Security Experts:

Phishing Attacks on Chinese Businesses Surge, Says APWG

A new report coming from the Anti-Phishing Working Group (APWG) reveals that phishing attacks against Chinese banking and e-commerce Web sites soared by 44 percent in the first half of 2011. According to the report, 70 percent of all maliciously registered domain names in the world were established by Chinese cybercriminals for use against Chinese brands and enterprises.

Phishing ReportResearchers working alongside the APWG uncovered that Chinese cybercriminals setup 11,192 unique domain names and 3,629 .CC subdomains for these attacks, up from the 6,382 unique domain names plus 4,737 CO.CC subdomains deployed for such attacks in the second half of 2010.

Chinese phishers seem to be taking a different approach in their attacks, from what the APWG has seen. Contrasting what many phishers often do, Chinese phishers don’t focus on hosting their attack pages on hacked domains. Instead, they continue to register new domains to set up their phishing pages.

"The majority of Chinese phishing appears to be perpetrated by Chinese criminals attacking Chinese companies, with 88% of such attacks targeting a single service:," said Greg Aaron, a co-author of the report for Afilias. "With .CN domains difficult for criminals to obtain these days, these phishers had a major impact on other TLDs, where domains and subdomains are often easier and cheaper to obtain."

Cybercriminals also optimized their attack tactics durning the first half of 2011, often taking over shared server environments and leveraging every Web site hosted on it, multiplying the number of domains that can be used to host pages for phishing attacks. This indicates that phishers in China may have a higher level of technical skill, as taking over servers requires more “hacking” knowledge rather than simply registering domains and setting up small sites—something that can be done by just about anyone.  

"By utilizing hundreds of sites on a web server with a single compromise, phishers can greatly leverage stolen resources to create a wide web of phishing sites," said Rod Rasmussen, President and CTO of Internet Identity and co-author of the report. "This also allows them to spam lures using a wider variety of 'good reputation' domain names which can help evade anti-spam systems. Fortunately, these sites last shorter than others given the level of compromise, so in the end the technique is of dubious efficacy."

APWG researchers counted 42,448 unique attacks that utilized this tactic, each using a different domain name, representing 37 percent of all phishing attacks worldwide.

While the report showed cybercrime gangs advancing on a number of technical fronts, statistics show that the response and measures taken by the security industry appear to be working.

After peaking during the second half of 2010, the average uptimes of phishing attacks dropped notably during the first half of 2011 to 54 hours and 37 minutes, compared to 73 hours in during the second half of 2010. This represents a decrease of over 25 percent from half to half. The median uptime in the first half of 2011 was 10 hours and 44 minutes, the lowest median recorded in four years.

"We are happy to see that phishing times came down over the first half of the year due to a variety of factors," said Aaron. "This means that criminals must work harder to keep their attacks in front of potential victims. Raising the cost that criminals incur is a goal that all anti-abuse forces share."

Other highlights of the report include:

• The APWG counted at least 112,472 unique phishing attacks, across 200 top-level domains in the first half of 2011. The number was a big jump over the 42,624 attacks they counted in the first half of 2010, but less than the record 126,697 observed in the second half of 2009, the height of the phishing onslaught being propelled by the Avalanche botnet.

• The attacks used 79,753 unique domain names, representing a high for reports that go back as far as 2007

• 2,960 attacks were detected on 2,385 unique IP addresses, rather than on domain names, the highest number since early 2009.

520 institutions were targeted with Phishing attacks. Top targets included banks, e-commerce sites, social networking services, ISPs, lotteries, government tax bureaus, postal services, and securities companies.

• 93 percent of the malicious domain registrations used just four TLDs: .TK, .INFO, .COM, and .NET.

The fill report is available here 

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.