09/25/2024 | Press release | Distributed by Public on 09/24/2024 17:23
Thomas Daniels, Maarten Bosteels, Sebastian Castro, Moritz Müller, Thymen Wabeke, Thijs van den Hout, Maciej Korczyński, and Georgios Smaragdakis contributed to this work.
Phishing attacks, which trick users into sharing private data, have been a major security threat for years. According to a 2023 FBI report, it is the top digital crime type. In Europe, ENISA states in its 2023 report that "phishing is once again the most common vector for initial access".
In a recent peer-reviewed paper, researchers from DNS Belgium, SIDN Labs, .IE Registry, University of Grenoble Alps, Delft University of Technology, and I carried out a longitudinal study characterizing phishing attacks observed at three European ccTLDs - the Netherlands' .nl (managed by SIDN), Ireland's .ie (managed by the .IE Registry), and Belgium's .be (managed by DNS Belgium).
While the ancient Romans loved to mix various fish to create the infamous fish sauce called Garum, we instead combined more than 28,000 phishing domain names with the goal of improving the registries' detection and mitigation policies - the largest study to date. Let's dive into our findings.
ccTLDs compared
The ccTLDs we evaluate in this study have different characteristics, as shown in Table 1.
The differences shown in Table 1 are taken into account during our analysis.
Phishing datasets
Table 2 presents the phishing datasets we evaluated for each ccTLD. The phishing URLs were obtained from Netcraft, a commercial phishing blocklist provider used by all three registries. Each registry has access only to domain names in its own ccTLD, including the historical data for those names. Other phishing blocklists exist, and we evaluated a second one in the paper; we chose Netcraft as the primary source for its coverage and low false positive rate.
Do ccTLDs matter when choosing who to impersonate?
ccTLDs are closely tied to their economies, with governments, individuals, and businesses frequently using them for their domain names. In a way, a ccTLD can be seen as a brand, and humans assign trust levels to brands. We explore whether attackers exploit this trust for phishing attacks.
Table 3 shows that for the three ccTLDs most of the impersonated companies are international rather than based in the ccTLD's economy. For instance, we see phishing attacks targeting Asian and African banks using .nl domains, and Microsoft is the most frequently impersonated company across all three ccTLDs. These domains cover up to 78 economies and span 114 market segments, indicating that ccTLDs are being used for global impersonation.
Figure 1 highlights the most targeted market segments in ccTLDs, based on the number of Second-Level Domains (SLDs). Banking and financial services top the list across all three ccTLDs. Interestingly, these segments were also offered by LabHost, a phishing-as-a-service provider that was shut down in April 2024.
One might conclude that attackers don't care which ccTLD they use for phishing attacks. But is that really the case?
Two attack strategies
That conclusion doesn't hold up to close scrutiny once we consider the domain name's age at the time of the phishing notification. A clear pattern emerges for both the .be and .nl ccTLDs: new domains tend to target national companies, while older domains are used to target international companies.
Why is there such a clear difference?
We hypothesize that there are two distinct attack strategies:
This distribution boils down to the attacker's choice: either pay for a domain name, hosting, and DNS service to get a cherry-picked name, or go cheap and use someone else's resources.
As Table 4 shows, 20% of phishing attacks use new (maliciously registered) domain names, targeting less than 5% of companies, mostly local. Meanwhile, 80% of attacks use old (likely compromised) domain names, targeting most companies.
Table 5 shows the economy of origin of impersonated companies, for both .nl and .be.
But what about .ie domain names? Why doesn't this apply to them? .ie has a restricted registration policy, which prevents attackers from easily registering new domains for abuse (though they have done so in the past using forged documents). This policy effectively inhibits phishing attacks using new domains but, unfortunately, doesn't help with compromised domain names.
Takeaway: Phishers can be classified into two groups based on the domain names they use:
For our ccTLDs, most attacks actually use old, likely compromised domain names.
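The age-based split described above can be reproduced from a blocklist feed joined with registry creation dates. The following is an added example, not code from the paper or from any of the registries; it applies the page's threshold (a domain is "new" when it is less than 7 days old at notification) and reports, per class, the share of attacks, the number of distinct brands hit, and the share of national targets. The domain names, brands, "national"/"international" annotations and dates are constructed sample data.

```python
"""Added example: classify phishing domains by age at notification time.

Splits reports into new (likely maliciously registered) and old (likely
compromised) domain names, the way the page describes. Not code from the
paper; all brands, scopes and timestamps below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The page treats domains younger than 7 days at notification as "new".
NEW_DOMAIN_MAX_AGE = timedelta(days=7)


@dataclass(frozen=True)
class PhishingReport:
    domain: str           # second-level domain taken from the blocklisted URL
    target: str           # impersonated brand (constructed label)
    target_scope: str     # "national" or "international" (constructed annotation)
    registered: datetime  # creation timestamp from registry records
    notified: datetime    # timestamp of the blocklist notification


def domain_age(report: PhishingReport) -> timedelta:
    """Age of the domain at the moment the phishing report arrived."""
    age = report.notified - report.registered
    if age < timedelta(0):
        # A notification that predates registration is a data error, not a signal.
        raise ValueError(f"{report.domain}: notified before it was registered")
    return age


def classify(report: PhishingReport, max_age: timedelta = NEW_DOMAIN_MAX_AGE) -> str:
    """'new' = likely registered for the attack; 'old' = likely a compromised site."""
    return "new" if domain_age(report) < max_age else "old"


def summarize(reports, max_age: timedelta = NEW_DOMAIN_MAX_AGE) -> dict:
    """Per class: share of attacks, distinct brands hit, share of national targets."""
    by_class = defaultdict(list)
    for r in reports:
        by_class[classify(r, max_age)].append(r)
    total = len(reports)
    summary = {}
    for cls in ("new", "old"):
        rs = by_class.get(cls, [])
        national = sum(1 for r in rs if r.target_scope == "national")
        summary[cls] = {
            "attacks": len(rs),
            "attack_share": len(rs) / total if total else 0.0,
            "distinct_brands": len({r.target for r in rs}),
            "national_share": national / len(rs) if rs else 0.0,
        }
    return summary


def _ts(day: str) -> datetime:
    """Parse a constructed YYYY-MM-DD date as midnight UTC."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


# Constructed sample feed: reserved .example names, invented brands and dates.
# The last entry is exactly 7 days old at notification, so it falls on the "old" side.
SAMPLE_REPORTS = [
    PhishingReport("localbank-verify.example", "LocalBank", "national", _ts("2024-03-01"), _ts("2024-03-03")),
    PhishingReport("localbank-secure.example", "LocalBank", "national", _ts("2024-03-10"), _ts("2024-03-11")),
    PhishingReport("bakery-shop.example", "GlobalMail", "international", _ts("2015-06-01"), _ts("2024-03-05")),
    PhishingReport("football-club.example", "GlobalMail", "international", _ts("2018-01-15"), _ts("2024-03-06")),
    PhishingReport("photo-blog.example", "StreamFlix", "international", _ts("2012-09-09"), _ts("2024-03-07")),
    PhishingReport("garden-center.example", "PayWallet", "international", _ts("2019-11-20"), _ts("2024-03-08")),
    PhishingReport("localpost-parcel.example", "LocalPost", "national", _ts("2024-03-04"), _ts("2024-03-08")),
    PhishingReport("school-news.example", "LocalBank", "national", _ts("2024-03-02"), _ts("2024-03-09")),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        print(f"{r.domain:28} age={domain_age(r).days:5d}d -> {classify(r)}")
    for cls, stats in summarize(SAMPLE_REPORTS).items():
        print(cls, stats)
```

On the constructed feed, the "new" class is a minority of attacks hitting only national brands, while the "old" class carries most attacks and most distinct brands, which is the shape of the distribution the page reports in Table 4. The threshold is a parameter because a registry may prefer a different window, and the strict `<` comparison puts domains that are exactly 7 days old in the "old" class.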
Comparing targeted brands across ccTLDs
Figure 5 shows a comparison of the brands impersonated in each ccTLD.
In Figure 5, we can observe that 139 companies, representing 11% of the total, are found across all ccTLDs. These include global Internet giants like Microsoft, Google, Netflix, and PayPal, which account for 58% of all second-level domains (SLDs) used in attacks. Additionally, 247 companies are impersonated using both .nl and .be domains. The cultural, linguistic, and financial ties between the Netherlands and Belgium likely explain why companies often operate in both economies, making .nl and .be domains attractive for impersonation. The remaining companies appear randomly. The .nl domain has 639 more companies targeted than the others, likely due to its larger attack surface (with 6.1 million domain names) and the use of nearly 10 years of data, compared to just four years for the other ccTLDs.
Mitigation
Phishing mitigation can occur at the DNS or web application levels, or both. At the DNS level, the domain name used in phishing can be deleted from the namespace and from the zone file. It can also be suspended, where it is deleted ('delisted') from the DNS zone but not from the namespace. Lastly, it can remain in the zone and namespace but have its authoritative DNS servers (NS records) changed to a safe server. At the web level, it can simply be removed from the website.
Each ccTLD has its own abuse mitigation policy (see .nl and .ie for complete policies).
If a phishing attack is confirmed, for new domain names:
We examined the mitigation of phishing domain names for the ccTLDs.
So, the type of domain name also influences how it is mitigated:
Figure 3 shows the mitigation chain for all new domain names (<7 days old) for both .nl and .be (recall that .ie has a restricted registration policy). The impact of the registry's policy is clear. For .nl, 55% of maliciously registered domain names are mitigated at the DNS level, mostly by registrars (48.2%); for .be, 75% of maliciously registered domain names are mitigated at the DNS level, mostly by the registry (49.6%).
In other words, .be actively removes these domains, while .nl relies on registrars to handle most mitigation first.
Mitigation times
Time is of the essence when mitigating phishing. In Figure 4, the left plot shows that at the DNS level, more than 60% of .be domains are mitigated on the first day, whereas for .nl, that figure is around 40%. However, when considering both DNS and web mitigation together (as reported by Netcraft, available only for .nl and .ie as an extra service), the right plot shows that roughly 80% of domains are mitigated on the first day for .nl, for both new and old domains, and almost at the same rate for .ie.
So, what can we conclude from this? Phishing mitigation is not a single event carried out by one actor. In practice, actions are taken independently by registrars, registries, hosting providers, and webmasters to mitigate phishing attacks. The plot on the right in Figure 4 shows the impact of this collaborative effort - phishing sites are mitigated much faster than they could be by a registry acting alone.
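The DNS-level outcomes listed under Mitigation (deleted from the namespace, suspended and delisted from the zone, or redirected to a safe name server) and the first-day mitigation rates discussed above can both be derived from registry and zone observations plus a timeline of who acted when. The following is an added example, not code from the paper or from any registry: it maps a registry/zone snapshot to one of those outcomes, identifies which actor acted first at the DNS level, and computes the share of domains mitigated within the first day when only DNS actions count versus when DNS and web removal are combined. The sinkhole name-server names, domains and timestamps are constructed assumptions.

```python
"""Added example: DNS-level mitigation state and time-to-mitigation.

Not code from the paper. Models the page's DNS-level outcomes (deleted,
suspended, NS redirected) plus web-level removal, and measures how the
first-day mitigation share changes when several actors are counted.
Server names, domains and timestamps are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, Optional

# Hypothetical "safe" authoritative servers a registry might point a phishing
# domain at instead of deleting it (assumption; not taken from the page).
SAFE_NS: FrozenSet[str] = frozenset({"sinkhole1.registry.example", "sinkhole2.registry.example"})


@dataclass(frozen=True)
class DomainSnapshot:
    domain: str
    in_namespace: bool                 # still present in the registry database
    in_zone: bool                      # still delegated in the ccTLD zone file
    ns: FrozenSet[str] = frozenset()   # NS records published for the delegation


def dns_mitigation_state(snap: DomainSnapshot) -> str:
    """Map a registry/zone observation to one of the page's DNS-level outcomes."""
    if not snap.in_namespace:
        return "deleted"        # removed from the namespace (and hence the zone)
    if not snap.in_zone:
        return "suspended"      # delisted from the zone but still registered
    if snap.ns and snap.ns <= SAFE_NS:
        return "ns_redirected"  # delegation moved to a safe server
    return "active"             # no DNS-level mitigation observed


@dataclass
class MitigationEvents:
    domain: str
    notified: datetime
    dns_actions: Dict[str, datetime] = field(default_factory=dict)  # actor -> time acted
    web_removed: Optional[datetime] = None  # hosting provider/webmaster took the page down


def first_mitigation(ev: MitigationEvents, levels=("dns", "web")) -> Optional[datetime]:
    """Earliest mitigation time across the requested levels, or None if nothing happened."""
    times = []
    if "dns" in levels:
        times.extend(ev.dns_actions.values())
    if "web" in levels and ev.web_removed is not None:
        times.append(ev.web_removed)
    return min(times) if times else None


def first_dns_actor(ev: MitigationEvents) -> Optional[str]:
    """Which actor (registrar or registry) acted first at the DNS level."""
    if not ev.dns_actions:
        return None
    return min(ev.dns_actions, key=ev.dns_actions.get)


def share_mitigated_within(events: Iterable[MitigationEvents],
                           window: timedelta = timedelta(days=1),
                           levels=("dns", "web")) -> float:
    """Fraction of domains whose first mitigation at the given levels fell inside the window."""
    events = list(events)
    hits = 0
    for ev in events:
        t = first_mitigation(ev, levels)
        if t is not None and t - ev.notified <= window:
            hits += 1
    return hits / len(events) if events else 0.0


T0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
H = timedelta(hours=1)

# Constructed timelines for five reported domains (all notified at T0).
SAMPLE_EVENTS = [
    MitigationEvents("d1.example", T0, {"registrar": T0 + 6 * H}, web_removed=T0 + 2 * H),
    MitigationEvents("d2.example", T0, {"registry": T0 + 72 * H}, web_removed=T0 + 10 * H),
    MitigationEvents("d3.example", T0, {}, web_removed=T0 + 20 * H),
    MitigationEvents("d4.example", T0, {"registrar": T0 + 48 * H, "registry": T0 + 120 * H}),
    MitigationEvents("d5.example", T0, {"registry": T0 + 12 * H}, web_removed=T0 + 26 * H),
]

# Constructed registry/zone snapshots taken after the actions above.
SAMPLE_SNAPSHOTS = [
    DomainSnapshot("d1.example", in_namespace=False, in_zone=False),
    DomainSnapshot("d2.example", in_namespace=True, in_zone=False),
    DomainSnapshot("d4.example", in_namespace=True, in_zone=True, ns=frozenset({"sinkhole1.registry.example"})),
    DomainSnapshot("d3.example", in_namespace=True, in_zone=True, ns=frozenset({"ns1.hoster.example"})),
]

if __name__ == "__main__":
    for snap in SAMPLE_SNAPSHOTS:
        print(f"{snap.domain:12} {dns_mitigation_state(snap)}")
    print("first day, DNS only :", share_mitigated_within(SAMPLE_EVENTS, levels=("dns",)))
    print("first day, DNS + web:", share_mitigated_within(SAMPLE_EVENTS))
```

On the constructed timelines the DNS-only first-day share is 0.4 while the combined DNS-plus-web share is 0.8, which illustrates the point made about Figure 4: once hosting providers and webmasters are counted alongside registrars and registries, a far larger fraction of phishing sites is down within a day than any single DNS actor achieves alone.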
What's next
Our study is the first to compare abuse across three registries with different registration policies. We have demonstrated the impact of registration and abuse mitigation policies on overall phishing mitigation. Some hackers leverage the ccTLDs' brand to impersonate national companies, while most attackers act as freeloaders, exploiting others' resources - specifically, their vulnerable websites.
We propose the following action points from our study:
For more details on this research and other results, please refer to the peer-reviewed paper that will appear in the 2024 ACM Conference on Computer and Communications Security (CCS 2024).
Giovane Moura is a Data Scientist with SIDN Labs and an Assistant Professor at TU Delft.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.