About Us

Afilias' specialized technology makes Internet addresses more accessible and useful through a wide range of applications, including Internet domain registry services, Managed DNS and award-winning mobile Web services.

Which Domains Stand the Strongest Against Phishing Attacks?

Highlights from the latest research published by the Anti-Phishing Working Group (APWG)

Criminals behind phishing attacks are constantly looking for new vulnerabilities.

The latest Anti-Phishing Working Group (APWG) Global Phishing Survey, which analyzed over 100,000 phishing attacks in the first half of 2014, examines the progress that top level domains (TLDs) are making in responding to phishing attacks that use their TLDs.

The report finds the .INFO domain has the lowest average phishing uptimes as compared to other TLDs, such as .COM and .NET.


Key Findings

1.    Apple became the world’s most-phished brand in 2014

2.    The introduction of new top-level domains did not have an immediate major impact on phishing

3.    Chinese phishers were responsible for 85% of the domain names registered for phishing

4.    Malicious domains and subdomain registrations continue at historically high levels, largely driven by Chinese phishers

5.    The average uptimes of phishing attacks remain at historic lows, pointing to some success by anti-phishing responders

6.    The companies and brands targeted for phishing were diverse, with many new targets, suggesting that e-criminals are looking for new opportunities in new places

7.    Mass hackings of vulnerable shared-hosting providers accounted for 20% of all phishing attacks


Quick Phishing Takedowns Matter

The first day of a phishing attack is the most lucrative for the phisher, so quick takedowns are critical. Large, generic top-level domains are usually big targets for phishers, because these TLDs are the most familiar to the average Internet user. Among these domains, .INFO (owned and operated by Afilias), .ORG (owned by PIR and operated with Afilias technology), and .BIZ (operated by Neustar) have formal notification and takedown programs in place, according to the APWG report.  

With .INFO and .ORG, Afilias proactively monitors and looks for malicious or compromised domains (see next section for more details), allowing for efficient detection, analysis, and confirmation of phishing. Evidence of the phishing is then immediately reported to registrars to quickly mitigate the abuse.

.INFO has the shortest average phishing uptimes in June 2014:

Source: Anti-Phishing Working Group (APWG) Global Phishing Survey – Trends and Domain Name Use report


Rigorous Scrubbing Matters

While the majority of attackers use compromised websites to host their attacks, a quarter of all attacks (25.8%) are carried out via domain names registered by phishers. Rigorously watching domain name portfolios, and scrubbing them quickly to get rid of phishing domains, makes a big difference. For example, Afilias uses proprietary abuse-detection and pattern-recognition systems to monitor registrations, usage, and queries, on a daily basis, along with alarms and alerts. Other registries use different methods to achieve similar end-goals. Strong working relationships with registrars are crucial, since they have the ability to respond quickly to problems.

The APWG reports use two particularly useful metrics:

Phishing Domains per 10,000.This ratio shows how many domain names were used for phishing in a TLD as compared to the total number of registered domain names in that TLD, revealing whether a given TLD has a higher or lower incidence of phishing relative to others.

Malicious Domains per 10,000 Domains. This ratio reveals how many domains in a TLD were “malicious” registrations (domains reported for phishing shortly after being registered) as compared to the total number of registered domains names in that TLD, revealing whether a TLD has a higher or lower incidence of malicious registrations relative to others.

New TLDs Not (Yet?) Attractive to Phishers

Source:Anti-Phishing Working Group (APWG) Global Phishing Survey – Trends and Domain Name Use report


The introduction of hundreds of new generic TLDs in 2014 did not create a new phishing haven. In fact, most of the new generic TLD domains used for phishing were not themselves malicious domains, but were on compromised web sites. As the APWG report points out, phishers usually don’t register domains that contain brand names, since most brand owners proactively scan internet zone files for their brand names and can quickly identify these phishing sites.

Some of the new “restricted” generic TLDs offer an additional layer of protection against malicious registrations – with their verification requirements. The .ORGANIC domain, for example, is available only to producers of organic products and services, andto others who serve the organic community. Similarly, .NGO and .ONG will be available only to qualified NGO organizations. Few, if any, phishing criminals will pass the verification process, and most won't even try.



Registries must stay on top of the new tricks and tactics employed by phishers, and constantly improve their security measures to make top-level domains safe.