A new phishing survey released by the Anti-Phishing Working Group (APWG) revealed that phishing attacks perpetrated against Chinese e-commerce and banking sites soared by 44% in the first half of 2011.

According to the APWG report, some 70% of all maliciously registered domain names in the world were established by Chinese cybercriminals for use against Chinese brands and enterprises. However, Chinese phishers do not use many hacked domains like most phishers, but register instead new domains on which they set up their phishing pages. The report reveals that Chinese cybercriminals established 11,192 unique domain names and 3,629 CO.CC subdomains for these attacks, up from the 6,382 unique domain names plus 4,737 CO.CC subdomains deployed for such attacks in the second half of 2010.

"The majority of Chinese phishing appears to be perpetrated by Chinese criminals attacking Chinese companies, with 88% of such attacks targeting a single service: Taobao.com," said Greg Aaron, a co-author of the report. "With .CN domains difficult for criminals to obtain these days, these phishers had a major impact on other TLDs, where domains and subdomains are often easier and cheaper to get."

Cybercrime gangs in the first half of 2011 also optimized a previously obscure tactic, namely taking over a virtual shared server and leveraging every website on it by massively multiplying the number of landing domains available for phishing attacks.

"By utilizing hundreds of sites on a web server with a single compromise, phishers can greatly leverage stolen resources to create a wide web of phishing sites," said Rod Rasmussen, President and CTO of Internet Identity, as well a co-author of the report. "This also allows them to spam lures using a wider variety of 'good reputation' domain names which can help evade anti-spam systems. Fortunately, these sites last shorter than others, given the level of compromise, so in the end the technique is of dubious efficacy."

The researchers reported counting 42,448 unique attacks that utilized this tactic, each using a different domain name, representing 37% of all phishing attacks worldwide. This large number of domain names accounts for much of the increase in phishing seen versus the second half of 2010.

Though the report found cybercrime gangs advancing on a number of technical fronts, some metrics indicated that cybercrime was also being partly suppressed by a number of preventative measures and the application of routinized responses to cybercrime events by industry.

After reaching highs in the second half of 2010, the average and median uptimes of phishing attacks dropped notably in the first half of 2011. The average uptime in the first half of 2011 was 54 hours and 37 minutes, compared to 73 hours in the second half of 2010 - a decrease of more than 25%. The median uptime in the first half of 2011 was 10 hours and 44 minutes, the lowest median recorded in four years.

"We are happy to see that phishing times came down over the first half of the year due to a variety of factors," said Greg Aaron. "This means that criminals must work harder to keep their attacks in front of potential victims. Raising the cost that criminals incur is a goal that all anti-abuse forces share."

Other highlights of the report include:

  • There were at least 112,472 unique phishing attacks worldwide, in 200 top-level domains (TLDs). This is far greater than the 42,624 attacks observed in the second half of 2010, but less than the record 126,697 observed in the second half of 2009 at the height of the phishing onslaught being propelled by the Avalanche botnet. The increase in the first half of 2011 consists largely of phishing attacks on Chinese targets and attacks that leverage shared virtual servers to infect multiple domains at once.
  • The attacks used 79,753 unique domain names. This is a high for reports going back to 2007, and the increase is primarily due to the same two factors cited above.
  • In addition, 2,960 attacks were detected on 2,385 unique IP addresses, rather than on domain names, which is the highest number since early 2009.
  • The researchers counted phishing attacks against 520 target institutions, including banks, e-commerce sites, social networking services, ISPs, lotteries, government tax bureaus, postal services, and securities companies.
  • Some 93% of the malicious domain registrations were made in just four TLDs: .TK, .INFO, .COM, and .NET. (Source: Anti-Phishing Working Group)

The report is available at http://www.apwg.org/reports/APWG_GlobalPhishingSurvey_1H2011.pdf

By MediaBUZZ