APWG Report: Rising Subdomain-based Attacks a Filter-Evasion Ploy

December 8, 2006; 02:14 AM
The Anti-Phishing Working Group (APWG) announced today that the number of distinct spoof Web sites rose 52% in October 2006 to a record-shattering of 37,444, up from 24,565 a month earlier. The statistics reflect a substantial increase in the use of subdomain-based attacks, which primarily affect the most frequently-targeted financial services organizations. This new phishing technique aims to thwart recent advances in anti-phishing technology, including spam filters and URL-based blocking technology.

By creating several subdomains on the same domain, such as www.bank.com.543756.bankphish.com/login.php and www.bank.com.233966.bankphish.com/login.php, phishers are attempting to subvert both spam filters and the URL-based browser blocking technologies.

"We have seen literally as many as several thousand subdomains hosted on the same domain," said Dr. Laura Mather, senior scientist for MarkMonitor, which contributes data and analysis to APWG's monthly reports. "It can be difficult for current anti-phishing technologies to block hundreds or thousands of URL variations associated with each phish attack since they have to be aware of all possible variations of the URL. Some technology can block using wildcards which helps address this problem, but both the blocking technology and the companies providing the block lists need to move towards providing URLs with wildcards to mitigate this technique."

APWG Chairman David Jevans concluded, "While the overall volume of phishing emails is increasing somewhat, the number of unique domains that are being employed in those email lures is growing much more quickly. This is an attempt to evade spam filters and anti-phishing toolbars and blacklists. As ever, the phishers continue to innovate and expand their efforts to defraud consumers and businesses."

Meanwhile, APWG researchers from the group's PROJECT: Crimeware initiative report that detected crimeware variants rose substantially for the second straight month, with the number of crimeware variants rising to break records - in October hitting 237 unique variants, up 38 percent from August, 2006.

Dan Hubbard, Vice President of Security Research at Websense, and an APWG contributing researcher, said that a good deal of the increase in crimeware detected can be accounted for in greater volume of variations coming from Brazilian malicious code authors.

For more information and analysis, please download a free copy of the "Phishing Attack Trends Report" for September and October 2006 at www.antiphishing.org/reports/apwg_report_september_october_2006.pdf

About the Anti-Phishing Working Group

The Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing, email spoofing and crimeware. Membership is open to qualified financial institutions, online retailers, ISPs, the law enforcement community and solutions providers. There are more than 1,500 companies and government agencies participating in the APWG and more than 2,500 members. The APWG's web site (http://www.antiphishing.org) offers the public and industry information about phishing and email fraud, including identification and promotion of pragmatic technical solutions that provide immediate protection. APWG's corporate sponsors include: 41st Parameter, 8e6 Technologies, Able NV, ActivCard (ACTI), Adobe (ADBE), AhnLab, Aladdin Knowledge Systems (ALDN), Anakam, Anonymizer, BBN Technologies, BlueStreak, Brandimensions, Clear Search, Cloudmark, Comodo, Corillian (CORI), Cydelity, Cyveillance, DigitalEnvoy, DigitalResolve, Earthlink (ELNK), eBay/PayPal (EBAY), Entrust (ENTU), Experian, eEye Digital Security, F-Secure, GeoTrust, GoDaddy, ING Bank, Iconix, InternetIndentity, Internet Security Systems, IOvation, IS3, Kaspersky Labs, Lenos Software, LightSpeed Systems, MailFrontier, MarkMonitor, McAfee (MFE), MasterCard, MessageLevel, Microsoft (MSFT), Mirapoint, MX Logic, NameProtect, Netcraft, NetStar, PassMark, Panda Software, Phoenix Technologies, Inc. (PTEC), Quova, RSA Security (RSAS), SAIC, SecureBrain, Sigaba, SOPHOS, SquareTrade, SurfControl, Symantec (SYMC), The 41st Parameter, Trek Blue, Trend Micro (TMIC), Tricerion, TriCipher, Tumbleweed Communications (TMWD), SurfControl (SRF.L), Vasco (VDSI), VeriSign (VRSN), Visa, Websense, Inc. (WBSN), WholeSecurity and ZixCorp.

APWG, Peter Cassidy, +1 617-669-1123, [email protected], or MarkMonitor, Mary Roach, +1 415-278-8470, [email protected], or Websense, Inc., Ronnie Manning +1 858-320-9274, [email protected]