Phishing Gangs Finding New Ways to Exploit Domain Name Registrations to Avoid Detection and Frustrate Takedowns

Share Article

Brand-holders' names often deployed not in domain names - but in subdomains and subdirectories to deceive consumers.

News Image
Global Phishing Survey: Domain Name Use and Trends in 2007

APWG researchers at the second annual Counter eCrime Operations Summit (CeCOS II) revealed how the Internet's domain name system is being manipulated to dupe consumers into falling victim to phishing attacks, and to complicate the task of taking down phishing sites. The researchers also found that at least one in five domain names used in phishing attacks in 2007 was registered specifically for criminal enterprise.

Surveying more than 51,989 unique domain names and 11,553 IP addresses from a 2007 data archive of phishing-related URLs, Greg Aaron of Afilias and Rod Rasmussen of Internet Identity found at least 10,773 maliciously registered domains, which were created specifically to host counterfeit websites designed to deceive consumers into revealing their personal financial information. Of that sample, 10,515 had their phishes hidden on subdomains or in subdirectories - and few of the domain names themselves contained brand names.

"If the Internet community understands what the phishers have been doing, and why, we can create improved anti-phishing measures," said Greg Aaron, Director of Domain Security at Afilias and visiting research fellow at the APWG. "That will make things safer for Internet users, and harder for the criminals."

As part of their research, the pair created a new index for measuring the relative incidence of phishing in the various top-level domains (TLDs) throughout the world. This index revealed that several country-level domain systems were exploited systematically by phishers over the course of the year. Actions taken by some domain registries to improve their response to phishing had a measurable positive impact on the problem and hence the reputation of their domain name space.

"Domain name registrations made by phishers are a big part of the current problem," said Rod Rasmussen, President of Internet Identity and an APWG industry liaison. "Domain name registries and registrars are in an excellent position to curb that activity, and contribute to overall Internet safety."

Rasmussen and Aaron found several other ways that electronic crime gangs are using domain name registrations and domain name syntax to fool consumers and to make phishing harder to detect. They found a substantial number of phishing sites placed on subdomain registration services, which offer hosting and DNS redirection services under a second-level domain, e.g. "customer_term.service_provider_sld.TLD."

The researchers found some 11,443 subdomain sites/accounts used for phishing, under 448 such domains. The authors concluded, "If we had counted these unique subdomains as "regular" domain names, then these types of domains would represent at least 18% of all domains involved in phishing - a significant percentage." Of the sample, many were created using free subdomain services. Such services are largely automated and operate with limited staffing, and are therefore difficult to reach when a phishing site needs to be removed from the Internet.

Rasmussen and Aaron's survey was completed as project of the APWG's Internet Policy Committee, a volunteer corps of APWG members dedicated to developing original research and analysis to inform industrial and public policy regarding electronic crime. Their report, "Global Phishing Survey: Domain Name Use and Trends in 2007," is available online at:

Part of Rasmussen and Aaron's presentation at CeCOS II was broadcast during the NHK network's evening news in Japan on Monday, May 26. Video of that broadcast news segment is available here:

Media Contacts:
APWG Secretary General Peter Cassidy - TEL: +1 617 669 1123 Email:
APWG CeCOS II Coordinator Kana Shinoda - TEL: +81 70 6643 0539 Email:

About the APWG: The APWG, founded in 2003 as the Anti-Phishing Working Group, is an industry, law enforcement, and government coalition focused on eliminating the identity theft and fraud that result from the growing problem of phishing, email spoofing, and crimeware. Membership is open to qualified financial institutions, online retailers, ISPs, the law enforcement community and solutions providers. There are more than 1,800 companies and government agencies participating in the APWG and more than 3,000 members. The APWG's Web site ( offers the public and industry information about phishing and email fraud, including identification and promotion of pragmatic technical solutions that provide immediate protection.

APWG's corporate sponsors include: 8e6 Technologies, AT&T (T), Able NV, ActivCard (ACTI), Adobe (ADBE), Afilias Ltd., AhnLab, Anakam, BBN Technologies, BlueStreak, BrandMail, BrandProtect, Bsecure Technologies, Cisco (CSCO), Clear Search, Cloudmark, Comodo, Corillian (CORI), Cydelity, Cyveillance, DigiCert, DigitalEnvoy, DigitalResolve, Digital River, Earthlink (ELNK), eBay/PayPal (EBAY), Entrust (ENTU), Experian, eEye Fortinet, FrontPorch, F-Secure, Grisoft, GeoTrust, GlobalSign, GoDaddy, Goodmail Systems, GuardID Systems, IronPort, HitachiJoHo, ING Bank, Iconix, Internet Identity, Internet Security Systems, IOvation, IS3, IT Matrix, Kaspersky Labs, Lenos Software, LightSpeed Systems, MailFrontier, MailShell, MarkMonitor, McAfee (MFE), MasterCard, MessageLevel, Microsoft (MSFT), Mirapoint, MySpace (NWS), MyPW, MX Logic, NameProtect, National Australia Bank (ASX: NAB) Netcraft, NetStar, Panda Software, Phoenix Technologies Inc. (PTEC), Quova, RSA SalesForce, Security (RSAS), SAIC, SecureBrain, Secure Computing (SCUR), S21sec, Sigaba, SoftForum, SOPHOS, SquareTrade, SurfControl, Symantec (SYMC), TDS Telecom, Telefonica (TEF), Trend Micro (TMIC), Tricerion, TriCipher, Tumbleweed Communications (TMWD), SurfControl (SRF.L), Vasco (VDSI), VeriSign (VRSN), Visa, Websense Inc. (WBSN), WholeSecurity, and Yahoo! (YHOO)


Share article on social media or email:

View article via:

Pdf Print

Contact Author

Visit website