Chinese phishers attacking Chinese targets, says Anti-Phishing Working Group


Attacks by Chinese phishers on Chinese targets were up significantly during the first half of 2011, says a new biannual report from the Anti-Phishing Working Group, an international consortium of companies, associations and government agencies.

Chinese phishers in particular attacked, one of China's largest e-commerce sites, the report says. "It appears that is now the world's second-most phished target, after PayPal," it adds.

Unlike most phishers, Chinese phishers do not use many hacked domains, preferring instead to register new ones, the report adds; Chinese phishers were responsible for "a startling 70 percent" of the at least 10,179 maliciously registered domain names during the first half of 2011. (The group counts 11,192 total new domains registered during that time period.)

Most malicious registrations, about 54 percent, were in the .tk top level domain, which offers free registrations; another 31 percent were in the .info top level domain.

"All of these domains were obtained through just one American registrar, which offers steep discounts on .info, often as cheap as US$0.79 per domain," the report notes. The country code top level domain for China, .cn, was hardly used at all for phishing attacks during the first half of 2011 (101 attacks on 61 domains), the report also says, noting that beginning in December 2009, "new rules made it very difficult to register .cn domains."

The report also notes the revival of an old attack method: a phisher breaks into a shared virtual server that hosts a large number of domains and uploads a single copy of the phishing content. The phisher then reconfigures the web server so that the content is served under every hostname it answers for, and all of those websites display the phishing pages via the same custom subdirectory. In doing so, phishers take advantage of a standard capability of web servers that allows webmasters to set up shared info pages, 404 pages, etc., the paper adds.

"So instead of hacking sites one at a time, the phisher can infect dozens, hundreds, or even thousands of websites at a time, depending on the server," the paper adds. Consumer web hosting servers are more likely to be susceptible to this attack, it adds, since most enterprise, government and university servers are on dedicated rather than virtual hosts.
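One way a hosting operator can check for the server-wide mapping this technique relies on, as an added example that is not from the APWG report or the article: the script below scans an Apache-style configuration and flags path mappings defined outside every `<VirtualHost>` block, since those are inherited by all hosted sites. It assumes Apache's `Alias`, `AliasMatch` and `ErrorDocument` directives as the mechanism, and the configuration text is constructed for the demo.

```python
"""Flag server-scope path mappings in an Apache-style config.

Constructed example for this article, not code from the APWG report: a
mapping placed outside every <VirtualHost> is inherited by all of them,
which is how the shared-server technique above exposes one uploaded
directory under every hosted site. Directive names are assumed Apache.
"""
import re
RISKY = {"alias", "aliasmatch", "errordocument"}   # inherit into all vhosts
OPEN_RE = re.compile(r"^\s*<VirtualHost\b", re.IGNORECASE)
CLOSE_RE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(\S+)\s+(.+?)\s*$")


def find_global_mappings(config_text):
    """Return [(line_no, directive, key, target)] for risky directives that
    sit outside every <VirtualHost> block; comments are ignored."""
    findings = []
    depth = 0                                 # current <VirtualHost> nesting
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        if OPEN_RE.match(line):
            depth += 1
        elif CLOSE_RE.match(line):
            depth = max(depth - 1, 0)
        elif depth == 0:
            m = DIRECTIVE_RE.match(line)
            if m and m.group(1).lower() in RISKY:
                findings.append((line_no, m.group(1), m.group(2), m.group(3)))
    return findings


# Constructed httpd.conf fragment: per-site Alias (fine), global 404 page
# (legitimate but server-wide), and an Alias added at server scope.
SAMPLE_CONFIG = """\
ErrorDocument 404 /errors/not_found.html
<VirtualHost *:80>
    ServerName shop.example.net
    Alias /help /var/www/shared/help
</VirtualHost>
# outside any vhost: appears under every hosted site
Alias /account-verify /var/tmp/.cache/pages
<VirtualHost *:80>
    ServerName blog.example.org
</VirtualHost>
"""

if __name__ == "__main__":
    for line_no, directive, key, target in find_global_mappings(SAMPLE_CONFIG):
        print(f"line {line_no}: server-wide {directive} {key} -> {target}")
```

Every line it reports deserves a look; a global 404 page is normal, but an `Alias` that nobody remembers adding at server scope is the footprint of the mass-infection described in the report.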

For more:
- download the APWG November 2011 phishing report (.pdf)
