Phishing is an efficient method for an attacker to deliver malware or harvest credentials from unsuspecting victims. By sending out a mass or targeted email designed to look like it came from a bank or other legitimate source, an attacker can acquire a fair number of user credentials or deliver malware. Credentials can be used for identity theft, additional compromise or to send more seemingly legitimate phishing emails and convincing a user to install malware can give attackers access to a system.
To get an idea of what kinds of domains phishing attacks are using at present Josh Pyorre, security analyst of OpenDNS Security Labs, analysed the last month’s reported phishing messages. The following is a graphical view of the top 10 organisations with the most phishing content :
Looking at the data in a little more detail, Josh has uncovered one domain that appears to have been purchased specifically for use in targeted PayPal phishing attacks with the goal of acquiring credentials and stealing money from PayPal customers.
Josh explains, “Serviceyourpaypal[.]com was registered on September 14, 2014 at launchpad[.]com. It’s using domain privacy services provided by privacyprotect[.]org to hide administrative and technical details for the person or organization who bought the domain name. It is hosted at Hostgator, a well known and inexpensive hosting provider and is using a shared host at the IP address of 192.185.4.25. This IP address is hosting a total of 369 domain names.”
While the domain is not serving any useful content at present, Josh adds, “Serviceyourpaypal[.]com could be re-activated at any time and used in future PayPal-themed phishing campaigns.”
Another worrying domain identified by Josh looks to be used for a Lloyds Banking scam. Josh explains, “Applesverifications[.]com was registered on September 2, 2015 at launchpad[.]com and does not hide it’s whois information behind a privacy service. That doesn’t necessarily mean it’s factual. In some cases, adding whois privacy costs extra when registering a domain. The domain is hosted with Hostgator and its IP address hosts a total of 907 domains.”
This is a screen shot of the content when last analysed:
Josh continues, “The DNS traffic had a very suspicious spike in traffic on May 10, 2015 after small and consistent amounts of DNS traffic, potentially indicating other campaigns or testing prior to this specific phishing campaign.”
Josh has published a blog posting detailing this and his analysis of the other top 10 organisations with the most phishing content which you can see here.