Chinese cybercriminals rely mostly on newly registered domains instead of hijacked sites

Apr 28, 2012 09:06 GMT

APWG released its Global Phishing Survey: Trends and Domain Name Use in 2H2011. Besides the interesting trends in the phishing sector, the paper also shows that PayPal is no longer the favorite of cybercriminals, being replaced with the Chinese e-commerce site Taobao.com.

While PayPal was still the number one target of phishers in the first half of 2011, things changed from June to December, and for the first time in years another site took the lead.

The report reveals that, unlike other cybercriminals, the ones from China don’t rely so much on compromised domains. Instead, they set up their own.

Out of the 18,508 attacks launched against Taobao customers, only 639 used hijacked websites, the rest relying on domains and subdomains registered by the fraudsters.

The numbers show that .tk was the most common top-level domain (TLD) among Chinese phishing domains (36.4%), followed by .pl, .cc, .com, and .info.

On a global scale, more than 50,000 domains were used for such attacks, out of which around 25% were registered by the cybercriminals, the rest comprising hijacked or hacked websites.

Worldwide, the largest share of the malicious domains set up to steal sensitive information used the .com TLD, with almost 40%, followed by .tk, with 9.2%, and .pl, accounting for 7.4% of the total.

When it comes to the uptimes of phishing sites, the average in the second half of 2011 was 46 hours and 3 minutes, a considerable drop compared to the 73 hours recorded in the same period of 2010.

The figures also reveal that subdomain services were utilized in such schemes, with around 4,500 attacks using the osa.pl domain provided by bee.pl. Other services include ce.ms, cx.cc, co.cc, cu.cc, bij.pl, cn.im, and altervista.org.

Shared virtual server hacking also played an important role. By taking over such servers, the phishers were able to update the webserver configuration and launch their campaign on multiple websites at a time.

The complete report is available here.