Q2 Phishing Roundup: Phishing is Down, but More Companies Targeted

RiskIQ’s Q2 Phishing Roundup: Total Phishing is Down, but More Companies Targeted

September 27, 2017, Andrew Geiger

Threat actors are always innovating, creating new methods to lure victims into giving up access to their financial information, PII, and user accounts. Any angle they can play to get their victims to enter their information, they’ll use.

In RiskIQ’s Q2 Phishing Roundup, we’ll overview our vast phishing data from Q2 2017, drawing upon data from Q1 to show significant trends in threat actor behavior. Understanding the latest phishing techniques and threat actor tendencies helps us position our clients to stay one step ahead of phishing threats targeting their organizations.

The data in this report, which is comprised of internally blacklisted resources—unique phishing URLs in this case—was aggregated exclusively by the RiskIQ team. It will focus on:

  • The number of phishing threats
  • The most targeted brands
  • The Whois characteristics of these phishing threats

Less Phishing, More Targets

In Q2 2017, RiskIQ observed 39,320 unique phishing domains, which is down from an overall 45,025 back in Q1 2017. However, there were 316 targeted phishing brands in Q2, which is up 15.7% from the 273 brands in Q1.

The Targeted Brands Remain Much the Same

From quarter to quarter, RiskIQ tends to observe many of the same brands in our most-phished list. Financial services and digital transaction brands continue to be a favorite target, which is not surprising: threat actors involved in phishing campaigns attempt to trick users into providing sensitive data, which these companies collect in droves. For the same reason, healthcare companies and major software providers are also regulars in the top-10 most-phished brands list.

Fig-1 Most-phished brands

Although obfuscated, all the brands in the graphs in figures 1 and 2 are extremely well-known. In Q1, the most-phished brand was a leading digital transaction provider followed by a multinational consumer electronics provider. In Q2, it was a major bank followed by the same consumer electronics provider.

Most Popular Phishing Registrars: The Usual Suspects

The web hosters associated with phishing sites, many of which come from compromised websites, haven’t changed over the past few years. Typically, the largest web hosts are most often associated with phishing.

The top five phishing registrars (Figure 3) observed by RiskIQ don’t often vary, with GoDaddy being the top affected registrar. This reflects a correlation between the size of the registrar and the number of affected phishing URLs: GoDaddy.com, LLC, ENOM, INC., and TUCOWS DOMAINS INC are all top-five registrars by volume in the world.

Fig-2 Most popular phishing registrars

The registrant data (Figure 4) shows how threat actors continue to rely more and more upon privacy-protected and false Whois registrations. This has become standard practice for malicious domain registrations used for phishing, as a way to throw off threat researchers.

Fig-3 Most popular registrant emails

Most Popular Hosting Providers: One Big Outlier

Lastly, we looked at the top-10 hosting providers from both Q1 (Figure 5) and Q2 (Figure 6). Again, as with our registrar and registrant data, the overall detections for our top 10 hosting providers went up. It’s worth noting, however, that in Q2, there is one clear outlier, Zenedge LLC, which was hosting significantly more phishing URLs than the second-highest hosting provider, CyrusOne LLC. Interestingly, the hosting provider data is not positively correlated with the domain volume of the hosting provider, which was the case with the registrar data.

Fig-4 Most-phished hosting providers

Knowing your Risk

RiskIQ provides access to our unique phishing detection capabilities with our External Threats product line. Knowing your phishing risk is only half the battle; our product line offers real-time monitoring and web enforcement capabilities. Protect your assets with RiskIQ’s industry-leading security intelligence.

Also be sure to check out RiskIQ’s Q2 Mobile Threat Landscape Report and Q2 Malvertising Roundup.
