New Chinese targets put phishing on the rise
Accurate figures for phishing attacks are hard to come by.
According to the most recent figures assembled by the Anti-Phishing Working Group, phishing peaked in late 2009, with a record 126,697 distinct attacks identified. The numbers for 2010 are well below that figure, but they were on the rise.
APWG is an international association of industry and law enforcement agencies targeting all types of e-mail spoofing used for fraud and identify theft. The group’s data goes back only to 2007, which might be a long time in Internet years but still is a short time for doing meaningful comparisons. Numbers are further skewed by the fact that baselines are changing. APWG’s most recent report, released in April and covering the last half of 2010, contains new data about Chinese phishing that elevates some numbers.
To defeat phishing, Energy learns to phish
After US crackdown on botnets, cyber criminals run to Canada
Still, the numbers are interesting. The organization identified 67,677 attacks worldwide in the last half of last year, up from 48,244 in the first half of 2010, though it cautions that the increase is mainly because of the new data about phishing attacks on Chinese targets. The report defines an attack as a phishing site that targets a specific brand or entity. One domain name can host multiple attacks, and APWG identified 42,624 domains used in phishing attacks during that period.
The challenge of defending against phishing is underscored by the fact that most of the domains being used for attacks were legitimate sites that had been compromised by bad guys, with only 28 percent of them being registered maliciously by the phishers. Overall, 60 percent of attacks identified by APWG occurred in four top-level domains: .com, .cc, .net and .org; and 89 percent of the malicious domains were registered in .com, .tk, .net and .info.
Sites hosting phishing attacks were longer-lived in 2010. Attack sites usually are identified quickly and are either blocked or taken off-line, so their uptime is typically fairly short — a matter of hours or days. But the average uptime for a site jumped from about 30 hours in late 2009 to about 58 hours in the first half of 2010, and it spiked to more than 73 hours in the last half of the year. This jump corresponds with the predominance of legitimate but compromised sites being used in 2010, which APWG notes are more difficult to mitigate or block than maliciously registered domain names.
More than 2,000 phishing attacks were hosted on sites using IP addresses rather than domain names, and all of these were in the traditional IPv4 address space with no phishing activity found using IPv6 addresses. That could change in the coming months with the exhaustion of the IPv4 address space and the growing adoption of IPv6.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.