Most Phishing Attacks Use Compromised Domains and Free Hosting
To stage a phishing site, cybercriminals have several options. They can use a legitimate domain that has been compromised, they can abuse free hosting services, or they can register their own domain. Understanding the prevalence of each scenario is fundamental to detecting and mitigating these threats as early in the attack process as possible (including before they’ve been launched). PhishLabs recently analyzed more than 100,000 phishing sites to establish how many used compromised domains, free hosting, or maliciously-registered domains.
We analyzed 100,000 phishing sites over a three month period from December 2020 to February 2021. We found that:
38.3% used compromised websites
37.4% abused free hosting services
24.3% used maliciously-registered domain names
Discerning Compromised vs Malicious Domain Registration
Determining whether a phishing site uses a malicious domain or a compromised domain can be difficult to accomplish at a scale sufficient to accurately represent the phishing threat landscape. Prior research in this area has relied primarily on two factors:
Does the content of the domain string attempt to impersonate a legitimate brand or otherwise pose as a legitimate site?
How much time has taken place between domain registration and the use of the domain for phishing? The shorter the time frame, the more likely the phishing site was maliciously registered.
A benefit of using the second factor is that it can be used retroactively, even if the phishing site has been taken down. Also, it can be efficiently applied to a large dataset of phishing domains.
The drawback of the second factor is that it relies on the assumption that a site was registered by the threat actor if it was used for phishing within a defined period of time. Conservative research has used a timeframe of a few days while others have used several months. The “survival time” of vulnerable infrastructure on the internet is measured in minutes though, not days or months. This method inevitably leads to phishing sites being inaccurately labeled as maliciously registered.
PhishLabs’ research in this area foregoes this second factor and instead relies on more thorough analysis and review of phishing site content. If there is legitimate content elsewhere on the domain or if there is evidence that it was once used for legitimate purposes, it is designated as a compromised domain.
We are able to use this method because our analysis of phishing sites is conducted in real-time as part of our Digital Risk Protection operations prior to the sites being taken down. It is part of our process to curate threats, which ultimately provides fidelity necessary to streamline and automate takedowns with hosting providers, registrars, and others. This process has been continuously refined over years of experience and millions of phishing sites.
Free Hosting Abuse
Free hosting providers, dynamic DNS services, developer tools, file and code sharing sites, and other services allow users to easily host web content without needing to purchase a domain name. These services are often abused to carry out phishing attacks.
With free hosting abuse, the entire domain is not malicious. It is typically a subdomain or other component of the string outside of the second and top level domain that is malicious.
The fact that these sites live on legitimate domains means the intelligence collection and threat mitigation requirements are quite different than those in which attackers register their own domain names.
Why This Matters
How a phishing site is staged dictates the intelligence collection required to detect it early in the attack process:
For maliciously-registered domains, collection and analysis of new domain registrations can provide effective detection.
For phishing sites that abuse free hosting, detection is more reliant on sourcing and analyzing new hostnames, abuse reports, and spam data.
For compromised domains, extensive collection and analysis of spam and abuse data is necessary.
Our analysis demonstrates that each scenario is prevalent. Therefore, intelligence collection for phishing site detection must include sourcing capable of detecting each scenario.
This information can also help assess the potential impact of more systemic initiatives to reduce phishing attacks, including those aimed at improving the efforts of free hosting providers and domain registrars to keep their services from being abused. If successful, such initiatives could impact more than half of all phishing attacks.
That said, threat actors affected by such efforts could easily switch to using compromised sites. The barriers to doing so are low and there is ample supply of readily-exploitable websites that could be enlisted in phishing attacks. In the long-term, it could lead to the phishing landscape being heavily-tilted towards compromised sites without reducing the overall volume of phishing attacks.