The Anti-Phishing Working Group (APWG) regularly publishes a Phishing Activity Trends Report which analyses phishing attacks reported to them by its member companies and its Global Research Partners, through the organisation’s website.
In the last quarter of 2017 the APWG released its Phishing Trends Report for H1 2017 and indicated some key findings:
- Hundreds of companies are being targeted regularly, at least every few weeks, while a smaller number of companies are attacked intermittently.
- Phishing attacks occurred most frequently in the payment, financial and webmail sectors.
- There has been an increase in the number of phishing attacks using free hosting providers or website builders.
- In the new generic Top Level Domains (gTLDs) and country code Top Level Domains (ccTLDs), much of the phishing activity was concentrated in a small number of domains.
The .NL registry operator SIDN also recently published an article on the subject called “A fight on three fronts”. Abuse is a growing problem, according to Lilian van Mierlo, the Registration & Service Manager at SIDN, who states:
“There are some types of abuse that we used to get reports about maybe ten times a year, and now we’re getting a thousand reports about. Or more! It’s not just that there’s more abuse going on. The abuse is also becoming more sophisticated. Most phishing sites used to stand out a mile, with clumsy layouts and machine-translated text. Whereas a lot of them nowadays are hard to tell apart from the real thing”.
The article talks about the three measures that SIDN have implemented to fight abuse:
1) Fighting phishing and malware
SIDN has implemented Abuse204.nl (“abuse to zero for .nl”), a programme designed to combat phishing and malware. The article reports that “at the heart of the system is a feed provided by Netcraft, an international company that tracks malware and phishing“. Websites are regularly scanned for the Abuse204.nl programme and if malware or phishing is found on a website, then Netcraft emails the domain name registrant so that they can take steps to get rid of malicious files. Lilian van Mierlo points out that “since [they] started abuse204.nl, [they] have managed to cut the average time-to-live of phishing and malware sites substantially.”
2) Shutting down fake webshops
The increasing number of fake webshops is another concern. Lilian van Mierlo notes that “interestingly, sham webshops often use domain names that don’t match what they’re supposedly selling. So you might get shoes being sold using an address that looks as if it belongs to a housing advice service. The logic seems to be that a domain name that’s been in use before will feature higher in search results. And the more visitors the scammers can attract, the more they can earn“. SIDN combats this by checking the registration data of domain names that are used for dubious webshops, as it is often false, and contacting the registrants. If the registrants are unable to provide valid data, then SIDN cancels the domain names. As a consequence the fake webshops can no longer be accessed using these domain names.
3) Fighting botnets
Botnets are networks of infected computers used by crooks to launch DDoS attacks, commit identity fraud and send spam. To fight this, SIDN has created The Abuse Information Exchange. Via the Exchange’s platform, the AbuseHUB, ISPs and others can share information about botnets to limit abuse.
According to Lilian van Mierlo, .NL is one of the most secure TLDs in the world. She is however realistic: “It’s impossible to eliminate abuse completely. Crooks are getting smarter all the time and we will always be one step behind“.
Authored by David Taylor and Laetitia Arrault