Latest news of the domain name industry

Recent Posts

Only 2% of phishing attacks use cybersquatted domain names

Kevin Murphy, October 25, 2012, Domain Registries

The number of cybersquatted domain names being used for phishing is falling sharply and currently stands at just 2% of attacks, according to the Anti-Phishing Working Group.

The APWG’s first-half 2012 report (pdf) identified 64,204 phishing domains in total.

Of those, the group believes that only 7,712 (12%) were actually registered by the phishers themselves. The rest belonged to innocent third parties and had been compromised.

That’s a steep drop from 12,895 domains in the second half of 2011 and 14,650 in the first half of 2011.

Of the 7,712 phisher-owned domains, about 66% were being use to phish Chinese targets, according to the APWG.

The group’s research found only 1,350 that contained a brand name or a misspelling of a brand name.

That’s down from 2,232 domains in the second-half of 2011, representing just 2% of all phishing domains and 17% of phisher-owned domains.

The report states:

Most maliciously registered domain strings offered nothing to confuse a potential victim. Placing brand names or variations thereof in the domain name itself is not a favored tactic, since brand owners are proactively scanning Internet zone files for such names.

As we have observed in the past, the domain name itself usually does not matter to phishers, and a domain name of any meaning, or no meaning at all, in any TLD, will usually do.

Instead, phishers almost always place brand names in subdomains or subdirectories. This puts the misleading string somewhere in the URL, where potential victims may see it and be fooled. Internet users are rarely knowledgeable enough to be able to pick out the “base” or true domain name being used in a URL.

Taken as a percentage of attacks, brand-jacking is clearly a pretty low-occurrence offence, according to the APWG’s numbers.

In absolute numbers, it works out to about 7.5 domain names per day that are being use to phish and contain a variation of the brand name being targeted.

Unsurprisingly, the APWG found that Freedom Registry’s .tk — which offers free registration — is the TLD being abused most often to register domains for phishing attacks.

More than half of the phisher-owned domains were in .tk, according to the report.

Will new gTLDs really increase phishing?

Kevin Murphy, December 17, 2011, Domain Policy

The US Federal Trade Commission has come out swinging against ICANN’s new generic top-level domains program, saying it will increase online fraud and should be scaled back.

In an open letter to ICANN’s top brass yesterday, the FTC’s four commissioners claimed that “the dramatic introduction of new gTLDs poses significant risks to consumers”.

Saying that more gTLDs will make it easier for scammers to acquire domain names confusingly similar to existing brands, the commissioners said the program should be rolled out as a limited pilot.

The FTC commissioners wrote (pdf):

A rapid, exponential expansion of gTLDs has the potential to magnify both the abuse of the domain name system and the corresponding challenges we encounter in tracking down Internet fraudsters. In particular, the proliferation of existing scams, such as phishing, is likely to become a serious challenge given the infinite opportunities that scam artists will now have at their fingertips. Fraudsters will be able to register misspellings of businesses, including financial institutions, in each of the new gTLDs, create copycat websites, and obtain sensitive consumer data with relative ease before shutting down the site and launching a new one.

The letter demands better Whois accuracy enforcement, better ICANN compliance programs, and a cap on approved new gTLDs in the first round perhaps as low as a couple dozen.

The FTC’s claims that new gTLDs will increase phishing may not be supported by reality, however.

The latest data (pdf) from the Anti-Phishing Working Group shows that in the first half of the year only 18% of domain names used in phishing attacks were registered by the attacker.

That was down from 28% in the second half of 2010. Phishers are much more likely to compromise a domain belonging to somebody else – by hacking a web server, for example.

Of the 14,650 maliciously registered domains 10,444 (70%) were used to phish Chinese targets, “overwhelmingly” the e-commerce site Taobao.com, the APWG found.

Furthermore, only 2% of these domains – just 1,816 over six months – were judged to have been registered due to their confusing similarity with the brands they target.

The APWG said (emphasis in the original):

These are the lowest numbers we have observed in the last past four years, and show that using domain names containing brand strings has fallen further out of favor among phishers.

the domain name itself usually does not matter to phishers, and a domain name of any meaning, or no meaning at all, in any TLD, will usually do. Instead, phishers almost always place brand names in subdomains or subdirectories

The APWG found only one gTLD that ICANN has introduced – .info, with 4.5% – in its top ten phishing TLDs. The .com space accounts for 48.9% of all phishing domains.

Will the increase in the number of gTLDs reverse these trends? The FTC seems to think so, but the claims in its letter appear to be based largely on guesswork and fear rather than data.

I suspect that the FTC’s letter is more concerned with ICANN’s ongoing bilateral talks with registrars over law enforcement-demanded amendments to the Registrar Accreditation Agreement.

These talks are completely separate and distinct from the new gTLDs program policies, but in the last few weeks we’ve seen them being repeatedly conflated by US lawmakers, and now the FTC.

This may be ignorance, but it could just as well be an attempt to apply political pressure on ICANN to make sure the RAA talks produce the results law enforcement agencies want to see.

ICANN does not want to be forced into an embarrassing retreat on its hard-fought gTLD expansion. By producing a strong RAA, it could deflect some of the concerns about the program.

  • Page 2 of 2
  • <
  • 1
  • 2