A new phishing survey released by the Anti-Phishing Working Group (APWG) reveals that while the uptime of phishing websites dropped during the first half of 2012, cybercriminals were driving substantial increases in the numbers of phishing websites they established to steal from consumers.

Meanwhile, cybercriminals are increasingly using hacked web servers of existing, legitimate websites to host phishing websites, pointing up the need for website owners and hosting services need to be on guard.

APWG found that average uptimes of phishing attacks dropped to a record low of 23 hours and 10 minutes in 1H2012, about half of what it was in late 2011, and by far the lowest since the report series was inaugurated in January 2008.

The uptimes of phishing attacks are a vital measure of how damaging they are, and are a measure of the success of mitigation efforts. The longer a phishing attack remains active, the more money the victims and target institutions lose.

However, the study’s authors also found that there were more phishing attacks in the period – at least 93,462, up 12 percent from 2H2011.

"Phishers seem to be concentrating their efforts on compromising legitimate websites using automated attack tools, or purchasing access to them on the burgeoning underground market," said Rod Rasmussen, CTO of Internet Identity and co-author of the report. "This allows them to leverage the good reputation of a website's domain name, making it harder to block in either spam filters or via suspension, and makes takedown of that domain impractical."

The report highlights a major increase in the use of tactic that allows a criminal phisher to create hundreds of phish at once.

“Some of the increased phishing activity is due to an especially virulent method that some phishers have been using more often,” said Greg Aaron of Afilias, the study’s other co-author. "Instead of hacking websites one at a time, phishers are breaking into shared hosting -- web servers that host large numbers of domains. This way, a phisher can infect dozens, hundreds, or even thousands of websites at one time."

Other major findings of the report include:

• Phishers registered more subdomains than regular domain names. The number of domain names registered by phishers dropped by almost half since early 2011.
• The number of targeted institutions has dropped; phishers continue to target larger or more popular targets.
• Only about 2 percent of all domain names that were used for phishing contained a brand name or variation thereof.
• Phishers attacking Chinese institutions are an exception – they prefer to register domain names rather than hacking into servers. Phishers attacking Chinese institutions were responsible for two-thirds of all malicious domain name registrations made in the world. These phishers use both Chinese and non-Chinese domain registrars.
• Domain name owners in South America had their web servers compromised by phishers in growing numbers.