Security Experts:

Phishers Hit Hosting Providers to Launch Attacks: APWG

Phishers remain focused on compromising web servers that host large numbers of domains, according to the Anti-Phishing Working Group (APWG).

In a report on phishing attacks during the first half of 2014, the APWG identified 215 mass break-ins of this type, resulting in 24,662 phishing attacks. This represented 20 percent of the phishing attacks APWG analyzed worldwide during the period.

"Versus 2H2013, both break-ins (178 in 2H2013) and attacks (20,911 in 2H2013) were up noticeably," according to the AWPG report. "They resulted in about 20 percent of all phishing attacks, versus 18 percent in 2H2013. This trend is interesting and it is unclear whether these attacks are more effective and are thus being run more often to capitalize, or whether the technique is less effective so attackers need to launch more in order to reap the same number of credentials."

APWG identified sets of attacks by analyzing the IP addresses of the machines used the timing of the attacks and the telltale URL paths that the phish shared.

"Breaking into such hosting is a high-yield activity, and fits into a larger trend where criminals turn compromised servers at hosting facilities into weapons," according to the report. "Hosting facilities contain large numbers of powerful servers, and have large "pipes" through which large amounts of traffic can be sent. These setups offer significantly more computing power and bandwidth than scattered home PCs."

APWG reported that there were at least 123,741 unique phishing attacks worldwide during the first six months of 2014.

"Most of the growth in attacks came from increases in attacks against vulnerable hosting… and also increased use of maliciously registered domains and subdomains," according to the APWG report. "An attack is defined as a phishing site that targets a specific brand or entity. A single domain name can host several discrete phishing attacks against different banks, for example."

So far, APWG believes the growth in new generic top-level domains (gTLDs) has not resulted in a surge in phishing, the report notes. Some of that may be due to the fact that many of the new gTLDs available to the general public for purchase are more expensive than .com and other legacy top-level domains. Also, phishers often don't use brand names in the domains they register. Most maliciously registered domain names offer nothing to confuse a potential victim, the report states.

"Placing brand names or variations thereof in the domain name itself is not a favored tactic, since brand owners are proactively scanning Internet zone files for their brand names," APWG explains in the report. "As we have observed in the past, the domain name itself usually does not matter to phishers, and a domain name of any meaning, or no meaning at all, in any TLD, will usually do. Instead, phishers often place brand names in subdomains or subdirectories. This puts the misleading string somewhere in the URL, where potential victims may see it and be fooled. Internet users are rarely knowledgeable enough to be able to pick out the “base” or true domain name being used in a URL."

The APWG also found that banks (25.7 percent) and e-commerce sites (32.4 percent) were the most targeted industries in the first half of the year.

A new phishing report from EMC's RSA Security Division reported that U.S. banks saw an increase in phishing volume in August from 59 percent to 72 percent. Phishing attacks against credit unions from five percent to 12 percent last month. All totaled, RSA identified 33,145 phishing attacks in August, representing a 22 percent decrease from the attacks they identified in July.

In the APWG report, the organization said the attacks it analyzed occurred on 87,901 unique domain names, an increase from 82,163 domains used in the second half of last year. Of these 87,901 phishing domains, APWG identified 22,679 domain names that it believes were registered maliciously by phishers. The remaining 65,222 domains were almost all hacked or compromised on vulnerable web hosting.

According to the RSA report, the U.S. was the top hosting country for phishing in August, while Hong Kong was second.

"If a site takes in personal data like passwords or credit card information, then phishers may want to exploit it,” said Greg Aaron, president of Illumintel and co-author of the APWG report. "We're seeing an unprecedented breadth of targets -- cloud storage sites, utility companies, business service providers, and real estate brokerages."

view counter