Phishing Landscape 2020: A Study of the Scope and Distribution of Phishing

Phishing is a significant threat to millions of Internet users. Phishing attacks lure victims to a website purportedly run by a trusted entity, such as a bank or other service the victim uses, and the victim is fooled into entering sensitive information. These bogus websites are actually run by criminals, and they steal extensive financial and personal information from the victims, leading to large aggregate financial losses and identity theft. At the same time, phishing inflicts financial costs and reputational damage to the targets, which are companies, government entities such as tax authorities, and universities. Phishing also inflicts damage on the systems of compromised web hosts, on the email providers who must defend against phishing spam, and on responders charged with protecting users and networks.

Our goal in this study was to capture and analyze a large set of information about phishing attacks, to better understand how much phishing is taking place and where it is taking place, and to see if the data suggests better ways to fight phishing. To do so we looked at when phishers launch attacks, to determine when attacks occur and how quickly phishers act. We studied where phishers are getting the resources they need to perpetrate their crimes — where they obtain domain names, and what web hosting is used. This analysis can identify where additional phishing detection and mitigation efforts are needed and can identify vulnerable providers. We also report on the wide range of brands targeted by phishers, and how often they take advantage of the unique properties of internationalized domain names (IDNs).

To assemble a deep and reliable set of data, we collected URLs, domain names, IP addresses, and other data about phishing attacks from four widely used and respected threat data providers: the Anti-Phishing Working Group (APWG), OpenPhish, PhishTank, and Spamhaus. Over a three-month collection period, we learned about more than 100,000 newly discovered phishing sites.

Our major findings and conclusions are based on the data we collected (phishing numbers vary based on the data sources used, the measurement period, and other factors):

1. Most phishing is concentrated at small numbers of domain registrars, domain registries, and hosting providers.

2. Phishers themselves register more than half of the domain names on which phishing occurs.

3. Domain name registrars and registry operators can prevent and mitigate large amounts of phishing by finding and suspending maliciously registered domains.

4. Registries, registrars, and hosting providers should focus on both mitigation and prevention.

5. The problem of phishing is bigger than is reported, and the exact size of the problem is unknown.

6. Sixty-five percent of maliciously registered domain names are used for phishing within five days of registration.

7. New top-level domains introduced since 2014 account for 9% of all registered domain names, but 18% of the domain names used for phishing.

8. About 9% of phishing occurs at a small set of providers that offer subdomain services.

Comments can be submitted to feedback@interisle.net

The opinions, findings, and conclusions or recommendations expressed in this report are the product of independent work conducted by Interisle Consulting Group, without direction or other influence from any outside party, including parties that may have provided funding to support the work.