Chinese cyber-criminals are driving an uptick in malicious domain registration and account for the vast majority of the world’s phishing attacks, according to new stats from an industry body.
Chinese phishers were responsible for a massive 85% of domains registered for the sole purpose of lifting user credentials and PII, and are the main cause of “historically high levels” of malicious domain and subdomain registrations, according to the Global Phishing Survey: Trends and Domain Name Use report from The Anti Phishing Working Group.
The report, which covers the first half of the year, claimed that of 22,679 malicious domain registrations, 19,356 were registered to “phish Chinese targets,” that is “services and sites in China that serve a primarily Chinese customer base.”
It adds:
“Chinese phishers tend to register domain names for their phishing, and use Chinese registrars regularly. Domains registered at the Chinese registrars were often used to phish Chinese targets such as Alibaba, Taobao.com, and CCTV, but were also used to occasionally phish outside targets such as Facebook and PayPal. Chinese phishers also registered at registrars outside the country, in order to attack targets within China, but the majority took place at registrars within China.”
The reason APWG reckons they are aimed at a Chinese “customer base” is that the lures are written in “Chinese” – presumably Mandarin – and delivered by email, by SMS to Chinese phone numbers, and via IM clients popular in the PRC such as Tencent QQ.
Elsewhere, APWG claimed that Apple has now become the world’s “most phished brand” and that the introduction of new gTLDs, despite hysterical media coverage, has not led to a noticeable increase in phishing.
However, this will change, the group warned:
“As autumn 2014 begins, the new gTLD market is becoming more crowded and competitive, and some registries have begun to compete aggressively on price. As prices drop and the new gTLDs gain more adoption, we are seeing an increase in phishing on new gTLD domains, due to both malicious registrations and compromised domains on hacked servers. Anecdotal discussions in the security community also indicate that malware authors and other miscreants are experimenting with registering domains in some of the new gTLD domains for various malicious activities.”