Phishing still on the decline, despite Whois privacy
The number of detected phishing attacks almost halved last year, despite the fact that new Whois privacy rules have made it cheaper for attackers to hide their identities.
There were 138,328 attacks in the fourth quarter of 2018, according to the Anti-Phishing Working Group, down from 151,014 in Q3, 233,040 in Q2, and 263,538 in Q1.
That’s a huge decline from the start of the year, which does not seem to have been slowed up by the introduction in May of the General Data Protection Regulation and ICANN’s Temp Spec, which together force the redaction of most personal data from public Whois records.
The findings could be used by privacy advocates to demonstrate that Whois redaction has not lead to an increase in cybercrime, as their opponents had predicted.
But the data may be slightly misleading.
APWG notes that it can only count the attacks it can find, and that phishers are becoming increasingly sophisticated in how they attempt to avoid detection. The group said in a press release:
There is growing concern that the decline may be due to under-detection. The detection and documentation of some phishing URLs has been complicated by phishers obfuscating phishing URLs with techniques such as Web-spider deflection schemes – and by employing multiple redirects in spam-based phishing campaigns, which take users (and automated detectors) from an email lure through multiple URLs on multiple domains before depositing the potential victim at the actual phishing site.
It also speculates that criminals once involved in phishing may have moved on to “more specialized and lucrative forms of e-crime”.
The Q4 report (pdf) also breaks down phishing attacks by TLD, though comparisons here are difficult because APWG doesn’t always release this data.
The group found .com to still have the most phishing domains — 2,098 of the 4,485 unique domains used in attacks, or about 47%. According to Verisign’s own data, .com only has 40% market share of total registered domains.
But new, 2012-round gTLDs had phishing levels below their market share — 4.95% of phishing on a 6.83% share. This is actually up compared to the 3% recorded by APWG in Q3 2017, the most recent available data I could find.
Only two of the top 20 most-abused TLDs were new gTLDs — .xyz and .online, which had just 70 attack domains between them. That’s good news for .xyz, which in its early days saw 10 times as much phishing abuse.
After .com, the most-abused TLD was .pw, the ccTLD for Palau run by Radix as an unrestricted pseudo-gTLD. It had 374 attack domains in Q4, APWG said.
Other ccTLDs with relatively high numbers included several African zones run as freebies by Freenom, as well as the United Kingdom’s .uk and Brazil’s .br.
Phishing is only one form of cybercrime, of course, and ICANN’s own data shows that when you take into account spam, new gTLDs are actually hugely over-represented.
According to ICANN’s inaugural Domain Abuse Activity Reporting report (pdf), which covers January, over half of cybercrime domains are in the new gTLDs.
That’s almost entirely due to spam. One in 10 of the threats ICANN analyzed were spam, as identified by the likes of SpamHaus and SURBL. DAAR does not include ccTLD data.
The takeaway here appears to be that spammers love new gTLDs, but phishers are far less keen.
ICANN did not break down which gTLDs were the biggest offenders, but it did say that 52% of threats found in new gTLDs were found in just 10 new gTLDs.
This reluctance to name and shame the worst offenders prompted one APWG director, former ICANN senior security technologist Dave Piscitello, to harshly criticize his former employer in a personal blog post last month.
If you find this post or this blog useful or interestjng, please support Domain Incite, the independent source of news, analysis and opinion for the domain name industry and ICANN community.
Note that while the report has a per-TLD division, it includes both domains registered to perform phishing and compromised websites. Registries and registrars would seldom take-down a domain containing a compromised website due to collateral damage. In previous reports APWG published the two numbers separately, and that would give a better figure of how the domain players respond.
Yeah, I really wish the APWG would make its mind up from quarter to quarter what data it publishes. Reading the tea leaves is a pain.
Dear Kevin:
I’m the editor of the APWG reports. Thanks for noticing the report. The article’s title points to a fallacy, and away from more important issues. The amount of WHOIS data that’s available is not a major determinant of how many domain names criminals use, how many criminals there are, or the methods they use. The real story is more about how ICANN’s handling of GDPR is making it unnecessarily harder to detect crime and to appreciate how many domains are being used. Detection and mitigation efforts are suffering, leading to an under-count of how bad things are. The big question is whether ICANN will now deliver a better solution under the law, which explicitly allows a balancing of interests.
The majority of phishing sites sit on compromised web sites, where the phisher has broken into someone’s hosting and put the phish on an innocent registrant’s site. What’s needed here is to contact the registrant and hosting provider and tell them they have a problem. But ICANN’s Temp Spec policy has made it harder to contact victim registrants. Phishers do register some domain names themselves for phishing, and the lack of WHOIS data makes it hard to find those. Criminals often do a poor job of faking WHOIS data. In any case, without WHOIS data the good guys can’t do correlation and find the bad guys’ additional domains. So time-to-mitigate is an important metric, and the lack of WHOIS data makes things worse, no matter whose domain name’s being used. Cheap domain name prices are probably a bigger driver of how many domains get registered, and where.
While phishing generally consumes a certain number of domains each year (on the order of hundreds of thousands), criminals consume many millions per year to advertise in spam, to lead people to malware, illegal pharma sites, phishing, and so on. Finding those huge batches of domains has gotten much harder too.
ICANN’s handling of GDPR has been unbalanced, and now we’re gaining an appreciation of how badly.
Regarding analyses of things like maliciously registered versus compromised domain — that takes time and money to do correctly. Industry would do well to fund the APWG’s efforts in areas like this; volunteerism only goes so far.
–Greg Aaron
Thanks for the feedback Greg.
Hello Greg, last time I reported a phisher and the domain name used on the page dedicated to this on the APWG website, absolutely nothing happened and I did not even receive an answer.
What’s supposed to happen when someone reports there: https://www.antiphishing.org/report-phishing/ ?
Hosting providers are the ones listed in IP address WHOIS records, not in domain registration WHOIS records. There is nothing GNSO can do to hurt or preserve IP address WHOIS, which is the realm of RIRs. Please move on data addiction, folks.
Sounds like a step in the right direction would be.
A database with IP addresses of content and hosting providers with correct info to contact them.
A variety of trusted reporters who can report in an automated manner to the hosting company.
Hosting providers can automate the received report and automatically place the malicious URL in the firewall.
The domain name keeps operating, but the abusive content is no longer reachable.
A notification to their customer to clean up the mess.
This sounds eminently reasonable. I’d love to have an authoritative list of hosting companies, too, as content complaints should be directed to them.
RIRs currently operate their WHOIS services in “Joint WHOIS” mode, meaning that asking any RIR WHOIS will point to the right information regardless of which WHOIS you enter the query into.
Try https://search.arin.net/rdap/?query=200.160.0.10 to see information for an address not managed by ARIN (the North American RIR).
I asked some sources in the security field, and they confirmed the decline in phishing numbers from their own statistics, adding that malware numbers declined as well.
There doesn’t seem to be a good grasp on why that happened and to what crimes perpetrators moved to, though.