Security Experts:

Connect with us

Hi, what are you looking for?



Use of Subdomains Leads to Increased Uptime for Phishing Attacks

The Anti-Phishing Working Group (APWG) released a new report at its conference taking place this week in Kuala Lumpur, Malaysia, revealing that use of subdomain services to host phishing sites almost doubled in the second half of 2010.

The Anti-Phishing Working Group (APWG) released a new report at its conference taking place this week in Kuala Lumpur, Malaysia, revealing that use of subdomain services to host phishing sites almost doubled in the second half of 2010.

As a result of the increased use of subdomains, cybercriminals running phishing campaigns are enjoying more uptime to landing pages used to capture user data. According to the APWG’s report, Global Phishing Survey: Trends and Domain Name Use in 2H2010, the average uptime of a phishing campaign during the time period was 73 hours, the longest average for any time period since it began tracking uptime three years ago. When it comes to the success of a phishing campaign the “uptime” or “live” times of phishing attack are a vital measure of how damaging phishing can be. The longer a phishing attack remains active, the more damage can be done.

Phishing Uptime

The APWG report identified 11,768 phishing websites hosted on subdomain services during the second half of 2010, up 42 percent from the first half of 2010, accounting for the majority of phishing in some Top Level Domains (TLDs). This number had been overall generally flat since the second half of 2008.

Subdomain registration services give customers subdomain “hosting accounts” beneath a domain name the provider owns. These services are sold, managed, and regulated differently from regular domain names, in that the person never really “owns” the domain it’s hosted on.

Rod Rasmussen, founder and CTO of Internet Identity, a SecurityWeek columnist, and co-author of the APWG study, said, “Over the past few years, we have documented many examples of e-criminals finding and heavily exploiting particular DNS-related service providers who were ill-prepared for the onslaught of abuse. Subdomain providers are a particularly tempting target, as they provide full DNS services with no oversight and low-to-no cost services.”

Phishing Trends CybercrimeOver 40 percent of attacks using subdomain services occurred on CO.CC, based in Korea, despite the fact that CO.CC is generally responsive to abuse reports. Phishers are probably attracted to CO.CC because CO.CC registrations are free, easy to sign up for, come with DNS service, and there are features to assist with bulk signups. At the time the APWG report was published, CO.CC supported more than 9,400,000 subdomains across more than 5,000,000 user accounts.

Additionally, the report notes that phishers made significant use of two free services in order to launch their phishing sites: the .TK domain registration service and the CO.CC subdomain service. Nearly 11 percent of all phishing attacks utilized these services.

“Few such services take enough proactive measures to keep criminals from abusing their products in the first place,” said Greg Aaron, Director of Key Account Management and Domain Security at Afilias and co-author of the study. “Hopefully the Internet can become a place where companies are less reactive and more proactive about e-crime,” said Greg Aaron.

Other interesting discoveries from the report include:

• Phishers are attacking Chinese e-commerce sites and banks aggressively, and are distinguished by preferentially registering new domain names, rather than using compromised Web servers like most phishers do.

• Shutting down the availability of .CN domain names did not stop phishing that victimizes Chinese Internet users and Chinese institutions. Rather, it seems to have merely shifted the phishing to other top-level domains.

• 18 percent of the malicious domains (2,066) were registered to phish World of Warcraft and (the online gaming service that supports Warcraft)

• Data shows a continuing trend of cybercriminals using “URL shortening” services to obfuscate phishing URLs.

The full report is available here.

Read More SecurityWeek Cybercrime Content 

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...