Cybercriminals have been shifting their tactics markedly, by registering more and more domain names, rather using web servers and domains they have hacked into. These “malicious domain registrations” accounted for half of all the domain names used for phishing in 2016, according to APWG.
A new global phishing survey from APWG documents that in 2016 there were at least 255,065 unique phishing attacks worldwide – an all-time high. Of the 195,475 domains used for phishing, the authors identified 95,424 domain names that the authors believe were registered maliciously by phishers – almost three times as many as they found in 2015.
“It was disheartening to see the registration of so many malicious domain names to mount attacks, after all the great work that’s been done to curtail phishers in recent years,” said Rod Rasmussen, Founder of R2 Cyber and co-author of the study. “This should be a wake-up call for the domain name industry.”
The study also revealed that contrary to conventional wisdom, many domain names registered by phishers are being “aged” and are not used immediately after registration. Recently registered domains receive low reputation scores from security and anti-spam companies that prevent consumers from receiving phishing-lure emails. So some phishers are evading those security measures by registering domains and then waiting until the domains are older and have better reputation scores.
The study also examined the use of the new top-level domains that have been introduced over the past three years. Phishing in the new top-level domains is rising, but is not yet as pervasive as in other sectors of the domains name space. However, by the end of 2016, almost half of the new top-level domains that were available for general registration by the public had phishing in them, and the new top-level domains are a place where phishers are purchasing domain names for themselves.
“In the meantime, phishers are employing another new trick that uses the domain name system,” said Greg Aaron, VP of iThreat Cyber Group and co-author of the report. “We call this ‘domain shadowing’, and is when a phisher manipulates an unsuspecting company’s DNS settings to insert multiple phishing sites onto the company’s servers—often hundreds of sites at a time. As always, we emphasize that companies must take strong, professional measures to protect their web hosting and email services—otherwise criminals will break into them and use them for their own purposes.”