FAQ: Phishing tactics and how attackers get away with it

Latest Anti-Phishing Working Group report shows rise of attacks on virtual-server farms at hosting facilities


Phishing attacks on enterprises can be calamitous in terms of compromised networks or damaged brand names, and the Anti-Phishing Working Group (APWG), which aggregates and analyzes phishing trends data worldwide, offers some of the best insight from industry into what's occurring globally in terms of this cybercrime. The following list of frequently asked questions about phishing is derived from the APWG's April report that covers the period July-December 2012 worldwide.

Q: How many phishing attacks occurred in the second half of last year?

A: There were at least 123,486 unique phishing attacks worldwide. This is more than the 93,462 attacks that APWG observed in the first half of 2012. This is due to an increase in phishing attacks that leveraged shared virtual servers to compromise multiple domains at once.

Q: How many unique domain names were involved in the phishing attacks?

A: Due to the shared virtual server hacking, the attacks used 89,748 unique domain names -- up from the 64,204 domains used in the first half of 2012. In addition, 2,489 attacks were detected on 1,841 unique IP addresses, rather than on domain names, a trend that has remained steady for three years. None of these phishing attacks were reported on IPv6 addresses though.

Q: How many of these domain names were maliciously registered by phishing attackers versus the number of domains that represent hacked or compromised ones on vulnerable Web hosting?

A: Of the 89,748 unique domain names, the APWG identified 5,835 domain names that APWG believes were registered maliciously by phishers. This number is down significantly from 7,712 identified in the first half of 2012, a downward trend that's occurred since the count for maliciously registered domain names stood at 14,650 in the first half of 2011. The other 83,913 domains were almost all hacked or compromised on vulnerable Web hosting. The overall use of subdomain services for phishing fell from 14% to 8% of all attacks. Phishers continue to use "URL shortening" services to obfuscate phishing URLs but such use involved only 785 attacks in the second half of 2012. Over 65% of malicious shortened URLs used for phishing were found at a single provider, TinyURL.com.

Q: What top-level domains (TLDs) are the most popular for registration by phishers?

A: 82% of the malicious domain registrations were in just three TLDs: .COM, .TK (Thailand) and .INFO. PayPal is the most targeted brand, with 39% of all phishing attacks aimed at PayPal users. .COM contained 48% of the phishing domains in the APWG's data set, and 42% of the domains in the world. Thailand's .TH domain, which accounts for just over half of the world's malicious registrations made in the .TK registry, continues its high ranking as it has for several years, and it suffers from compromised government and university web servers, according to the APWG.

Q: What were the top registrars worldwide used by phishers to purchase domain names?

A: 21 registrars, several of them in China, accounted for 79% of the domains registered maliciously (a total of 2,991). These were Shanghai Yovole Networks; Chengdu West Dimension Digital Technology; Hang Zhou E-Business Services; Jiangsu Bangning Science; Internet.bs; Beijing Innovative; 1API; Bizcn.com; Directi/PDR; Hichina Zhicheng; Melbourne IT; Xin Net Technology Corp; Register.com; Name.com; Fast Domain; eNom Inc.; OVH; GoDaddy; Tucows; 1 and 1 Internet AG.

Q: What's being seen in the trend toward mass break-in techniques?

A: Instead of hacking sites one at a time, the phisher can infect dozens, hundreds or even thousands of websites at a time, depending on the server. In the second half of 2011, APWG identified 58,100 phishing attacks that used the mass break-in technique, representing 47% of all phishing attacks recorded worldwide at that time. In February 2012, attacks of this nature started up again, peaking in August 2012 with over 14,000 phishing attacks sitting on just 61 servers. Levels declined in late 2012 but are still high. These attacks, according to APWG, "turn compromised servers at hosting facilities into weapons" because hosting facilities contain large numbers of powerful servers with the type of network access that supports large amounts of traffic. This break-in tactic against virtual-server farms offers the attacker significantly more computing power and bandwidth than scattered home PCs.

Q: What more is evident about the link between shared hosting environments and phishing?

A: In late 2012 and into 2013, the APWG saw increasing use of tools targeting shared hosting environments, and particularly WordPress, cPanel and Joomla installations. For example, beginning in late 2012, criminals hacked into server farms to perpetrate extended DDoS attacks against American banks. In April 2013, there were brute-force attacks against WordPress installations at hosting providers in order to build a large botnet. Tens of thousands to hundreds of thousands of these shared servers have been cracked by such techniques. Access and use of these boxes is then metered out in the criminal underground for all sorts of activities, including DDoS, malware distribution, and phishing. It all highlights the vulnerability of hosting providers, the software they use and weak password management. Rod Rasmussen, president and CTO at Internet Identity and co-chair of the APWG's Internet Policy Committee, says unpatched open-source software is a popular target with attackers hitting the hosting providers that make the software available to their customers.

Q: How long do live phishing attacks typically last these days?

A: The average "uptime" as of the last half of 2012 was 26 hours and 13 minutes. The median uptime was 10 hours and 19 minutes -- said to be almost twice the historically low uptime of five hours and 45 minutes achieved in the first half of 2012. According to the APWG, the longer a phishing attack remains active, the more money the victims and target institutions lose. The first day of a phishing attack is believed to be the most lucrative for the phisher. The virtual-server-related attacks tended to be mitigated more efficiently if only because they prompted many complaints to the hosting providers that were impacted.

Q: The APWG points out that malicious domain registrations remained under 10% of all phishing domains for the last three quarters of 2012. Any idea why?

A: Some factors may be contributing to the trend -- reputation services are blocking domains and subdomains quickly, registrars and registries are more responsive to malicious registrations and have better fraud controls, and phishers may be relying more on automated scripts to exploit large numbers of Web servers using known vulnerabilities.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: emessmer@nww.com.
