Phishing Trends: November 2023 - January 2024

Phishing ended 2023 with a bang

For the 3-month period ending January 31, 2024, we processed a staggering 1M reports from our phishing feeds (a 19% increase over the prior quarter). These resources abetted over 500,000 phishing attacks (a 37% increase over the prior quarter). Phishers changed tactics… again. We observed an 85% increase in domain names used in phishing attacks, and a 24% decrease in the use of subdomain service provider accounts to host phishing web pages.

See the measurements at Key Statistics, TLD, Registrar, and Hosting Networks for a fuller picture.

85% increase in unique domains reported for phishing

The most disturbing trend as we entered 2024?
77% of unique domains reported for phishing were registered for phishing, by phishers (maliciously registered).

Spotlight: Impersonation phishing using exact match hostnames

Phishers have long embedded exact matches of brands in domain names that they register for phishing. Company, service, or product names in domains continue to deceive less technically savvy members of society. Phishers are increasingly using exact match strings to compose hostnames at free web sites for phishing.

For the period, impersonation attacks against two brands stood out: United States Postal Service (USPS) and Facebook. Looking closely at these two brands, we are able to illustrate how phishers employ these different naming methods.

United States Postal Service (USPS)

We identified 5,405 phishing attacks that impersonated USPS by using hostnames that contained the string “usps”. These attacks used 3,647 registered domain names. Few subdomains were delegated from the registered domain name.

The top 5 TLDs where these 3,647 domains were registered were .com (1,604), .top (1,068), .org (177), .shop (160), and .xyz (106). Three domain registrars had over 400 of these domains under management: ALIBABA.COM SINGAPORE E-COMMERCE (1,114), NameSilo (600), and Gname.com (416).

Facebook

We identified over 44,750 phishing attacks impersonating Facebook. Among these, 1,921 attacks used hostnames that contained the exact string “facebook”. However, unlike USPS, where thousands of registered domain names were used, these attacks were launched from only 272 unique domain names. Here, 1,386 phishing attacks were launched from hostnames created at subdomain service providers (web hosting services), where phishers create accounts for free, using an email address and password. The majority of these 1,386 attacks were hosted at blogspot domains. The blogspot label is delegated in the .com TLD as well as many ccTLDs (e.g., blogspot.it, blogspot.se, blogspot.be, blogspot.com.br, etc.). We determined that 1,179 of the 1,386 attacks (80%) were launched from blogspot domains in 67 Top-level Domains. These were mostly in .com and a long list of ccTLDs.

Misuse of subdomain services is not new. Interisle’s Dave Piscitello and Rod Rasmussen exposed this threat in an APWG Industry Advisory in 2008; see Making Waves in the Phisher’s Safest Harbor: Exposing the Dark Side of Subdomain Registries.

In these cases, early intervention applies to user account creation rather than domain registration. To protect the less technically savvy members of society from deceptive attacks, free web site operators could also filter for suspected criminal use or misuse at time of account creation.

Tackle the problem at registration or account creation time!

USPS impersonation is especially toxic during holiday periods, and November-January in any year is one such period. But the USPS brand is a strong candidate for early intervention. USPS is one of the simplest strings to filter for suspected criminal use or misuse at the time of registration. There’s only one English word, cusps, that would be a false positive.

While some might argue that adjacent words can also include the string, e.g., cannibuspsychotic, we believe that the prevention of phishing attacks would benefit Internet users more than the inconvenience to the small population whose domain name might include USPS.

Interisle strongly encourages domain registrars, domain registries and subdomain registries to tackle impersonation at time of creation.

Delayed Delegation in Practice Today

Suspect registrations could be delayed while the registrar investigates the registrant to check whether the registration is legitimate. Interisle notes that the .EU registry currently screens registered domains based on lexical features and similarity to known brands. If the string is suspiciously composed, the requested domain name is delayed from delegation by the registry until it can be further investigated.

.EU’s policy is effective. ICANN gTLDs and ccTLDs alike should adopt such a policy as a recommended practice. So should subdomain registries.
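The exact-match filter and the delayed delegation described above can be sketched as a single screening step run at registration or account creation time. This is an added example, not Interisle's or any registry's code: the function names, the watch list, the owner exemption and the sample requests are assumptions constructed for illustration.

```python
from collections import Counter

BRANDS = ("usps", "facebook")               # strings discussed in the report
BENIGN_WORDS = {"usps": ("cusps",)}         # "cusps": the one English false positive
OWNER_NAMES = {"usps.com", "facebook.com"}  # assumption: brand owners' own names pass

def screen(label, zone):
    """Return (action, brand) for a label requested under an operator's zone.

    label: what the applicant typed (registrar: the second-level label;
           subdomain service: the account hostname label).
    zone:  the parent the operator controls, e.g. "top" or "blogspot.com".
    """
    label = label.strip().rstrip(".").lower()
    if f"{label}.{zone.lower()}" in OWNER_NAMES:
        return ("delegate", None)
    for brand in BRANDS:
        masked = label
        for word in BENIGN_WORDS.get(brand, ()):
            # Mask the dictionary word so it cannot trigger the match,
            # while a separate occurrence of the brand string still does.
            masked = masked.replace(word, "*" * len(word))
        if brand in masked:
            return ("hold", brand)  # delay delegation pending review
    return ("delegate", None)

def screen_batch(requests):
    """Screen (label, zone) pairs; return the decisions and holds per brand."""
    decisions = [(lab, zone) + screen(lab, zone) for lab, zone in requests]
    holds = Counter(d[3] for d in decisions if d[2] == "hold")
    return decisions, holds

# Constructed sample requests, not taken from the report's data.
SAMPLE = [
    ("usps-redelivery", "top"),
    ("cusps", "com"),
    ("cusps-usps-track", "shop"),
    ("cannibuspsychotic", "com"),
    ("facebook-login-help", "blogspot.com"),
    ("usps", "com"),
    ("gardenclub", "org"),
]

if __name__ == "__main__":
    decisions, holds = screen_batch(SAMPLE)
    for label, zone, action, brand in decisions:
        print(f"{label}.{zone:<14} {action:<9} {brand or ''}")
    print(dict(holds))
```

A "hold" here only delays delegation for review, so a legitimate applicant such as the adjacent-word case is inconvenienced rather than refused, and the per-brand hold count gives the operator the volume signal the report mentions.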

Final Comments

The case for mitigating Facebook impersonation goes beyond infringement of Meta’s brand. Government agencies (DISA), Fortune 100 companies (Cisco), financials (Wells Fargo), millions of individuals, clubs, and diversity groups can be more easily impersonated in a phishing attack where the exact string of the organization, product, or service appears in a URL.

These are but two examples where society at large would benefit if web hosting services, registrars and registries were to filter exact matches and delay a registration process while they investigate the registrant to check whether the registration is legitimate. The argument is even stronger when the registry or registrar observes tens, hundreds or even thousands of exact matches of brands.

These examples also make a strong case for a uniform and obligatory validation of domain registration contact data by all domain registrars and registry operators.