Pierluigi Paganini April 30, 2013

APWG issued the new edition of its APWG Global Phishing Survey report that identifies trends and their significance by quantifying the scope of the global phishing problem.

The APWG Global Phishing Survey report analyzes phishing attacks detected in the second H2 2012, the overall data for the study was collected by the Anti-Phishing Working Group, and supplemented with information provided by several phishing feeds, CNNIC, and private sources.

APWG unifies the various entities and organizations, including security vendors, financial institutions, retailers, ISPs, telecommunication companies, defense contractors, law enforcement agencies, government agencies and more.

The APWG phishing repository is considered the biggest archive of phishing and e-mail fraud activity, the APWG Global Phishing Survey report revealed that attackers increasingly target shared Web hosting servers for involve in fraudulent activities such as mass phishing attacks.
Phishers appear active as never before breaking into hosting providers with unprecedented success and abusing of their resources to conduct large scale phishing attacks.

APWG Global Phishing Survey report states that the number of phishing attacks that targeted shared Web hosting represented 47% of overall phishing attacks, attackers registered principal subdomains than regular domain names but fortunately The average and median uptimes of phishing attacks remained lower than the historical average.

The ingenious techniques adopted by attackers appears very efficient, they hack shared Web hosting server and update its configuration so that phishing pages are displayed from a particular subdirectory of each domain hosted on the server, in this way compromising a single shared hosting server it is possible to exploit hundreds or even thousands of websites at a time for the attacks.

According the APWG Global Phishing Survey report the peak of this type of attacks has been recorded during August 2012, when APWG detected over 14,000 phishing attacks originated from 61 servers.

“So instead of hacking sites one at a time, the phisher can infect dozens, hundreds, or even thousands of web sites at a time, depending on the server. In 2H2011, we identified 58,100 phishing attacks that used this mass break-in technique, representing 47% of all phishing attacks recorded worldwide. We started 2012 with no attacks of this nature, but beginning in February, these attacks started reappearing, peaking in August 2012 with over 14,000 such phishing attacks sitting on 61 different servers. Levels did decline in late 2012, but still remained troublingly high.” APWG Global Phishing Survey report states.

In the above table are proposed interesting statistics of the phishing attacks, in H2 2012 were detected 123,486 unique phishing attacks worldwide that involved 89,748 unique domain names, registering an increase of 32% in the number of attacks respect previous quarter (H1).

APWG Global Phishing Survey report  revealed that the majority of phishing attacks continues to be concentrated in just a few namespaces taking place on compromised domain names, and so the distribution by Top Level domain (TLD ) roughly parallels TLD market share.

APWG discovered that only 5,835 domain names were maliciously registered for the 89,748 attacks in H2, remaining domains were almost all hacked or compromised on vulnerable Web hosting.

As described in my previous article on Apache backdoors the hackers exploit vulnerabilities in Web server administration panels such as cPanel or Plesk or hack popular Web applications like WordPress or Joomla.

The APWG Global Phishing Survey report highlighted the fact that cybercriminal hack shared virtual servers for various purposes like bot recruiting and malware distribution, following an excerpt from the study:

“In late 2012 into 2013, we have seen increasing use of tools targeting shared hosting environments, and particularly WordPress, cPanel, and Joomla installations. For example, beginning in late 2012 criminals hacked into server farms to perpetrate extended DDoS attacks against American banks. And in April 2013, a perpetrator launched wide-scale brute force attacks against WordPress installations at hosting providers in order to build a large botnet. Tens of thousands to hundreds of thousands of these shared servers have been cracked by such techniques. Access and use of these boxes is then metered out in the criminal underground for all sorts of activities, including DDoS, malware distribution, and of course, phishing. These attacks highlight the vulnerability of hosting providers and software, exploit weak password management, and provide plenty of reason to worry.”

Other interesting data provided in the survey are:

• The number of target institutions, including bank users, ISP and government tax bureaus,  is equal to 611 registering an increase of 26% respect H1 2012.
• Only about 1.4% of all domain names used for phishing attacks contained a brand name or variation thereof.
• On 5,835 domain registered maliciously by attackers around 2,800 (48%) were registered to phish Chinese targets. This is down from 1H2012, when two-thirds of the world’s malicious registrations targeted Chinese institutions.
• Chinese phishers use hacked domains and compromised Web servers less often than phishers elsewhere. Those phishers tended to registered widely-available gTLD domain names using registrars inside or and outside of China. The ccTLD of China, .CN, had only 16 malicious registrations during the report period.

These and many other information are available in the APWG Global Phishing Survey report  that I would strongly urge you to read.

Pierluigi Paganini

(Security Affairs – Phishing)