03:22 PM

Phishing Attackers Use Subdomain Registration Services

Online criminals doubled their use of unregulated subdomain registration services in the second half of 2010, according to a report by the Anti-Phishing Working Group.

Online criminals are increasingly using subdomain registration services to register the fake websites used to launch phishing attacks. Subdomain services are typically unregulated and focus on high-volume, low-cost transactions, meaning that they provide excellent cover for attackers.

That's a key finding of a report released Tuesday by the Anti-Phishing Working Group (APWG) that focuses on phishing trends for the second half of 2010.

"Over the past few years, we have documented many examples of e-criminals finding and heavily exploiting particular DNS-related service providers who were ill-prepared for the onslaught of abuse," said report co-author Rod Rasmussen, CTO of technology and services firm Internet Identity, in a statement. "Subdomain providers are a particularly tempting target, as they provide full DNS services with no oversight and low-to-no cost services."

All told, in the second half of 2010, subdomain services hosted nearly 11,768 phishing websites, a 42% increase from the first half of the year. Interestingly, 40% of attacks launched via subdomain services used the CO.CC domain, based in Korea.

According to the APWG report, "phishers are probably attracted to because registrations are free, easy to sign up for, come with DNS service, and there are features to assist with bulk signups." The report also said that while the domain administrators typically respond quickly to any reports of abuse, " supports more than 9,400,000 subdomains in more than 5,000,000 user accounts," which could make policing the influx of phishers difficult.

"Few such services take enough proactive measures to keep criminals from abusing their products in the first place," said report co-author Greg Aaron, director of key account management and domain security at Internet infrastructure services provider Afilias, in a statement.

But domain registrars that actively target phishers can help eliminate their threat. For example, according to the report,, a Russian provider of free email, "almost completely eliminated phishing on its service," reducing the number of attacks launched via its site from 189 in the first half of 2010 to just 14 in the second half of the year.

The growing use of subdomain registration services means that attackers currently register roughly an equal number of phishing websites via subdomains as top-level domains. Interestingly, the majority of phishing attacks are launched using a rather small subset of domains. For top-level domains, 60% of attacks originate from .com, .cc., .net, and .org domains. Meanwhile, 89% of subdomain attacks are launched from the .com, .tk, .net, and .info domains.

Compared with past years, attackers today are more likely to register the malicious sites used in their attacks, and especially if they're attacking Chinese websites, which are seeing increasing volumes of attacks. "Of the 42,624 phishing domains, we identified 11,769 (28%) that we believe were registered maliciously, by the phishers," said the report. "Of those, 6,382 were registered to phish Chinese targets. The other 30,855 domains were hacked or compromised on vulnerable Web hosting."

But there's good news from the report, in that the overall number of phishing attacks appears to be declining. In the second half of 2010, for example, the APWG saw 67,677 attacks--meaning "a phishing site targeting a specific brand or entity"--which was up from 48,244 in the first half of 2010. But that's still down from the 126,697 attacks seen in the second half of 2009. According to the report, "the decrease in attacks was due to reduced activity by the Avalanche phishing gang," which at its peak was the Internet's single most prolific phishing gang.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.