Press Releases

APWG Report: Phishing Websites Proliferate at Record Speed in First Half of 2012


Cybercrime Gangs Focus on Co-opting Existing Websites to Host Phishing Attacks

LAS CROABAS, Puerto Rico--(BUSINESS WIRE)-- A new phishing survey released by the Anti-Phishing Working Group (APWG) at their conference here this week reveals that while the uptime of phishing websites dropped during the first half of 2012, cybercriminals were driving substantial increases in the numbers of phishing websites they established to steal from consumers.

Meanwhile, cybercriminals are increasingly using hacked web servers of existing, legitimate websites to host phishing websites, pointing up the need for website owners and hosting services need to be on guard.

The Global Phishing Survey: Trends and Domain Name Use in 1H2012 authors found that average uptimes of phishing attacks dropped to a record low of 23 hours and 10 minutes in 1H2012, about half of what it was in late 2011, and by far the lowest since the report series was inaugurated in January 2008.

The uptimes of phishing attacks are a vital measure of how damaging they are, and are a measure of the success of mitigation efforts. The longer a phishing attack remains active, the more money the victims and target institutions lose.

However, the study’s authors also found that there were more phishing attacks in the period – at least 93,462, up 12 percent from 2H2011.

"Phishers seem to be concentrating their efforts on compromising legitimate websites using automated attack tools, or purchasing access to them on the burgeoning underground market," said Rod Rasmussen, CTO of Internet Identity and co-author of the report. "This allows them to leverage the good reputation of a website's domain name, making it harder to block in either spam filters or via suspension, and makes takedown of that domain impractical."

The report highlights a major increase in the use of tactic that allows a criminal phisher to create hundreds of phish at once.

“Some of the increased phishing activity is due to an especially virulent method that some phishers have been using more often,” said Greg Aaron of Afilias, the study’s other co-author. "Instead of hacking websites one at a time, phishers are breaking into shared hosting -- web servers that host large numbers of domains. This way, a phisher can infect dozens, hundreds, or even thousands of websites at one time."

The other major findings of this report include:

  • Phishers registered more subdomains than regular domain names. The number of domain names registered by phishers dropped by almost half since early 2011.
  • The number of targeted institutions has dropped; phishers continue to target larger or more popular targets.
  • Only about 2 percent of all domain names that were used for phishing contained a brand name or variation thereof.
  • Phishers attacking Chinese institutions are an exception – they prefer to register domain names rather than hacking into servers. Phishers attacking Chinese institutions were responsible for two-thirds of all malicious domain name registrations made in the world. These phishers use both Chinese and non-Chinese domain registrars.
  • Domain name owners in South America had their web servers compromised by phishers in growing numbers.

The report is available at:

About the APWG

The APWG, founded in 2003 as the Anti-Phishing Working Group, is the global industry, law enforcement, and government coalition focused on unifying the global response to electronic crime. Membership is open to qualified financial institutions, online retailers, ISPs and Telcos, the law enforcement community, solutions providers, multi-lateral treaty organizations, research centers, trade associations and government agencies. There are more than 2,000 companies, government agencies and NGOs participating in the APWG worldwide. The APWG's and websites offer the public, industry and government agencies practical information about phishing and electronically mediated fraud as well as pointers to pragmatic technical solutions that provide immediate protection. The APWG is co-founder and co-manager of the Stop. Think. Connect. Messaging Convention, the global online safety public awareness collaborative and founder/curator of the eCrime Researchers Summit, the world’s only peer-reviewed conference dedicated specifically to electronic crime studies

Among APWG's corporate sponsors are as follows: Afilias Ltd., AhnLab, AT&T(T), Avast!, AVG Technologies, BBN Technologies, Barracuda Networks, BillMeLater, Bkav, Booz Allen Hamilton, Blue Coat, BrandMail, BrandProtect, Bsecure Technologies, Check Point Software Technologies, Comcast, CSIRTBANELCO, Cyber Defender, Cyveillance, Domain Tools,, Easy Solutions, eBay/PayPal (EBAY), eCert, EC Cert, ESET, EST Soft, Facebook, Fortinet, FraudWatch International, F-Secure, GlobalSign, GoDaddy, Google, GroupIB, Hauri, Hitachi Systems, Ltd., Huawei Symantec, ICANN, Iconix, IID, IronPort, ING Bank, Intuit, IT Matrix, Kindsight, LaCaixa, Lenos Software, MailShell, MarkMonitor, M86Security, McAfee (MFE), Melbourne IT, MessageLevel, Microsoft (MSFT), MicroWorld, Mirapoint, MyPW, nProtect Online Security, Netcraft, Network Solutions, NeuStar, Nominet, Nominum, Public Interest Registry, Panda Software, Phishlabs,, Phorm,, Prevx, Proofpoint, QinetiQ, Return Path, RSA Security (EMC), RuleSpace, SAIC (From Science to Solutions), SalesForce, SecureBrain, S21sec, SIDN, SoftForum, SoftLayer, SoftSecurity, SOPHOS, SunTrust, SurfControl, Symantec (SYMC), Tagged, TDS Telecom, Telefonica (TEF), TransCreditBank, Trend Micro (TMIC), Vasco (VDSI), VeriSign (VRSN), Websense Inc. (WBSN), Wombat Security Technologies, Yahoo! (YHOO), zvelo and ZYNGA.

Peter Cassidy, +1-617-669-1123
Greg Aaron
Internet Identity
Andrew Goss, +1-253-444-5446

Source: APWG