A new phishing survey found that phishing gangs are abusing free subdomain services. They are also likely to register new domains instead of hacking an existing one.

Scammers have shifted tactics to use free domain services to launch phishing attacks,
according to a research report.

A significant number of phishing attacks in the second half of 2010 originated
from Tokelau's .tk domain and Korea's .co.cc subdomain, according to the latest
survey released by the Anti-Phishing Working Group on April 27. The report
examined all phishing attacks from July 1 to Dec. 31, 2010, collected by the
Anti-Phishing Working Group and supplemented from multiple private sources.

By offering free domain names, .tk has become the third largest country-code
top-level domain after Germany's .de and Great Britain's .uk. Scammers are
snapping up the free .tk domains in droves.

While there were phishing domains registered across 183 top-level domains, 89 percent
were concentrated in just four: .com, .tk, .net and .info. Tokelau, a territory
of New Zealand, is a group of three tropical atolls in the South Pacific Ocean
with a population of 1,400 people.

Phishing attacks occurred on 42,624 unique domain names and 2,318 unique IP addresses in
the second half of 2010, the report found. To put it in context, there were
205.6 million domain names in October, according to VeriSign. Since the
researchers defined an attack as a phishing site that targets a specific brand
or entity, one domain name could host several discrete attacks against
different banks.

Of the phishing domains, about 28 percent were registered specifically for
malicious purposes, the researchers found. Nearly half of those malicious
domains were registered specifically to phish Chinese targets. The remaining
phishing domains were legitimate domains that had been compromised.

"Every .tk domain used for phishing was maliciously registered," the researchers
wrote.

Recent reports from major security firms, including Symantec, have noted that a
significant number of malware attacks originate from China. This is apparently
not a one-way street, as attackers are also "aggressively" targeting Chinese
e-commerce sites and banks, the APWG report found.

The APWG examined information from the Anti-Phishing Alliance of China and
concluded that observers outside of China detected only 20 percent of the
Chinese-target phishing attacks. "Security observers in Europe and the Americas
are not receiving and/or parsing many of the Chinese-language phishing lure
e-mails and instant messages," the researchers wrote.

In December 2009, new rules went into effect that barred individuals from
registering .cn domains and required applicants to submit a copy of the business
license during the registration process. While there were 2,826 attacks from
228 .cn domains in the second half of 2009, the number dropped to just 162
attacks on 120 domains in the same time period in 2010. However, this did not
reduce the number of phishing attempts against Chinese Internet users and
institutions as attackers shifted their campaigns to other top-level domains.

"The e-crime landscape is a constantly shifting battlefield, where phishers are
always moving toward ripe targets and away from well-defended Internet assets,"
the group wrote in its report.

Attackers targeting Chinese users were more likely to register their own domain names
instead of compromising others. There were 12,282 attacks on Chinese
institutions launched from 6,382 domain names and 4,737 .co.cc subdomains. The
report estimated that a mere 7 percent of the domain names had been hacked.

Cyber-criminals are using subdomain services nearly as often as they register their own domain
names, according to the report. The subdomain services make it harder for
domain registrars and registry operators to take down the phishing sites, as
any action against a site will impact other addresses on that domain. Korea
offers free subdomain services, where applicants receive "hosting accounts"
with full DNS services under an existing domain name. There are over 9.4
million subdomains on .co.cc.

There were at least 67,677 phishing attacks worldwide in the second half of 2010, a
40 percent increase from the 48,244 attacks found in the first half of the
year. The increase was mainly due to the phishing attacks on Chinese targets.
However, overall phishing attacks were dramatically fewer than in the second half
of 2009, when 126,697 phishing campaigns were found. Researchers did not
observe any phishing on IPv6 addresses.

The report was presented at the Counter e-Crime Operations Summit, running April 27
to April 29, in Kuala Lumpur, Malaysia.