Q: What were the top registrars worldwide used by phishers to purchase domain names?
A: 21 registrars, several of them in China, accounted for 79% of the domains registered maliciously (a total of 2,991). These were Shanghai Yovole Networks; Chengdu West Dimension Digital Technology; Hang Zhou E-Business Services; Jiangsu Bangning Science; Internet.bs; Beijing Innovative; 1API; Bizcn.com; Directi/PDR; Hichina Zhicheng; Melbourne IT; Xin Net Technology Corp; Register.com; Name.com; Fast Domain; eNom Inc.; OVH; GoDaddy; Tucows; 1&1 Internet AG.
Q: What's being seen in the trend toward mass break-in techniques?
A: Instead of hacking sites one at a time, the phisher can infect dozens, hundreds or even thousands of websites at a time, depending on the server. In the second half of 2011, APWG identified 58,100 phishing attacks that used the mass break-in technique, representing 47% of all phishing attacks recorded worldwide at that time. In February 2012, attacks of this nature started up again, peaking in August 2012 with over 14,000 phishing attacks sitting on just 61 servers. Levels declined in late 2012 but are still high. These attacks, according to APWG, "turn compromised servers at hosting facilities into weapons" because hosting facilities contain large numbers of powerful servers with the type of network access that supports large amounts of traffic. This break-in tactic against virtual-server farms offers the attacker significantly more computing power and bandwidth than scattered home PCs.
Q: What more is evident about the link between shared hosting environments and phishing?
A: In late 2012 and into 2013, the APWG saw increasing use of tools targeting shared hosting environments, and particularly WordPress, cPanel and Joomla installations. For example, beginning in late 2012, criminals hacked into server farms to perpetrate extended DDoS attacks against American banks. In April 2013, there were brute-force attacks against WordPress installations at hosting providers in order to build a large botnet. Tens of thousands to hundreds of thousands of these shared servers have been cracked by such techniques. Access to these boxes is then metered out in the criminal underground for all sorts of activities, including DDoS, malware distribution, and phishing. It all highlights the vulnerability of hosting providers, the software they use and weak password management. Rod Rasmussen, president and CTO at Internet Identity and co-chair of the APWG's Internet Policy Committee, says unpatched open-source software is a popular target, with attackers hitting the hosting providers that make the software available to their customers.
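The WordPress brute-force pattern described above has a telltale shape on a shared host: one client POSTing to wp-login.php across many different customer sites in quick succession. The following detector, added here as an illustration and not part of the article or the APWG report, flags such sources in an Apache access log that has the virtual host prepended; the log format, host names, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log with the virtual host prepended: LogFormat "%v %h %l %u %t \"%r\" %>s %b ..."
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (vhost, ip, method, path-without-query, status) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m["vhost"], m["ip"], m["method"], m["path"].split("?", 1)[0], int(m["status"])

def wp_login_bruteforce_candidates(log_text, min_failed=5, min_vhosts=3):
    """Source IPs that repeatedly POST to wp-login.php across several sites on the same host.
    A failed WordPress login re-renders the form with HTTP 200, while a success answers 302,
    so only 200 responses are counted. Spanning many customer vhosts is the shared-hosting
    signature: one client working through every WordPress install the server hosts.
    """
    failed = defaultdict(int)
    vhosts = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines instead of crashing on them
        vhost, ip, method, path, status = parsed
        if method == "POST" and path.endswith("/wp-login.php") and status == 200:
            failed[ip] += 1
            vhosts[ip].add(vhost)
    return {ip: {"failed_posts": n, "vhosts": len(vhosts[ip])}
            for ip, n in failed.items()
            if n >= min_failed and len(vhosts[ip]) >= min_vhosts}

# Constructed sample log (hypothetical customer sites, RFC 5737 documentation addresses): one client
# posting to wp-login.php on four sites, one legitimate login (302), one plain GET, one junk line.
_FMT = '{} {} - - [15/Apr/2013:02:10:{:02d} +0000] "{} /wp-login.php HTTP/1.1" {} 3121 "-" "Mozilla/5.0"'
SAMPLE_LOG = "\n".join(_FMT.format(v, ip, i, m, s) for i, (v, ip, m, s) in enumerate([
    ("shop-a.example", "203.0.113.7", "POST", 200), ("blog-b.example", "203.0.113.7", "POST", 200),
    ("news-c.example", "203.0.113.7", "POST", 200), ("club-d.example", "203.0.113.7", "POST", 200),
    ("shop-a.example", "203.0.113.7", "POST", 200), ("blog-b.example", "203.0.113.7", "POST", 200),
    ("blog-b.example", "198.51.100.20", "POST", 302), ("blog-b.example", "192.0.2.9", "GET", 200),
])) + "\nnot a log line"

if __name__ == "__main__":
    for ip, info in wp_login_bruteforce_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {info['failed_posts']} failed logins across {info['vhosts']} sites")
```

On a real host the same per-source count can be fed to a rate limiter or fail2ban-style blocker; the cross-vhost threshold keeps a single customer's forgotten password from triggering it.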
Q: How long do live phishing attacks typically last these days?
A: The average "uptime" as of the last half of 2012 was 26 hours and 13 minutes. The median uptime was 10 hours and 19 minutes -- said to be almost twice the historically low uptime of five hours and 45 minutes achieved in the first half of 2012. According to the APWG, the longer a phishing attack remains active, the more money the victims and target institutions lose. The first day of a phishing attack is believed to be the most lucrative for the phisher. The virtual-server-related attacks tended to be mitigated more efficiently, if only because they prompted many complaints to the hosting providers that were impacted.