The Anti-Phishing Working Group (APWG) has released its latest Phishing Activity Trends Report, which shows that the number of fraudulent websites designed to steal people’s sensitive data fell as 2018 went on. The drop – from some 263,000 such sites flagged by the consortium in the first quarter of last year to around 138,000 in the last quarter – may be thanks to anti-phishing efforts and/or it may be “the result of criminals shifting to more specialized and lucrative forms of e-crime than mass-market phishing”, reads the report.
Having said that, APWG also notes a rise in concerns that the lower numbers may just as well be partly due to under-detection. This may be caused by criminals’ use of techniques that are intended to shield phishing URLs from discovery, which may involve utilizing multiple redirections that take victims through multiple URLs before they land on the phishing destination. Indeed, the increasing trend towards such redirections is also noted in the report.
And just as the number of phishing sites fell, so did the number of fraudulent sites with legitimate SSL certificates that enable HTTPS connections – for the first time ever. That said, roughly every second phishing site has the green padlock that may lure some people into complacency by adding some sense of legitimacy to the site. In addition, APWG said that the number of ‘conventional’ email campaigns that aim to lure people to bogus sites also dropped towards the end of the year – from 264,000 to just under 240,000.
Meanwhile, APWG has also found that phishing attacks are increasingly targeting users of software-as-a-service (SaaS) systems and webmail services. Attacks against them rose from just over 20 percent of all such incidents in the third quarter to almost 30 percent between October-December.
By contrast, and in a continuation of a trend from the previous months, attacks targeting the users of cloud storage and file-hosting sites dropped sharply – from over 11 percent of all attacks in the first quarter of 2018 to 4 percent in the last quarter.
Nevertheless, payment processing sites continue to lead the way, with phishers using their names in a third of attacks. Meanwhile, a review of a sample set of over 6,700 phishing URLs showed that many of the widely used top-level domains (TLDs) – such as .com, .net and .org – were also often used in phishing attacks. Among other things, the sense of familiarity may cause intended victims to drop their guards.
However, the list of the 10 most prevalent TLDs used in phishing attacks includes several TLDs that are far less familiar for typical internet users – country code domains associated with Palau (.pw), the Central African Republic (.cf), Mali (.ml), and Gabon (.ga). Oftentimes, the allure of domain name registrations under these TLDs lies in their easy and free availability, hence no need for attackers to hijack legitimate sites or to buy new domains.