NormShield Blog

Keynotes APWG Global Phishing Survey 2015-2016 – Malicious and Compromised Domains

Keynotes Phishing

Keynotes Phishing; APWG did an analysis of how many domain names were registered by phishers vs. phish that appeared on compromised (hacked) domains. (Why? Because both of them present different mitigation options for responders, and offer insights into how phishers commit their crimes.) A domain is flagged as malicious, if the domain was reported for phishing;

  • within a very short time of being registered,
  • and/or contained a brand name or misleading string,
  • and/or was registered in a batch or in a pattern that indicated common ownership or intent.

Keynotes, malicious

75% of the malicious domain registrations were made in just four TLDs: .COM, .CC, .PW, and .TK. More than 90% of malicious domains were found in just 14 TLDs, the top four plus .INFO, .NET, .GA, .TOP, .CF, .ML, .CN, .GQ, and .VE.

Keynotes, phishing

Of the 95,424 malicious domain registrations, 52,385 (55%) were registered to phish Chinese targets—services and sites in China that serve a primarily Chinese customer base.

Chinese phishers have always preferred to register domains, relying upon hacked domains and compromised Web servers less often than phishers elsewhere.

In 2016, with about 83% of phishing attacks targeting Chinese brands being launched via maliciously registered domains. It appears that some non-Chinese phishing groups are also registering malicious domains in increasing numbers.

Keynotes Phishing; Domain Aging

Phishers use their domains soon after they register them. The theory : phishers want to attack on these domains quickly, because the domains might be recognized for what they are, or the associated credit card purchases might be flagged as suspicious (especially if the card numbers are stolen).

But their data shows that some phishers are aging the domains they register, sometimes waiting weeks or months before using them. This may make sense because recently registered domains receive low reputation scores from security and anti-spam companies. Less than 10% of maliciously registered domains were used for attacks on the same day they were registered.It takes nearly a week for the median maliciously registered domain to start hosting a phishing site. And a quarter of all domains registered for phishing are used only after two or more weeks have elapsed since registration.

Keynotes, malicious, domains

This also hints at how phishers are paying for their domain names… Either the domains are paid for with legitimate means, or they are not purchased with stolen cards (because the fraud might be caught within the days immediately after purchase), or any payment fraud that did take place was never caught. Phishers may also be using alternate payment forms that make payment fraud difficult to detect.

The Rise of Domain Shadowing for Phishing

“Domain Shadowing” is a hybrid attack in which a phisher compromises a legitimate domain name’s DNS control in order to set up new subdomains; the new subdomains then point to the phisher’s malicious content.

What one sees in the DNS looks like this:

  • www.legitdomain.tld → Real website
  • mail.legitdomain.tld → Real e-mail service
  • stringthebadguysetup.legitdomain.tld → phishing site
  • phishedbrand.legitdomain.tld → phishing site

This technique was used for at least 1% of all phishing attacks in 2016.

A domain shadowing attack is carried out in this way:

  1. The phisher phishes domain name owners pretending to be their registrar or getting their registrar access credentials via some other common means.
  2. Phisher logs into the domain owner’s registrar or DNS management account.
  3. Phisher adds new DNS “A” records, pointing various subdomains (hostnames) at IP addresses under the miscreant’s control. The phisher may set up MX (Mail eXchange) records as well to create new hostnames that can be used for e-mail.
  4. Phisher leaves any pre-defined addresses and DNS records alone, so no one is aware that the domain has been compromised. The main domain name continues to function normally.
  5. Phisher spams or induces victims to come to the new hostnames he has created.

Why go through this complicated exercise?

  • The main reason is to work under a “known” domain and take advantage of its good reputation.
  • A further benefit is that it is more difficult to shut down of these bogus hostnames — that requires the careful cooperation of the registrar and/or DNS operator in order to cull the bad hostnames and shut off back-door access without affecting the legitimate domain that has been compromised.

There are some hackers concentrate on specific registrars that have robust APIs and other tools for managing customers’ domains. This allows the phishers to gain control over lots of domains that they can then easily manipulate via those handy tools.