NormShield Blog

Keynotes APWG Global Phishing Survey 2015-2016 – Attack Motivation


Keynotes, Phishing;

  • Attacks on sites where money is handled or moves in commerce are typically designed to defraud the victim directly.
  • Attacks on social networks and e-mail systems are usually attempts to harvest credentials for further use.
  • There are continued attacks on ISPs and other Internet service companies, aimed at obtaining Internet resources (hosting, domains, accounts) from which to launch further attacks.
  • There are also interesting attacks on file transfer and storage services, which may well be tied to attempted data breaches.

Keynotes, phishing attacks

Phishers go after a wide range of targets for several reasons:

  • To steal credit card data; hitting targets that have not been phished before also catches consumers who have been lulled into a false sense of security.
  • The phishers can also monetize stolen data through reshipping fraud.
  • Phishers steal usernames and passwords from one site in order to try those credentials on other sites, since many consumers re-use usernames and passwords.

If a site is getting phished for the first time, it may have been targeted by a more sophisticated phisher, who had the skill to design a new phishing template.

Keynotes; Prevalence of Phishing by Top-Level Domain (TLD)

Most phishing continues to be concentrated in just a few namespaces, with some TLDs having much more prevalent problems than others. The domain name space can be divided into four categories:

  • The .COM and .NET registries, operated by Verisign, represented 43% of the domains in the world.
  • Country-code domains (ccTLDs) represented another 43%.
  • The legacy generic TLDs introduced before 2013 represented 6% (the other "legacy" gTLDs are .AERO, .ASIA, .BIZ, .CAT, .COOP, .INFO, .JOBS, .MOBI, .MUSEUM, .NAME, .ORG, .PRO, .POST, .TRAVEL, .TEL, and .XXX).
  • The new gTLDs (nTLDs) introduced from 2014 to the present were the remaining 8%.


56% of the phishing domains were in .COM and .NET, well above their 43% share of all registered domains. This happened for two reasons:

  1. There are many .COM web sites to hack and place phish on, and phishers also register large numbers of .COM domains themselves.
  2. Phishers register smaller numbers of ccTLD domains, possibly because ccTLD domains generally tend to be more expensive than gTLD domains.
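The comparison above (phishing share of a sector versus that sector's share of the whole namespace) is easy to reproduce over your own phishing feed. The script below is an added example, not code from the NormShield post or the APWG report: it extracts the TLD from each URL, maps it onto the four sectors defined above, and divides each sector's phishing share by the namespace shares quoted in the post (43/43/6/8). The URL list is constructed for illustration, and the sector mapping makes a simplifying assumption (every two-letter TLD is a ccTLD, every other TLD not on the legacy list is a new gTLD); a production pipeline would consult the IANA root zone database instead.

```python
"""Classify phishing URLs into the four TLD sectors used in the APWG survey
and compute each sector's over-representation relative to its namespace share.

Added example; the URL list is constructed, not taken from any report.
"""
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# Legacy gTLDs introduced before 2013, as listed in the post (.COM/.NET kept separate).
LEGACY_GTLDS = {
    "aero", "asia", "biz", "cat", "coop", "info", "jobs", "mobi", "museum",
    "name", "org", "pro", "post", "travel", "tel", "xxx",
}

# Share of all registered domains per sector (percent), as quoted in the post.
NAMESPACE_SHARE = {"com/net": 43.0, "cctld": 43.0, "legacy": 6.0, "ntld": 8.0}

# Constructed sample feed: 14 .com/.net, 6 ccTLD, 1 legacy gTLD, 4 nTLD, 1 IP literal.
SAMPLE_URLS = [
    "http://account-verify-login.com/secure", "https://mailbox-update.net/",
    "http://support-billing.com/invoice.html", "https://www.secure-id-check.com/",
    "http://reset-your-password.net/r", "https://online-wallet-confirm.com/",
    "http://delivery-notice-tracking.com/track", "https://webmail-quota.net/login",
    "http://docs-share-view.com/d/1", "https://cardholder-services-online.com/",
    "http://parcel-redelivery.net/", "https://my-account-settings.com/auth",
    "http://storage-drive-files.com/open", "https://signin-portal-verify.net/",
    "https://bank-secure.co.uk:8443/auth", "http://konto-verifizierung.de/",
    "https://login-update.ru/", "http://mail-login.com.br/",
    "https://secure-pay.fr/", "http://account-notice.in/",
    "https://helpdesk-reset.info/",
    "http://account-security.xyz/", "https://verify-payment.top/",
    "http://webmail-access.online/", "https://login-secure.club/",
    "http://192.0.2.10/login",  # IP-literal host: has no TLD, is skipped
]


def tld_of(url: str) -> Optional[str]:
    """Return the lowercase TLD of the URL's host, or None for IP literals / no host."""
    if "://" not in url:
        url = "http://" + url            # urlsplit only finds a host after a scheme
    host = urlsplit(url).hostname        # lowercased, port and userinfo stripped
    if not host:
        return None
    host = host.rstrip(".")
    label = host.rsplit(".", 1)[-1]
    if ":" in host or label.isdigit():   # IPv6 or IPv4 literal
        return None
    return label


def sector_of(tld: str) -> str:
    """Map a TLD to one of the four survey sectors.

    Assumption: any two-letter alphabetic TLD is a ccTLD, and any TLD that is
    neither .com/.net, a ccTLD, nor on the legacy list is a new gTLD.
    """
    if tld in ("com", "net"):
        return "com/net"
    if len(tld) == 2 and tld.isalpha():
        return "cctld"
    if tld in LEGACY_GTLDS:
        return "legacy"
    return "ntld"


def sector_counts(urls) -> Counter:
    """Count phishing URLs per sector, ignoring URLs without a TLD."""
    counts = Counter()
    for url in urls:
        tld = tld_of(url)
        if tld is not None:
            counts[sector_of(tld)] += 1
    return counts


def over_representation(counts) -> dict:
    """Phishing share of each sector divided by its namespace share.

    A ratio above 1 means the sector hosts more phishing than its size alone
    would predict (the post's 56% vs 43% for .COM/.NET gives about 1.3).
    """
    total = sum(counts.values())
    ratios = {}
    for sector, namespace_pct in NAMESPACE_SHARE.items():
        phish_pct = 100.0 * counts.get(sector, 0) / total if total else 0.0
        ratios[sector] = round(phish_pct / namespace_pct, 2)
    return ratios


if __name__ == "__main__":
    counts = sector_counts(SAMPLE_URLS)
    for sector, ratio in over_representation(counts).items():
        print(f"{sector:8s} phish={counts.get(sector, 0):3d}  over-representation={ratio}")
```

On the constructed feed the new gTLDs come out at 2.0 and .COM/.NET at 1.3, the same direction the survey reports: the sectors that are cheapest to register in, or largest to compromise in, carry more than their share of phishing.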

On the other hand, the new gTLDs have often been priced more cheaply than any other sector. Looking at the numbers for the past five years, we can see how the new gTLDs have recently contributed more phishing domains, while the legacy gTLDs contributed fewer:

[Chart: phishing domains by TLD sector over the past five years]

Keynotes; The new Top-Level Domains

Most new gTLDs (nTLDs) have now been out on the market for more than two years. Our observations are:

  • Phishing in the new top-level domains (nTLDs) is rising, but is not yet as pervasive as it is in the domain space as a whole.
  • By the end of 2016, almost half of the nTLDs that were available for open registration had phishing in them.
  • The nTLDs are also a place where phishers are purchasing domain names for themselves.

The number of nTLDs that contain phishing is rising steadily:

[Chart: number of nTLDs that contain phishing]

Of the 6,549 domains used for phishing in the 228 nTLDs, 86% (5,633) were registered maliciously. 71% of those malicious registrations were found in just ten nTLDs:

[Chart: the ten nTLDs with the most maliciously registered phishing domains]

The TLD market is now more crowded and competitive than at any time in history, and some nTLD registries have been competing aggressively on price. Low prices, combined with sometimes lax registration practices, are allowing nTLD domains to be used abusively. In April 2017, SURBL alone listed one million new gTLD domains on its spam/phishing/malware blocklist.