Phishing Attackers Use Subdomain Registration Services

Online criminals sharply increased their use of unregulated subdomain registration services in the second half of 2010, according to a report by the Anti-Phishing Working Group.

Online criminals are increasingly using subdomain registration services to host the fake websites behind phishing attacks. These services are typically unregulated and built around high-volume, low-cost (often free) signups, which makes them convenient cover for attackers: a phisher gets a working hostname with DNS service and little or no identity check.

That's a key finding of a report released Tuesday by the Anti-Phishing Working Group (APWG) that focuses on phishing trends for the second half of 2010.

"Over the past few years, we have documented many examples of e-criminals finding and heavily exploiting particular DNS-related service providers who were ill-prepared for the onslaught of abuse," said report co-author Rod Rasmussen, CTO of technology and services firm Internet Identity, in a statement. "Subdomain providers are a particularly tempting target, as they provide full DNS services with no oversight and low-to-no cost services."

All told, in the second half of 2010, subdomain services hosted 11,768 phishing websites, a 42% increase from the first half of the year. Notably, 40% of the attacks launched via subdomain services used CO.CC, a Korea-based service.

According to the APWG report, "phishers are probably attracted to [CO.CC] because registrations are free, easy to sign up for, come with DNS service, and there are features to assist with bulk signups." The report also said that while the domain's administrators typically respond quickly to abuse reports, "[CO.CC] supports more than 9,400,000 subdomains in more than 5,000,000 user accounts," which could make policing the influx of phishers difficult.

"Few such services take enough proactive measures to keep criminals from abusing their products in the first place," said report co-author Greg Aaron, director of key account management and domain security at Internet infrastructure services provider Afilias, in a statement.

But providers that actively go after phishers can largely eliminate the threat. For example, according to the report, a Russian provider of free email "almost completely eliminated phishing on its service," reducing the number of attacks launched via its site from 189 in the first half of 2010 to just 14 in the second half of the year.

With subdomain services growing, attackers now host roughly as many phishing sites on subdomains of these services as on domains they register or compromise directly. In both cases a small set of top-level domains accounts for most attacks. For registered domains, 60% of attacks originated from .com, .cc, .net, and .org. For attacks launched from subdomain services, the report attributes 89% to the .com, .tk, .net, and .info top-level domains.
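The split the report draws, between sites on a free subdomain service and sites on a domain the phisher registered or compromised, comes down to deciding where in a hostname the "registrable" boundary sits. The following Python script is an added example, not code from the article or from the APWG, showing one way to do that classification and tally the result by top-level domain. The suffix lists are constructed for the example (CO.CC is the only subdomain service assumed, because it is the one the article names), and the URLs are constructed, not real phishing sites; a real implementation would load the ICANN and PRIVATE sections of the Public Suffix List instead of the two small sets here.

```python
"""Classify phishing URLs by hosting type: registered domain vs. subdomain service.

Added example, not from the article or the APWG report. It reproduces the kind of
breakdown the report describes: how many phishing hosts sit under a free subdomain
service versus a domain the phisher registered or compromised, and which TLDs they
fall under.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed suffix lists for the example. A real implementation should load the
# ICANN and PRIVATE sections of the Public Suffix List (https://publicsuffix.org/);
# free subdomain providers are listed in the PRIVATE section.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "cc", "tk"}
SUBDOMAIN_SERVICES = {"co.cc"}  # named in the article; assumed to be the only service here

# Constructed sample feed (not real phishing URLs).
SAMPLE_URLS = [
    "http://secure-update.examplebank.co.cc/account",
    "http://verify-account.co.cc/",
    "https://examplebank-login.com/signin",
    "http://www.example-store.net/wp-content/uploads/phish/",
    "http://mail-update.example.info/",
    "http://examplebank.tk/",
    "http://192.0.2.10/login",
    "http://co.cc/",
]


def classify(url):
    """Return a dict describing where the URL's host sits in the DNS hierarchy.

    kind is one of: subdomain_service, registered_domain, service_apex,
    unknown_suffix, ip_or_invalid.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    result = {"host": host, "kind": None, "tld": None, "registrable": None, "service": None}
    if not host or ":" in host or host.replace(".", "").isdigit():
        result["kind"] = "ip_or_invalid"  # IPv6 or IPv4 literal, or no host at all
        return result
    labels = host.split(".")
    result["tld"] = labels[-1]
    if host in SUBDOMAIN_SERVICES:
        result["kind"] = "service_apex"  # the provider's own name, not a customer site
        return result
    # Walk from the longest suffix to the shortest so that "co.cc" wins over "cc".
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in SUBDOMAIN_SERVICES:
            result.update(kind="subdomain_service", service=suffix,
                          registrable=".".join(labels[i - 1:]))
            return result
        if suffix in PUBLIC_SUFFIXES:
            result.update(kind="registered_domain",
                          registrable=".".join(labels[i - 1:]))
            return result
    result["kind"] = "unknown_suffix"  # suffix in neither list; the full PSL is needed
    return result


def tally(urls):
    """Count hosts per kind, and per TLD within each kind, as the report breaks them down."""
    by_kind = Counter()
    by_tld = {"registered_domain": Counter(), "subdomain_service": Counter()}
    for url in urls:
        c = classify(url)
        by_kind[c["kind"]] += 1
        if c["kind"] in by_tld:
            by_tld[c["kind"]][c["tld"]] += 1
    return {"by_kind": dict(by_kind), "by_tld": {k: dict(v) for k, v in by_tld.items()}}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify(u))
    print(tally(SAMPLE_URLS))
```

The longest-suffix-first walk is the part that matters: checking "cc" before "co.cc" would file every CO.CC customer site as a registered .cc domain, which is exactly the distinction the report is trying to draw. Hosts whose suffix is in neither list are reported as unknown rather than guessed, since a wrong boundary silently miscounts the service.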

Compared with past years, attackers today are more likely to register the domains used in their attacks rather than compromise existing sites, especially when targeting Chinese websites, which are seeing increasing volumes of attacks. "Of the 42,624 phishing domains, we identified 11,769 (28%) that we believe were registered maliciously, by the phishers," said the report. "Of those, 6,382 were registered to phish Chinese targets. The other 30,855 domains were hacked or compromised on vulnerable Web hosting."

There is also good news in the report: the overall number of phishing attacks is down from a year earlier, even though it rose within 2010. In the second half of 2010 the APWG counted 67,677 attacks (an attack being "a phishing site targeting a specific brand or entity"), up from 48,244 in the first half of 2010 but still well below the 126,697 attacks seen in the second half of 2009. According to the report, "the decrease in attacks was due to reduced activity by the Avalanche phishing gang," which at its peak was the Internet's single most prolific phishing gang.
