New research from the Anti-Phishing Working Group (APWG) has found that up to 81% of domain names used for phishing are legitimate domains that have been hacked. More specifically, out of the 30,454 phishing domains under observation, only 5,591 domain names (18.5%) were registered by phishers according to APWG. The remaining small percentage of the domains used in phishing belonged to subdomain resellers such as ISPs and other web-based services.
"Phishing most often takes place on compromised Web servers, where the phishers place their phishing pages unbeknownst to the site operators," says APWG. "This method gains the phishers free hosting, and complicates take-down efforts because suspending a domain name or hosting account also disables the resolution of the legitimate user's site. Phishing on a compromised Web site typically takes place on a subdomain or in a subdirectory, where the phish is not easily noticed by the site's operator or visitors."
Major findings include:
1. Phishers are increasingly using subdomain services to host and manage their phishing sites. This trend shows phishers migrating to services that cannot be taken down by registrars or registry operators, thereby frustrating some takedowns and extending the uptimes of attacks.
2. Phishers continue to target specific TLDs and specific domain name registrars, and shift their preferences over time.
3. The amount of Internet names and numbers used for phishing has remained fairly steady over the past two years.
4. Anti-phishing programs implemented by domain name registries can have a remarkable effect on the up-times (durations) of phishing attacks.
5. There are decreases in phishing on IP addresses and the use of brand names in domain names to fool users. Phishers are not using IDNs (Internationalized Domain Names).
To download the full report from APWG click here (PDF).