APWG Detects 46% Rise in Phishing Websites in Q1, 2018

The Anti-Phishing Working Group has released its Q1, 2018 Phishing Activity Trends Report, which shows a substantial increase in unique phishing sites detected in the first few months of 2018 compared to the final quarter of 2017.

The report explores phishing attacks and methods used between January 1 and March 31, 2018.

In Q1, 263,538 unique phishing sites were identified – a 46% increase from the 180,577 unique sites identified in Q4, 2017 and a 38% increase from the 190,942 sites detected in Q3, 2017. There were 60,887 unique phishing sites detected in January 2018, which was on a par with December 2017, followed by a substantial increase in February (88,754) and a further major increase in March (113,897).

The number of unique phishing campaigns reported by APWG customers remained broadly the same in January (89,250) and February (89,010) with a slight fall in March (84,444). 235 brands were spoofed in January, rising to 273 in February, and falling to 238 in March.

APWG member MarkMonitor tracked the industry sectors that were most heavily targeted in phishing campaigns. Its figures show online payment services topped the list in Q1, 2018, accounting for 39% of all reported phishing attacks. Attacks involving SaaS and webmail providers accounted for 18.7% of the total, followed by financial institutions (14.2%) and file hosting and cloud storage services (11.3%).

As businesses have moved over to HTTPS sites, the phishers have followed. Each quarter has seen a substantial rise in the percentage of phishing sites that use HTTPS and secure the connection between the site and the browser. APWG member PhishLabs has been tracking the use of HTTPS on phishing sites and its figures show a third (33%) of all phishing sites were on HTTPS infrastructure in Q1, 2018 compared to just 10.5% in Q1, 2017.

Many consumers still believe that a website starting with HTTPS means the site is legitimate, when that is certainly not the case. It only means that the connection between the browser and the site is secured. If the site is owned by a phisher, or if a legitimate site has been hijacked, any information entered can be captured. Many phishers are registering their own domains and are taking advantage of the free SSL certificates that are offered to make their sites look more legitimate.

RiskIQ’s figures show that the TLDs of the URLs used by phishers closely match TLD market share, with .com the TLD most widely used by phishers. .com domains accounted for 6,608 of the 13,594 unique domains used in phishing attacks in Q1, 2018. Those domains were widely distributed among different domain registrars.

Brazilian cybersecurity firm Axur provided a breakdown of internet-based attacks on individuals and companies in Brazil. The firm’s data show scam websites were the leading threat and accounted for 9,061 of the 17,065 attacks in Q1, 2018. They were followed by social media scams (4,209), mobile app scams (1,840) and phishing scams (1,816). 350 redirection URLs were detected that sent visitors to exploit kits and phishing sites and 257 URLs were being used to deliver malware.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.