The Cybercrime Information Center’s most current report highlights the fact that monthly phishing attacks have doubled since May 2020.
Dave Piscitello has been involved in the internet for more than four decades and has worked tirelessly toward improving overall security and operations, both as an independent consultant as well as a major figure in various organizations. His current work, which grew out of a project he began at the Internet Corporation for Assigned Names and Numbers (ICANN), is to publish quarterly reports of phishing and malware (and soon, spam) at the Cybercrime Information Center.
The most current report is on phishing, highlighting the fact that monthly attacks have doubled since May 2020. What makes Piscitello’s report especially powerful is that it includes data from four commercial information sources, which collected more than a million unique attacks and published their own blocklists.
The four providers involved in the report are the Anti-Phishing Working Group’s (APWG) eCrime eXchange (eCX) phishing feed, OpenPhish Phishing Intelligence (premium feed), Cisco’s PhishTank API, and Spamhaus Domain Block List.
For many years, Dave was Vice President of Security at ICANN until he retired in 2018. While at ICANN, he participated in global collaborative efforts by security, operations, and law enforcement communities to mitigate Domain Name System (DNS) abuse and malicious uses of domain names. His research covers a wide range of security topics, including proxy and private domain registration abuse, internet directory services, domain seizures, and DNS abuse investigative techniques.
He’s also a member of the board of directors for two leading international organizations that are helping to improve security: the Coalition Against Uncommercial Solicited Email, which began fighting against spam in 1997 and has since broadened its work to advocate internet privacy, and the Anti-Phishing Working Group, who assists law enforcement organizations in cyber investigations.
The majority of the attacks detailed in Piscitello’s latest report targeted ten brands, as is shown in the diagram below.
Image credit: Cybercrime Information Center
Given that the phishing around these popular brands continues to grow, our best advice is to be extra vigilant about reacting to messages that mention these brands.
The report found that 41% of domains reported for phishing were used within 14 days following registration and that the majority of these were reported within 48 hours. This means this group is purposefully used to support phishing attacks, and once used, they are discarded and decommissioned.
“Most people don’t understand that phishing is detected through various sensor networks, and these detect different things,” Piscitello said in an interview. “It is impossible to cover the entire globe and every phishing list has its own regional strengths. What this means is that if you are relying on one phishing list, you are only getting a partial view. If you are using two lists, you are less exposed.”
Commercial antivirus software, such as Avast One, incorporate their own blocklists based on instrumenting their own networks. But still it is useful to examine these public providers because it can show larger trends in attack patterns.
Anyone looking to protect themselves and get an early warning on phishing — which basically means any operating business — should pay careful attention to these trends and understand how phishing works. The problem, as Dave said to me, is “that no matter how small your business is, there is some phisher who has already identified you as a target, either because you are about to launch a new product or service or because you are running some website or merchant software that they can exploit. Phishing is not a problem exclusive to the Fortune 1000. Everyone is a target, and smaller businesses are especially vulnerable to social engineering attacks and because people for the most part lack sufficient security training.”
One of the interesting results from the analysis is that they didn’t find any evidence of phishers running their attacks from any IPv6 websites. “I guess they stick with the easiest and cheapest stuff, and that is IPv4,” he said. Another interesting result is that most attacks originate inside the US.
Finally, for someone who worked for a long time at ICANN, Dave is frustrated with the lack of interest from the domain registrars to combat the bulk domain creation problem. He comments, “You can routinely see patterns where someone is registering hundreds or thousands of domains in a matter of minutes. No human does that, so you have to ask yourself what is the real business purpose? There is none, and it should be stopped.”