. Phishers continue to use "URL shortening" services to obfuscate phishing URLs, but such use involved only 785 attacks in the second half of 2012. Over 65% of the malicious shortened URLs used for phishing were found at a single provider.

Q: What top-level domains (TLDs) are the most popular for registration by phishers?

A: 82% of the malicious domain registrations were in just three TLDs: .COM, .TK (Thailand) and .INFO. PayPal is the most targeted brand, with 39% of all phishing attacks aimed at PayPal users. .COM contained 48% of the phishing domains in the APWG's data set, and 42% of the domains in the world. Thailand's .TH domain, which accounts for just over half of the world's malicious registrations made in the .TK registry, continues its high ranking as it has for several years, and it suffers from compromised government and university web servers, according to the APWG.

Q: What were the top registrars worldwide used by phishers to purchase domain names?

A: 21 registrars, several of them in China, accounted for 79% of the domains registered maliciously (a total of 2,991). These were Shanghai Yovole Networks; Chengdu West Dimension Digital Technology; Hang Zhou E-Business Services; Jiangsu Bangning Science; Beijing Innovative; 1API; Directi/PDR; HiChina Zhicheng; Melbourne IT; Xin Net Technology Corp; Fast Domain; eNom Inc.; OVH; GoDaddy; Tucows; 1 and 1 Internet AG.

Q: What's being seen in the trend toward mass break-in techniques?

A: Instead of hacking sites one at a time, the phisher can infect dozens, hundreds or even thousands of websites at once, depending on the server. In the second half of 2011, APWG identified 58,100 phishing attacks that used the mass break-in technique, representing 47% of all phishing attacks recorded worldwide at that time. In February 2012, attacks of this nature started up again, peaking in August 2012 with over 14,000 phishing attacks sitting on just 61 servers. Levels declined in late 2012 but are still high. These attacks, according to APWG, "turn compromised servers at hosting facilities into weapons" because hosting facilities contain large numbers of powerful servers with the type of network access that supports large amounts of traffic. This break-in tactic against virtual-server farms offers the attacker significantly more computing power and bandwidth than scattered home PCs.

Q: What more is evident about the link between shared hosting environments and phishing?

A: In late 2012 and into 2013, the APWG saw increasing use of tools targeting shared hosting environments, and particularly WordPress, cPanel and Joomla installations. For example, beginning in late 2012, criminals hacked into server farms to perpetrate extended DDoS attacks against American banks. In April 2013, there were brute-force attacks against WordPress installations at hosting providers in order to build a large botnet. Tens of thousands to hundreds of thousands of these shared servers have been cracked by such techniques. Access to and use of these boxes are then metered out in the criminal underground for all sorts of activities, including DDoS, malware distribution, and phishing. It all highlights the vulnerability of hosting providers, the software they use and weak password management. Rod Rasmussen, president and CTO at Internet Identity and co-chair of the APWG's Internet Policy Committee, says unpatched open-source software is a popular target, with attackers hitting the hosting providers that make the software available to their customers.

Q: How long do live phishing attacks typically last these days?

A: The average "uptime" as of the last half of 2012 was 26 hours and 13 minutes. The median uptime was 10 hours and 19 minutes -- said to be almost twice the historically low uptime of five hours and 45 minutes achieved in the first half of 2012. According to the APWG, the longer a phishing attack remains active, the more money the victims and target institutions lose. The first day of a phishing attack is believed to be the most lucrative for the phisher. The virtual-server-related attacks tended to be mitigated more efficiently, if only because they prompted many complaints to the hosting providers that were impacted.

Q: The APWG points out that malicious domain registrations remained under 10% of all phishing domains for the last three quarters of 2012. Any idea why?

A: Some factors may be contributing to the trend -- reputation services are blocking domains and subdomains quickly, registrars and registries are more responsive to malicious registrations and have better fraud controls, and phishers may be relying more on automated scripts to exploit large numbers of Web servers using known vulnerabilities.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email:
