Dark Reading is part of the Informa Tech Division of Informa PLC

Phishing Attackers Use Subdomain Registration Services

Online criminals doubled their use of unregulated subdomain registration services in the second half of 2010, according to a report by the Anti-Phishing Working Group.

Online criminals are increasingly using subdomain registration services to register the fake websites used to launch phishing attacks. Subdomain services are typically unregulated and focus on high-volume, low-cost transactions, meaning that they provide excellent cover for attackers.

That's a key finding of a report released Tuesday by the Anti-Phishing Working Group (APWG) that focuses on phishing trends for the second half of 2010.

"Over the past few years, we have documented many examples of e-criminals finding and heavily exploiting particular DNS-related service providers who were ill-prepared for the onslaught of abuse," said report co-author Rod Rasmussen, CTO of technology and services firm Internet Identity, in a statement. "Subdomain providers are a particularly tempting target, as they provide full DNS services with no oversight and low-to-no cost services."

All told, in the second half of 2010, subdomain services hosted nearly 11,768 phishing websites, a 42% increase from the first half of the year. Interestingly, 40% of attacks launched via subdomain services used the CO.CC domain, based in Korea.

According to the APWG report, "phishers are probably attracted to co.cc because co.cc registrations are free, easy to sign up for, come with DNS service, and there are features to assist with bulk signups." The report also said that while the domain administrators typically respond quickly to any reports of abuse, "co.cc supports more than 9,400,000 subdomains in more than 5,000,000 user accounts," which could make policing the influx of phishers difficult.

"Few such services take enough proactive measures to keep criminals from abusing their products in the first place," said report co-author Greg Aaron, director of key account management and domain security at Internet infrastructure services provider Afilias, in a statement.

But service providers that actively go after phishers can help eliminate the threat. For example, according to the report, Pochta.ru, a Russian provider of free email, "almost completely eliminated phishing on its service," reducing the number of attacks launched via its site from 189 in the first half of 2010 to just 14 in the second half of the year.

The growing use of subdomain registration services means that attackers currently register roughly as many phishing websites via subdomain services as they do directly under top-level domains. Interestingly, the majority of phishing attacks are launched from a rather small subset of domains. For top-level domains, 60% of attacks originate from .com, .cc, .net, and .org domains. Meanwhile, 89% of subdomain attacks are launched from services under the .com, .tk, .net, and .info domains.
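As an added illustration (not code from the APWG report or from Dark Reading), the following Python reproduces the split the report draws between sites hosted on a subdomain service and sites on domains registered directly under a TLD, using a longest-suffix-wins lookup and counting unique registrable domains rather than URLs. Only co.cc comes from the article; the second service suffix, the public-suffix subset and the sample URLs are constructed placeholders.

```python
from collections import Counter
from urllib.parse import urlsplit

# co.cc is the subdomain service named in the report; the second entry is a
# made-up placeholder. PUBLIC_SUFFIXES is a tiny stand-in for the Public
# Suffix List so that shop.example.co.uk is not mistaken for a service.
SUBDOMAIN_SERVICE_SUFFIXES = {"co.cc", "free-subs.example"}
PUBLIC_SUFFIXES = {"co.uk", "com.cn"}


def hostname(url: str) -> str:
    host = urlsplit(url if "://" in url else "http://" + url).hostname
    return (host or "").lower().rstrip(".")


def longest_matching_suffix(host: str, suffixes: set) -> str:
    """Longest-suffix-wins lookup; falls back to the bare TLD."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return candidate
    return labels[-1]


def classify(url: str) -> dict:
    """Registrable domain, category and TLD of one phishing URL."""
    host = hostname(url)
    suffix = longest_matching_suffix(host, SUBDOMAIN_SERVICE_SUFFIXES | PUBLIC_SUFFIXES)
    labels = host.split(".")
    registrable = ".".join(labels[-(suffix.count(".") + 2):])  # suffix + one label
    category = "subdomain_service" if suffix in SUBDOMAIN_SERVICE_SUFFIXES else "registered_domain"
    return {"domain": registrable, "category": category, "tld": labels[-1]}


def tally(urls) -> Counter:
    """Unique registrable domains per (category, TLD); the report counts
    domains, so several URLs on one domain count once."""
    seen = {}
    for url in urls:
        info = classify(url)
        seen.setdefault(info["domain"], info)
    return Counter((i["category"], i["tld"]) for i in seen.values())


# Constructed sample feed, not real indicators.
SAMPLE_URLS = [
    "http://bank-login.co.cc/secure", "http://bank-login.co.cc/verify",  # one domain
    "http://www.paypa1-verify.co.cc/", "http://secure.update-account.com/login",
    "http://shop.example.co.uk/account",
]
```

Running `tally(SAMPLE_URLS)` yields two subdomain-service domains under .cc and one registered domain each under .com and .uk, the same kind of per-TLD breakdown the report gives.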

Compared with past years, attackers today are more likely to register the malicious domains used in their attacks themselves, especially when they are targeting Chinese websites, which are seeing increasing volumes of attacks. "Of the 42,624 phishing domains, we identified 11,769 (28%) that we believe were registered maliciously, by the phishers," said the report. "Of those, 6,382 were registered to phish Chinese targets. The other 30,855 domains were hacked or compromised on vulnerable Web hosting."

But the report also brings good news: measured year over year, the overall number of phishing attacks appears to be declining. In the second half of 2010, the APWG counted 67,677 attacks, defining an attack as "a phishing site targeting a specific brand or entity," up from 48,244 in the first half of 2010 but still well below the 126,697 attacks seen in the second half of 2009. According to the report, "the decrease in attacks was due to reduced activity by the Avalanche phishing gang," which at its peak was the Internet's single most prolific phishing gang.
