www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
18 January 2010  

Security Bytes

Russian freemail provider hosts maximum domains used for hosting phishing, APWG report

In an industry advisory, the Anti-Phishing War Group (APWG) has summarized its findings on trends in phishing attacks in the first half of 2009.

Overall, there were 288 different providers of subdomain registrations that had phishing subdomains on their services in H1 2009. The Russian freemail provider Pochta.ru continued to lead the industry with at least 17 domains that were used to host phishing in H1 2009, and those domains were used to mount at least 822 phishing attacks. The good news is that this provider continues to quickly mitigate phishing sites when they are reported.

For the second survey period in a row, second place belongs to the French hosting provider Wistee.fr, with four domains that hosted 475 phishing attacks during the first half of 2008.

Because of the impact that subdomain resellers and specific virtual hosting providers can have on an individual TLD's score, the report has taken a deeper look at a few TLDs (top-level domains) that saw a prevalence of alternative phishing attack activities in this period. This includes phishing via subdomain resellers and via virtual private hosting companies that provide personal Web hosting accounts, which phishers fraudulently purchase - typically in great numbers.

This subcategory of attacks does seem to have a consistent impact over time and can affect a specific TLD's score. The impact can be either positive or negative, though, depending on the responsiveness of the individual providers involved, and a single provider can have a major impact upon an entire TLD. For comparison, .COM was examined, as there are many such providers in that dominant TLD. The impact on .COM was significantly negative, with average uptimes nearly 7 hours longer when those attacks were included in .COM's overall average. However, in .FR and .RU, the providers were actually significantly faster than their counterparts at removing phishing sites. So while they contributed large numbers of phishing sites to their respective TLDs, they improved the uptime scores for those TLDs, the report said.

Breaking out the individual attack types by TLD shows the opposing impacts the various providers can have on a TLD's score. Some hosting companies are very quick to mitigate attacks, while others take many days in some cases. Subdomain resellers tend to do a better job, but can still affect the average uptime for a TLD.

Overall, in order for a TLD registry operator to understand how its overall score is affected by these specialized operators, it is important for the registry to know about these services within their TLD. Working with them when there is a persistent problem can sometimes quickly improve the situation.
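The "average uptime with and without the specialized operators" comparison described above can be reproduced on a per-TLD basis from a list of attack records. The following is an added illustration, not code from the APWG report or from Express Computer; the attack records, provider names and uptime values are constructed for the example and are not the report's data. It groups attacks by TLD, computes the average uptime with all attacks included and again with subdomain-reseller and virtual-hosting attacks excluded, and reports the difference so that a registry operator can see whether such providers are pulling its score up or down.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Provider types the report singles out as "specialized operators".
SPECIALIZED = {"subdomain_reseller", "virtual_hosting"}


@dataclass(frozen=True)
class PhishAttack:
    tld: str            # top-level domain, e.g. "com"
    provider: str       # hosting provider / subdomain reseller (hypothetical names)
    provider_type: str  # "subdomain_reseller", "virtual_hosting" or "other"
    uptime_hours: float  # hours from first report until the phishing site was taken down


# Constructed sample records (not real APWG measurements).
SAMPLE_ATTACKS = [
    # .COM: virtual-hosting accounts are slow to be taken down, dragging the average up
    PhishAttack("com", "host-a.example", "other", 10),
    PhishAttack("com", "host-b.example", "other", 12),
    PhishAttack("com", "vps-c.example", "virtual_hosting", 30),
    PhishAttack("com", "vps-d.example", "virtual_hosting", 20),
    # .FR: the subdomain reseller mitigates far faster than ordinary hosts
    PhishAttack("fr", "host-e.example", "other", 40),
    PhishAttack("fr", "host-f.example", "other", 20),
    PhishAttack("fr", "reseller-g.example", "subdomain_reseller", 6),
    PhishAttack("fr", "reseller-g.example", "subdomain_reseller", 4),
    # .RU: many reseller attacks, all short-lived
    PhishAttack("ru", "host-h.example", "other", 24),
    PhishAttack("ru", "reseller-i.example", "subdomain_reseller", 3),
    PhishAttack("ru", "reseller-i.example", "subdomain_reseller", 3),
    PhishAttack("ru", "reseller-i.example", "subdomain_reseller", 2),
]


def tld_uptime_report(attacks):
    """Per-TLD average uptime with and without specialized operators.

    Returns {tld: {...}} where impact_hours is positive when the
    specialized providers make the TLD's average uptime worse and
    negative when they improve it."""
    by_tld = defaultdict(list)
    for a in attacks:
        by_tld[a.tld].append(a)

    report = {}
    for tld, rows in by_tld.items():
        baseline = [r.uptime_hours for r in rows if r.provider_type not in SPECIALIZED]
        specialized = [r.uptime_hours for r in rows if r.provider_type in SPECIALIZED]
        avg_all = mean(r.uptime_hours for r in rows)
        avg_baseline = mean(baseline) if baseline else None
        report[tld] = {
            "attacks": len(rows),
            "avg_uptime_all": avg_all,
            "avg_uptime_excluding_specialized": avg_baseline,
            "avg_uptime_specialized": mean(specialized) if specialized else None,
            "impact_hours": (avg_all - avg_baseline) if avg_baseline is not None else None,
        }
    return report


def provider_uptimes(attacks):
    """(tld, provider) -> (attack count, average uptime), so a registry can
    spot the single provider that dominates its score."""
    per_provider = defaultdict(list)
    for a in attacks:
        per_provider[(a.tld, a.provider)].append(a.uptime_hours)
    return {key: (len(v), mean(v)) for key, v in per_provider.items()}


if __name__ == "__main__":
    for tld, row in sorted(tld_uptime_report(SAMPLE_ATTACKS).items()):
        print(f".{tld.upper()}: {row['attacks']} attacks, avg uptime {row['avg_uptime_all']:.1f}h "
              f"(excluding specialized: {row['avg_uptime_excluding_specialized']:.1f}h, "
              f"impact {row['impact_hours']:+.1f}h)")
    for (tld, provider), (count, avg) in sorted(provider_uptimes(SAMPLE_ATTACKS).items()):
        print(f"  .{tld} {provider}: {count} attacks, avg {avg:.1f}h")
```

With the constructed sample, .COM's average rises by 7 hours once the virtual-hosting attacks are included, while .FR and .RU come out lower than their ordinary hosts alone would score, which is the mixed effect the report describes.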

The report concluded that the size of the battlefield - at least as measured by domain names and number of attacks - has remained nearly constant. On average, the attacks are not lasting as long as previously, indicating improving success by responders, domain registrars and registries, ISPs, and Web hosting providers. Phishers are still obtaining take-down-resistant resources at subdomain resellers and by hacking domains, but they are also being denied resources by some major domain name registry operators and vigilant registrars.

And the continued good efforts of spam filtering providers, browser manufacturers, and antivirus software vendors are undoubtedly aiding Internet users.

High scoring TLDs almost invariably suffered from systematic exploitation by phishers. Some of the cases are:

(i) .EU and .BE: The "Avalanche" phishing gang registered large numbers of .EU and .BE domains, and this is reflected in those TLDs' elevated Attack Scores. Avalanche began attacks in December 2008 and ramped up significantly in early 2009, quickly becoming the most prolific and dangerous phishing operation on the Internet.

(ii) .TH (Thailand): Phishing here takes place entirely on compromised Web sites in the AC.TH (academic) zone and the GO.TH (government) zone, and has been occurring regularly for two years.

(iii) .SU (Soviet Union) and .RU (Russia). .SU and .RU remain high in the rankings due to phishing at subdomain resellers.


FEEDBACK: We would love to hear from you -- what you like about our content, what you don't, and even how you think we can improve. Please send your feedback to: prashant.rao@expressindia.com


© Copyright 2001: The Indian Express Limited. All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of The Indian Express Limited. Site managed by BPD.