Findings of the latest Global Phishing Survey

The new Global Phishing Survey released by the Anti-Phishing Working Group (APWG) this month reveals that phishing gangs are concentrating their efforts within specific top level domains (TLDs), but also that anti-phishing policies and mitigation programs by domain name registrars and registries can have a significant and positive effect.

For this new study, covering the first half of 2008, Rod Rasmussen of Internet Identity and Greg Aaron of Afilias surveyed 47,324 unique phishing attacks located on 26,678 unique domain names.

The number of TLDs abused by phishers for their attacks expanded 7 percent from 145 in H2/2007 to 155 in H1/2008. The proportion of Internet-protocol (IP) number-based phishing sites decreased 35 percent in that same period, declining from 18 percent in the second half of 2007 to 13 percent in the first half of 2008.

The report finds some correlations between registry policies and the prevalence and duration of phishing activity in their TLDs. The APWG researchers’ analysis of phishing site uptime and other metrics showed that anti-phishing policies can help reduce phishing activity. Specifically, the .CN, .INFO, and .BIZ TLDs, whose managers have implemented counter-phishing programs, had phishing site uptimes notably below the industry average.

The authors track the improvement in reduction of phishing activity at the .INFO TLD specifically to an anti-phishing program established in January 2008. More dramatically, the investigators found that after anti-phishing measures went into place in March 2008 at the .HK registry, “the number of phishing domains in .HK quickly went from more than 1,000 per month to virtually nothing.”

The survey also identified 4,512 subdomain sites/accounts used for phishing under 274 unique second-level domains. These were established on “subdomain registration services” in which customers set up a subdomain under a secondary level domain owned by the service provider (e.g. ..TLD).

To determine the intensity or pervasiveness of phishing activities in a TLD relative to others, the authors established two metrics. The first compares the number of established phishing domains to the total number of registered domain names in that TLD.

The other, Phishing Attacks per 10,000, helps indicate which TLDs are predominantly used by phishers who employ subdomain services, or place multiple phish sites on a single domain. The top twelve TLDs in this statistical category ran from .HK (Hong Kong) with 142.1 phishing attacks per 10,000 domains to .BE (Belgium) with 8.7. The authors found that .SU (Soviet Union), .RU (Russia), and .FR (France) received high Attack Scores because phishers launched large numbers of attacks in these TLDs via subdomain hosting services.