September 27, 2017, Andrew Geiger
Threat actors are always innovating, creating new methods to lure victims into giving up access to their financial information, PII, and user accounts. They’ll use any angle that gets victims to enter their information.
In RiskIQ’s Q2 Phishing Roundup, we review our phishing data from Q2 2017, drawing on data from Q1 to show significant trends in threat actor behavior. Understanding the latest phishing techniques and threat actor tendencies helps us position our clients to stay one step ahead of phishing threats targeting their organizations.
The data in this report, which consists of internally blacklisted resources (unique phishing URLs in this case), was aggregated exclusively by the RiskIQ team. It will focus on:
In Q2 2017, RiskIQ observed 39,320 unique phishing domains, down from 45,025 in Q1 2017. However, 316 brands were targeted by phishing in Q2, up 15.7% from the 273 brands in Q1.
From quarter to quarter, RiskIQ tends to observe many of the same brands in our most-phished list. Financial services and digital transaction brands continue to be a favorite target. This is not surprising: threat actors running phishing campaigns try to trick users into providing sensitive data, which these companies collect in droves. For the same reason, healthcare companies and major software providers are also regulars in the top-10 most-phished brands list.
Fig-1 Most-phished brands
Although obfuscated, all the brands in the graphs in figures 1 and 2 are extremely well-known. In Q1, the most-phished brand was a leading digital transaction provider followed by a multinational consumer electronics provider. In Q2, it was a major bank followed by the same consumer electronics provider.
The web hosts associated with phishing sites, many of which are compromised websites, haven’t changed over the past few years. Typically, the largest web hosts are the ones most often associated with phishing.
The top five phishing registrars (Figure 3) observed by RiskIQ don’t often vary. GoDaddy is the most affected registrar, which reflects a correlation between the size of the registrar and the number of affected phishing URLs. GoDaddy.com, LLC, ENOM, INC., and TUCOWS DOMAINS INC are all top-five registrars by volume in the world.
Fig-2 Most popular phishing registrars
Registrant data (Figure 4) shows how threat actors continue to rely more and more on privacy-protected and false Whois registrations. This has become standard practice for malicious domain registrations used for phishing, as a way to throw off threat researchers.
Fig-3 Most popular registrant emails
Lastly, we looked at the top-10 hosting providers from both Q1 (Figure 5) and Q2 (Figure 6). Again, as with our registrar and registrant data, the overall detections for our top 10 hosting providers went up. It’s worth noting, however, that in Q2 there is one clear outlier, Zenedge LLC, which was hosting significantly more phishing URLs than the second-highest hosting provider, CyrusOne LLC. Interestingly, unlike the registrar data, the hosting provider data is not positively correlated with the domain volume of the hosting provider.
Fig-4 Most-phished hosting providers
RiskIQ provides access to our unique phishing detection capabilities with our External Threats product line. Knowing your phishing risk is only half the battle; our product line offers real-time monitoring and web enforcement capabilities. Protect your assets with RiskIQ’s industry-leading security intelligence.
Also be sure to check out RiskIQ’s Q2 Mobile Threat Landscape Report and Q2 Malvertising Roundup.