The number of confirmed phishing sites declined as 2018 proceeded according to the latest Phishing Activity Trends Report, 4th Quarter 2018, from the Anti-Phishing Working Group. However this is balanced by the detection of phishing sites becoming harder because phishers are obfuscating phishing URLs with multiple redirections and phishing targeting SaaS and webmail services doubling in the quarter. The report also finds that legacy gTLDs are over-represented when it comes to phishing while new gTLDs and ccTLDs were under-represented.
The total number of phishing sites detected by APWG in the fourth quarter was 138,328. That was down from 151,014 in the third quarter, 233,040 in the second, and 263,538 in the first. The number of phishing sites dropped notably in November before returning to previous levels.
The report found that phishing targeting software as a service (SaaS) and Webmail services’ brands jumped from 20.1% of all attacks in the third quarter to almost 30% in the fourth. However attacks against cloud storage and file hosting sites continued to drop, decreasing from 11.3% of all attacks in the first quarter to 4% in the fourth.
For the report, RiskIQ analysed 6,718 confirmed phishing URLs reported to APWG in the fourth quarter and found that they were hosted on 4,485 unique second-level domains (and 100 were hosted on unique IP addresses, without domains). The report divided top-level domains (TLDs) into 3 categories for purposes of their report:
Apart from .com, the only TLDs with more than 100 unique domains used for phishing were .pw (Palau) with 374 domains, .net (175), .org (154) and .uk (121). There were a number of ccTLDs with low registration figures, often repurposed and given away for free, that figure highly on the list apart from .pw. These include .cf (Central African Republic) with 84, .ml (Mali, 78) and .ga (Gabon, 68). Another is .tk (Tokelau), the second largest ccTLD with 21.5 million registrations whose domains are given away for free and which has 40 unique domains used for phishing. European ccTLDs to appear in the top 20 list apart from .uk were .ru (Russian Federation) with 44, .it (Italy) with 37 and .pl (Poland) with 28.
Some new gTLDs also ranked high for phishing activity.
“.XYZ represented 8% of the registered new gTLD domain names in the world as of the beginning of the quarter, but 16.67% of the reported phishing new gTLDs in the quarter,” said Jonathan Matkowsky of RiskIQ. “.LOAN was a larger piece of the total new gTLD market than .XYZ as of the beginning of the quarter, but there was only one reported .LOAN domain used for phishing in our sample set. .TOP represented 14.4% of the total new gTLD market at the beginning of the quarter, but only 4.5% of the reporting phishing domains this quarter—half as many as in Q3.”
The report also found the default protocol HTTPs was used by 48.4% of all the websites in December 2018. Many phishing attacks are on hacked web sites, so it is not surprising that about the same percentage of phishing sites use the HTTPS encryption protocol.
The latest Phishing Activity Trends Report for the 4th Quarter of 2018 from the Anti Phishing Working Group is available for download.