Most phishing attacks use compromised domains and free hosting

To stage a phishing site, cybercriminals have several options. They can use a legitimate domain that has been compromised, abuse free hosting services, or register their own domain. Understanding the prevalence of each scenario is fundamental to detecting and mitigating these threats as early as possible in the attack process (including before they are launched). PhishLabs recently analyzed over 100,000 phishing sites to determine how many used compromised domains, free hosting, or maliciously registered domains.


We analyzed 100,000 phishing sites over a three-month period, from December 2020 to February 2021. We found that:

  • 38.3% used compromised websites
  • 37.4% abused free hosting services
  • 24.3% used registered domain names maliciously

Distinguishing compromised domains from malicious domain registrations

Determining whether a phishing site is using a maliciously registered domain or a compromised domain is difficult to do at a scale sufficient to accurately represent the phishing threat landscape.
Previous research in this area is mainly based on two factors:

  1. Does the domain string itself try to impersonate a legitimate brand or a legitimate site?
  2. How long did it take between registering the domain and using it for phishing? The shorter the delay, the more likely the domain is to have been registered maliciously.

One advantage of the second factor is that it can be applied retroactively, even after the phishing site has been taken down. It can also be applied efficiently to a large dataset of phishing domains, since it only needs the registration date and the date of first observed abuse.

The downside of the second factor is that it rests on the assumption that a domain used for phishing within a defined period of its registration was registered by the threat actor. Conservative research used a time frame of a few days, while other research used several months. However, the "survival time" of vulnerable Internet infrastructure is measured in minutes, not days or months: a legitimately registered site can be compromised almost as soon as it goes live, so a short delay does not prove that the registrant was the attacker. This method inevitably leads to compromised sites being wrongly labeled as maliciously registered.

PhishLabs' research in this area forgoes the second factor and instead relies on a more in-depth analysis and review of the content of phishing sites. If there is legitimate content elsewhere on the domain, or if there is evidence that the domain has previously been used for a legitimate purpose, it is classified as a compromised domain.

We can use this method because our analysis of phishing sites is conducted in real time, as part of our Digital Risk Protection operations, before the sites are taken down. This is part of our threat mitigation process, which ultimately provides the fidelity needed to streamline and automate takedowns with hosting providers, registrars, and others. The process has been continuously refined over years of experience and millions of phishing sites.

Abuse of free hosting

Free hosting providers, dynamic DNS services, developer tools, file and code sharing sites, and other services make it easy for users to host web content without having to purchase a domain name. These services are often abused to carry out phishing attacks.

When free hosting is abused, the domain itself is not malicious. The malicious component is usually a subdomain, or some other element of the URL outside the second-level and top-level domain, rather than the registrable domain that the provider owns.

The fact that these sites live on legitimate domains means that the requirements for intelligence gathering and threat mitigation are very different from those in which attackers register their own domain names.
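The following example is added here to illustrate both points above; it is not PhishLabs' code or a description of their tooling. It implements the two heuristics from the earlier section (brand impersonation in the hostname and the registration-to-phishing delay) beside the content-based rule, and adds the structural check this section describes: if the registrable domain belongs to a free-hosting provider, only the subdomain is malicious and the domain must not be labeled as compromised or maliciously registered. The free-hosting list, the public-suffix list, the brand tokens, and the four phishing records are all constructed for the example; a real pipeline would use the Public Suffix List, a curated provider inventory, and WHOIS/RDAP creation dates.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# All lists below are constructed for the example. A production pipeline would use
# the Public Suffix List and a curated, much longer free-hosting inventory.
FREE_HOSTING_DOMAINS = {"000webhostapp.com", "weebly.com", "duckdns.org", "github.io"}
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br"}
BRAND_TOKENS = ("paypal", "microsoft", "chase")


def registrable_domain(host: str) -> str:
    """Return the registrable (second-level plus public-suffix) domain, i.e. the part a registrant owns."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass
class PhishRecord:
    host: str
    first_seen: datetime             # first observation of the phishing URL
    registered: Optional[datetime]   # domain creation date from WHOIS/RDAP, if known
    legitimate_content: bool         # reviewer found genuine, unrelated content on the domain


def delay_label(rec: PhishRecord, window: timedelta = timedelta(days=3)) -> str:
    """Factor 2 from the text: abuse within `window` of registration => malicious registration."""
    if rec.registered is None:
        return "unknown"
    return "malicious_registration" if rec.first_seen - rec.registered <= window else "compromised"


def brand_in_hostname(rec: PhishRecord) -> bool:
    """Factor 1 from the text: does the hostname string impersonate a known brand?"""
    return any(tok in rec.host.lower() for tok in BRAND_TOKENS)


def content_label(rec: PhishRecord) -> str:
    """Content-based rule: legitimate content elsewhere on the domain => compromised."""
    return "compromised" if rec.legitimate_content else "malicious_registration"


def classify(rec: PhishRecord) -> str:
    """Structural check first (free hosting lives on a provider's registrable domain),
    then the content-based rule for everything else."""
    if registrable_domain(rec.host) in FREE_HOSTING_DOMAINS:
        return "free_hosting"
    return content_label(rec)


def triage(records):
    """Return (host, delay-heuristic label, final label, brand flag) per record so the
    delay heuristic and the content-based method can be compared side by side."""
    return [(r.host, delay_label(r), classify(r), brand_in_hostname(r)) for r in records]


T0 = datetime(2021, 1, 15, 12, 0)
SAMPLE = [  # constructed records
    # Maliciously registered: brand in the name, used two hours after registration.
    PhishRecord("paypal-secure-login.com", T0, T0 - timedelta(hours=2), False),
    # Compromised, but registered only a day before abuse: the delay heuristic mislabels it.
    PhishRecord("shop.bakery-example.co.uk", T0, T0 - timedelta(days=1), True),
    # Free hosting: the registrable domain is the provider's; the delay heuristic would
    # wrongly call the provider's domain "compromised".
    PhishRecord("login-paypal.000webhostapp.com", T0, T0 - timedelta(days=4000), False),
    # Long-lived compromised site; both methods agree.
    PhishRecord("blog.oldtown-plumbing.com", T0, T0 - timedelta(days=2500), True),
]

if __name__ == "__main__":
    for host, by_delay, final, brand in triage(SAMPLE):
        print(f"{host:34} delay={by_delay:22} final={final:22} brand={brand}")
```

Running the block shows the two failure modes the text describes: the freshly registered bakery site is called a malicious registration by the delay heuristic but compromised by content review, and the free-hosting subdomain is attributed to the provider's registrable domain by the delay heuristic, whereas the structural check separates it out before any domain-level label is applied.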

Why it matters

The way a phishing site is organized dictates the intelligence gathering needed to detect it early in the attack process:

  • For maliciously registered domains, collecting and analyzing new domain registrations can provide effective detection.
  • For phishing sites that abuse free hosting, detection relies more on finding and analyzing new host names, abuse reports, and spam data.
  • For compromised domains, extensive collection and analysis of spam and abuse data is required.

Our analysis shows that every scenario is prevalent. Therefore, the collection of intelligence for the detection of phishing sites must include sourcing capable of detecting each scenario.

This information can also help assess the potential impact of more systemic initiatives to reduce phishing attacks, including those aimed at improving the efforts of free hosting providers and domain registrars to prevent abuse of their services. If successful, such initiatives could affect more than half of all phishing attacks (free hosting abuse and malicious registrations together account for 61.7% of the sites analyzed).

That said, threat actors affected by such efforts could easily switch to using compromised sites. The barriers to doing so are low, and there is a plentiful supply of easily exploitable websites that could be enlisted in phishing attacks. In the long run, this could tilt the phishing landscape sharply towards compromised sites without reducing the overall volume of phishing attacks.

*** This is a Syndicated Security Bloggers Network blog by The PhishLabs blog written by Stacy Shelley. Read the original post on: