Cyber-Criminals Are Phishing From Free Domains

A survey finds phishing gangs’ abuse of free allocations has rocketed an atoll group to be a top country domain

Scammers have shifted tactics to use free domain services to launch phishing attacks, according to a research report.

A significant number of phishing attacks in the second half of 2010 originated from Tokelau’s .tk domain and Korea’s subdomain, according to the latest survey released by the Anti-Phishing Working Group on April 27. The report examined all phishing attacks from July 1 to December 31, 2010, collected by the Anti-Phishing Working Group and supplemented from multiple private sources.

By offering free domain names, Tokelau .tk has rocketed to become the third largest top-level country code  domain – after Germany’s .de and Britain’s .uk – despite it being a group of three tropical atolls forming a South Pacific territory of New Zealand with a population of 1,400 people. It seems that scammers are snapping up these free .tk domains in droves.

Four Dominant Phishing Domains

While there were phishing domains registered across 183 top-level domains, 89 percent were concentrated in just four: .com, .tk, .net and .info.

Phishing attacks occurred on 42,624 unique domain names and 2,318 unique IP addresses in the second half of 2010, the report found. To put it in context, there were 205.6 million domain names in October, according to VeriSign. Since the researchers defined an attack as a phishing site that targets a specific brand or entity, one domain name could host several discrete attacks against different banks.

Of the phishing domains, about 28 percent were registered specifically for malicious purposes, the researchers found. Nearly half of those malicious domains were registered specifically to phish Chinese targets. The remaining phishing domains were legitimate domains that have been compromised.

“Every .tk domain used for phishing was maliciously registered,” the researchers wrote.

Recent reports from major security firms, including Symantec, have noted that a significant amount of malware attacks originate from China. This is apparently not a one-way street, as attackers are also “aggressively” targeting Chinese e-commerce sites and banks as well, the APWG report found.

The APWG examined information from the Anti-Phishing Alliance of China and concluded that observers outside of China detected only 20 percent of the Chinese-target phishing attacks. “Security observers in Europe and the Americas are not receiving and/or parsing many of the Chinese-language phishing lure emails and instant messages,” the researchers wrote.

In December 2009, new rules went into effect that barred individuals from registering .cn domains and required applicants to submit a copy of the business licence during the registration process. While there were 2,826 attacks from 228 .cn domains in the second half of 2009, the number dropped to just 162 attacks on 120 domains in the same time period in 2010. However, this did not reduce the number of phishing attempts against Chinese Internet users and institutions as attackers shifted their campaigns to other top-level domains.

“The e-crime landscape is a constantly shifting battlefield, where phishers are always moving toward ripe targets and away from well-defended Internet assets,” the group wrote in its report.

Attackers targeting Chinese users were more likely to register their own domain names instead of compromising others. There were 12,282 attacks on Chinese institutions launched from 6,382 domain names and 4,737 subdomains. The report estimated that a mere seven percent of the domain names had been hacked.

Cyber-criminals are using subdomain services nearly as often as they register their own domain names, according to the report. The subdomain services make it harder for domain registrars and registry operators to take down the phishing sites, as any action against a site will impact other addresses on that domain. Korea offers free subdomain services, where applicants receive “hosting accounts” with full DNS services under an existing domain name. There are over 9.4 million subdomains on

There were at least 67,677 phishing attacks worldwide in the second half of 2010, a 40 percent increase from the 48,244 attacks found in the first half of the year. The increase was mainly due to the phishing attacks on Chinese targets. However, overall phishing attacks were dramatically less than the second half of 2009, when 126,697 phishing campaigns were found. Researchers did not observe any phishing on IPv6 addresses.

The report was presented at the Counter e-Crime Operations Summit, running April 27 to April 29, in Kuala Lumpur, Malaysia.