Cyber threat actors are always innovating, creating new methods to lure victims into gaining access to their financial information, PII, and user accounts. Any angle they can play to get their victims to enter their information, they'll use.
In RiskIQ's Q2 Phishing Roundup, we'll overview our vast phishing data from Q2 2017, drawing upon data from Q1 to show significant trends in cyber threat actor behavior. Understanding the latest phishing techniques and cyber threat actor tendencies helps us position our clients to stay one step ahead of phishing threats targeting their organizations.
The data in this report, which is comprised of internally blacklisted resources—unique phishing URLs in this case—was aggregated exclusively by the RiskIQ team. It will focus on:
- The number of phishing threats
- The most targeted brands
- The Whois characteristics of these phishing threats
Less Phishing, More Targets
In Q2 2017, RiskIQ observed 39,320 unique phishing domains, which is down from an overall 45,025 back in Q1 2017. However, there were 316 targeted phishing brands in Q2, which is up 15.7% from the 273 brands in Q1.
The Targeted Brands Remain Much the Same
From quarter to quarter, RiskIQ tends to observe many of the same brands in our most-phished list. Financial services and digital transaction brands continue to be a favorite target, which is not surprising—as cyber threat actors involved in phishing campaigns attempt to trick users into providing sensitive data, which these companies collect in droves. As such, healthcare companies and major software providers are also regulars in the top-10 most-phished brands list.
Although obfuscated, all the brands in the graphs in figures 1 and 2 are extremely well-known. In Q1, the most-phished brand was a leading digital transaction provider followed by a multinational consumer electronics provider. In Q2, it was a major bank followed by the same consumer electronics provider.
Most Popular Phishing Registrars: The Usual Suspects
The web hosters associated with phishing sites, many of which come from compromised websites, haven’t changed over the past few years. Typically, the largest web hosts are most often associated with phishing.
The top five phishing registrars (Figure 3.) observed by RiskIQ don’t often vary, with GoDaddy being the top affected registrar—a correlation between the size of the registrar and the number of affected phishing URLs. GoDaddy.com, LLC, ENOM, INC., and TUCOWS DOMAINS INC are all top-five registrars by volume in the world.
Looking into registrant data (Figure 4.) is telling of how cyber threat actors continue to rely more and more upon privacy protected and false Whois registrations. This has become standard practice for malicious domain registrations used for phishing to throw off threat researchers.
Most Popular Hosting Providers: One Big Outlier
Lastly, we looked at the top-10 hosting providers from both Q1 (Figure 5) and Q2 (Figure 6). Again, as with our registrar and registrant data, the overall detections for our top 10 hosting providers went up. It’s worth noting, however, that in Q2, there is one clear outlier, Zenedge LLC, which was hosting significantly more phishing URLs than the second-highest hosting provider, CyrusOne LLC. Interestingly, the hosting provider data is not positively correlated with the domain volume of the hosting provider, which was the case with the registrar data.
Knowing your Risk
RiskIQ provides access to our unique phishing detection capabilities with our External Threats product line. Knowing your phishing risk is only half the battle; our product line offers real-time monitoring and web enforcement capabilities. Protect your assets with RiskIQ’s industry-leading security intelligence.