Phishing Attackers Use Subdomain Registration Services

Online criminals doubled their use of unregulated subdomain registration services in the second half of 2010, according to a report by the Anti-Phishing Working Group.

Online criminals are increasingly using subdomain registration services to register the fake websites used to launch phishing attacks. Subdomain services are typically unregulated and focus on high-volume, low-cost transactions, meaning that they provide excellent cover for attackers.

That's a key finding of a report released Tuesday by the Anti-Phishing Working Group (APWG) that focuses on phishing trends for the second half of 2010.

"Over the past few years, we have documented many examples of e-criminals finding and heavily exploiting particular DNS-related service providers who were ill-prepared for the onslaught of abuse," said report co-author Rod Rasmussen, CTO of technology and services firm Internet Identity, in a statement. "Subdomain providers are a particularly tempting target, as they provide full DNS services with no oversight and low-to-no cost services."

All told, in the second half of 2010, subdomain services hosted nearly 11,768 phishing websites, a 42% increase from the first half of the year. Interestingly, 40% of attacks launched via subdomain services used the CO.CC domain, based in Korea.

According to the APWG report, "phishers are probably attracted to because registrations are free, easy to sign up for, come with DNS service, and there are features to assist with bulk signups." The report also said that while the domain administrators typically respond quickly to any reports of abuse, " supports more than 9,400,000 subdomains in more than 5,000,000 user accounts," which could make policing the influx of phishers difficult.

"Few such services take enough proactive measures to keep criminals from abusing their products in the first place," said report co-author Greg Aaron, director of key account management and domain security at Internet infrastructure services provider Afilias, in a statement.

But domain registrars that actively target phishers can help eliminate their threat. For example, according to the report,, a Russian provider of free email, "almost completely eliminated phishing on its service," reducing the number of attacks launched via its site from 189 in the first half of 2010 to just 14 in the second half of the year.

The growing use of subdomain registration services means that attackers now register roughly as many phishing websites through subdomain services as they do through ordinary domain registrations. Interestingly, the majority of phishing attacks are launched from a rather small subset of domains. For top-level domains, 60% of attacks originate from .com, .cc, .net, and .org domains. Meanwhile, 89% of subdomain attacks are launched from the .com, .tk, .net, and .info domains.

Compared with past years, attackers today are more likely to register the malicious sites used in their attacks, especially when targeting Chinese brands, which are seeing increasing attack volumes. "Of the 42,624 phishing domains, we identified 11,769 (28%) that we believe were registered maliciously, by the phishers," said the report. "Of those, 6,382 were registered to phish Chinese targets. The other 30,855 domains were hacked or compromised on vulnerable Web hosting."

But there's good news from the report, in that the overall number of phishing attacks appears to be declining. In the second half of 2010, for example, the APWG saw 67,677 attacks--meaning "a phishing site targeting a specific brand or entity"--which was up from 48,244 in the first half of 2010. But that's still down from the 126,697 attacks seen in the second half of 2009. According to the report, "the decrease in attacks was due to reduced activity by the Avalanche phishing gang," which at its peak was the Internet's single most prolific phishing gang.
