The Anti-Phishing Working Group (APWG)'s Global Phishing Survey: Farsight's Take On A Terrific Report



I. Introduction

While malware, distributed denial-of-service (DDoS) attacks, and spam often grab the cybersecurity spotlight, phishing continues to be a major problem for Internet users. One of the best data-driven, boots-on-the-ground summary reports about phishing is the one periodically issued by the Anti-Phishing Working Group ("APWG"). We strongly believe in the APWG's work, and we're proud to be a corporate member of that organization, just as we're also a supporting member of M3AAWG, the Messaging, Malware and Mobile Anti-Abuse Working Group.

APWG's most recent report, "Global Phishing Survey: Trends and Domain Name Use in 2016", is full of excellent insights and well worth a read, particularly if you're deeply interested in domain names as we are.

We're just going to mention a few of the findings from that report that we found particularly interesting, in the hope that we can whet your appetite to read the whole report.

II. Rise In Maliciously-Registered Domains Used For Phishing

Cybercriminals focused on perpetrating phishing attacks typically need to have web pages hosted on some site. Historically, this may have included compromised hosts that were repurposed to support phishing pages, or domains registered and controlled by the phishers specifically for phishing-related purposes.

The APWG's new report explains that of 195,475 unique domain names used for phishing, 95,424 (~49%) were maliciously registered by phishers, while the other 100,051 (~51%) were hosted on already existing domains associated with hacked/compromised servers. Other findings include:

  • Three quarters of the malicious domains were reportedly registered in one of just four top level domains (TLDs): dot com, dot cc, dot pw and dot tk.

  • Over 90% of all maliciously registered domains were in just 14 TLDs – check the report to see the other ten.

Seeing dot com among the most popular phishing TLDs is not surprising, given the high number of total domains it contains. Other heavily-hit TLDs seem to share one common characteristic: domains in them are free, or at least very cheap, from at least some registrars.

  • New gTLDs were also seen in use by phishers according to the report. One new gTLD in particular was heavily abused. If you think you know which one that might be, check the APWG report to see if you were right!

III. "Domain Aging"

We were also very intrigued by a section of this APWG report entitled "Domain Aging." We quote:

	It has been conventional wisdom that phishers use their 
	domains soon after they register them. The theory has 
	been that phishers want to attack on these domains 
	quickly, because the domains might be recognized for 
	what they are, or the associated credit card purchases 
	might be flagged as suspicious (especially if the card
	numbers are stolen). But our data shows that some phishers 
	are aging the domains they register, sometimes waiting 
	weeks or months before using them. This may make sense 
	because recently registered domains receive low 
	reputation scores from security and anti-spam companies. 

	Less than 10% of maliciously registered domains were used 
	for attacks on the same day they were registered 

Some readers may know that Farsight Security offers a Newly Observed Domains (NOD) feed containing domains that were used for the first time on the Internet, and a second, related data feed of domains that already exist but haven't been used for at least ten days (this second feed is known as Newly Active Domains).

NOD is a special-purpose solution that targets the unwanted traffic that conventional blocklists might miss, such as the "Maliciously registered domains that were used for attacks on the same day they were registered," to use the phrase from the APWG report. NOD also provides visibility into domains when they are first utilized, regardless of when they were registered, unless they were previously seen in a zone file (not all TLDs offer Zone File Access programs). The APWG report reinforces the role of Farsight's NOD feed, validating our assertion that there ARE some domains that get registered and then immediately exploited by bad guys.
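The two categories described above, and the registration-to-first-use gap behind "domain aging", can be modelled over a stream of DNS observations. This is an added example, not Farsight's code or feed format: the function names, record layout and sample domains are hypothetical, and zone-file pre-seeding is not modelled.

```python
from datetime import datetime, timedelta

# Threshold from the text: "haven't been used for at least ten days".
DORMANCY = timedelta(days=10)

# Constructed sample data (hypothetical layout): (timestamp, domain) observations.
OBSERVATIONS = [
    ("2016-03-01T09:00", "shop.example"),
    ("2016-03-02T10:00", "shop.example"),
    ("2016-03-05T08:30", "login-verify.example"),
    ("2016-03-20T14:00", "shop.example"),
    ("2016-04-18T07:15", "aged-lure.example"),
]
# Constructed registration dates, e.g. as taken from WHOIS/RDAP records.
REGISTERED = {
    "login-verify.example": "2016-03-05",
    "aged-lure.example": "2016-02-01",
}

def classify(observations, dormancy=DORMANCY):
    """Label each observation newly_observed, newly_active or known."""
    last_seen = {}
    labels = []
    for ts, domain in sorted(observations):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        prev = last_seen.get(domain)
        if prev is None:
            label = "newly_observed"      # first use ever seen
        elif when - prev >= dormancy:
            label = "newly_active"        # existed, but dormant >= 10 days
        else:
            label = "known"
        last_seen[domain] = when
        labels.append((domain, ts, label))
    return labels

def age_at_first_use(observations, registered):
    """Days between registration and first observed use, per domain."""
    ages = {}
    for ts, domain in sorted(observations):
        if domain in registered and domain not in ages:
            first = datetime.fromisoformat(ts).date()
            reg = datetime.fromisoformat(registered[domain]).date()
            ages[domain] = (first - reg).days
    return ages
```

An age of 0 corresponds to the same-day use the APWG quote mentions; a large age on a `newly_observed` domain is the aged case, which a first-use signal still surfaces even though a registration-date check would not.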

Security experts recommend having redundant, or "layered" defenses. When it comes to tackling phishing, Farsight offers Brand Sentry as an additional anti-phishing defense. Brand Sentry watches domains in real time and can alert when a company's name or marks show up in unexpected contexts, regardless of when those domains were registered.

IV. Registrars That Seem To Have a Disproportionate Number of Maliciously Registered Domains Used For Phishing

Another example of a fascinating finding is the report's identification of registrars who seem to have "more than their share" of maliciously registered domains used for phishing.

As noted on PDF page 19 of the report, over three quarters of identified registrars had zero maliciously-registered phishing domains. Those registrars are doing a great job of keeping phishers off their service.

Unfortunately, 24% of identified registrars DO have one or more maliciously registered phishing domains, and six of the top 10 most-abused registrars are located in China, primarily servicing Chinese customers (see the pie chart on PDF page 19 of the APWG report). Fortunately, anti-phishing work is increasing in China. Hopefully this will bring Chinese registrars more into line with worldwide registrar norms.

APWG also reported on a newly created metric that's rather clever. Given that phishing domains are nearly equally divided between maliciously registered domains and legitimate domains that have been hacked by phishers, the authors looked to see how closely each registrar's domains followed that distribution. The argument is that while there's little that registrars can do about legitimate domains getting compromised, they should at least be able to promptly take down maliciously registered domains when they are brought to their attention.

Unfortunately, a number of registrars have thousands of phishing domains, with virtually all of them consisting of maliciously registered domains (see the table on PDF page 20 in the APWG report).

V. The APWG's Report Is Rich With Additional Topics of Interest

In addition to the few areas already mentioned, the report has many other fascinating insights, including:

•   A discussion of "Domain Shadowing," whereby phishers 
    sneak additional records into an otherwise-legitimate 
    domain's DNS
•   Use of subdomain services for phishing
•   Use of Internationalized Domain Names (IDNs) for phishing
•   Use of URL shorteners for phishing

Truly, if you can find a little time, this is one report you really don't want to miss.

Joe St Sauver, Ph.D. is a Scientist with Farsight Security, Inc.