Expansion is also apparent in the range of domains used: the phishing sites discovered in 2015 were spread across 280 TLDs, but last year 432 TLDs were involved. The trend was linked mainly to the availability of very cheap domain names under new TLDs (nTLDs). Compared with 2015, the number of phishing attacks from nTLDs was up fourteen-fold. In 2016, 2 per cent of all attacks were linked to new extensions.
More phishing from nTLDs
Expansion is also apparent in the range of domains used: the phishing sites discovered in 2015 were spread across 280 TLDs, but last year 432 TLDs were involved. The trend was linked mainly to the availability of very cheap domain names under new TLDs (nTLDs). Compared with 2015, the number of phishing attacks from nTLDs was up fourteen-fold. In 2016, 2 per cent of all attacks were linked to new extensions.
.com is biggest TLD by volume
While the nTLDs may be the growers, .com remains the biggest source of phishing attacks in volume terms. More than 51 per cent of incidents were linked to .com in 2016. The TLD is therefore slightly overrepresented, since 48 per cent of all the world’s domain names are .com names.
Cheap ccTLDs also popular with phishers
On the list of ccTLDs used, a few stand out for their relative significance. National extensions overrepresented in the phishing stats include:
- Brazil (.br): 1.8 per cent of all domain names, 5.7 per cent of all attacks
- Tokelau (.tk): 0.1 per cent of all domain names, 0.7 per cent of all attacks
- Mali (.ml): <0.1 per cent of all domain names, 0.4 per cent of all attacks
Tokelau’s domain offers free registrations, subject to certain conditions. For phishers, it’s therefore attractive, because they don’t need to provide any bank details. Mali’s prominence is linked to the fact that .ml is easily mistaken for .nl.
Results in the Netherlands
Where the Netherlands is concerned, the PhishLabs report contains both welcome and unwelcome findings. As a hosting nation, the Netherlands is a big player in the global phishing trade. Of all the phishing attacks detected, 3 per cent were hosted here. And 92 per cent of Dutch-hosted attacks are targeted more widely than just at the Netherlands. Our prominence as a hosting location for phishing probably reflects the size of the Dutch hosting industry, which is used by many non-Dutch website owners.
When it comes to Dutch domain names associated with phishing, the Netherlands has more to be proud of. In 2016, PhishLabs discovered just 1,066 unique .nl URLs in use for phishing. That is just 0.6 per cent, even though .nl accounts for roughly 2 per cent of the global domain name market. It’s hard to be sure of the reason, but our own data indicates that, last year, a relatively large number of .nl phishing sites were detected early using Abuse204.nl. Because many registrars now have active abuse policies as well, sites get taken down quickly under the notice-and-take down procedure. Such sites have little chance to cause problems and don’t therefore figure much in the stats.
Download the rapport
Want to know more about the PhishLabs study? You can request the full report here.