Security Experts:

Phishing Sites: Lifespan Decreases, Population Grows at Record Speed, Says APWG

According to a new report from the Anti-Phishing Working Group (APWG), an industry organization focused on combating phishing and cybercrime, the average uptime of phishing websites dropped during the first half of 2012. That’s a good thing, as the longer a site hosting phishing attack remains online and accessible, the more money and data cybercriminals can pilfer from victims.


According to the APWG’s Global Phishing Survey: Trends and Domain Name Use in 1H2012, the average uptime of phishing attacks dropped to a record low of 23 hours and 10 minutes in the first half of 2012. This number, the APWG says, it about half of what it was in late 2011, and by far the lowest since the report first started back in January 2008. 

While the lifetime of a phishing site has decreased, the report showed an increase in the number phishing attacks during the period – at least 93,462 by the APWG’s count, a 12 percent bump from the same period last year.

On the tactics side, the anti-cybercrime organization warned that cybercriminals are increasingly using hacked web servers that host legitimate websites on reputable domains to host their phishing websites.

"Phishers seem to be concentrating their efforts on compromising legitimate websites using automated attack tools, or purchasing access to them on the burgeoning underground market," said Rod Rasmussen, SecurityWeek columnist and CTO of Internet Identity, who is a co-author of the report. "This allows them to leverage the good reputation of a website's domain name, making it harder to block in either spam filters or via suspension, and makes takedown of that domain impractical."

The report also noted a major increase in ways a cybercriminal can generate hundreds of phishing attacks at the same time.

“Some of the increased phishing activity is due to an especially virulent method that some phishers have been using more often,” explained Greg Aaron of Afilias, the report's other co-author. "Instead of hacking websites one at a time, phishers are breaking into shared hosting -- web servers that host large numbers of domains. This way, a phisher can infect dozens, hundreds, or even thousands of websites at one time."

Other key discoveries from the APWG 2H2012 report include:

• Phishers registered more subdomains than regular domain names. The number of domain names registered by phishers dropped by almost half since early 2011.

• The number of targeted institutions has dropped; phishers continue to target larger or more popular targets.

• Only about 2 percent of all domain names that were used for phishing contained a brand name or variation thereof.

• Phishers attacking Chinese institutions are an exception – they prefer to register domain names rather than hacking into servers. Phishers attacking Chinese institutions were responsible for two-thirds of all malicious domain name registrations made in the world. These phishers use both Chinese and non-Chinese domain registrars.

• Domain name owners in South America had their web servers compromised by phishers in growing numbers.

The full report from the APWG is available here in PDF format. 

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.