In a presentation at M3AAWG’s 56th general meeting in October 2022, security expert and partner Dave Piscitello at Interisle Consulting Group LLC shared incredible and disturbing data with attendees.

The session was based on two reports. The first, Phishing Landscape 2022, can be found here, https://interisle.net/PhishingLandscape2022.html. Key findings from that report included that three million phishing reports representing 1,123,000 phishing attacks, shows that phishing increased by 61 percent over the period 1 May 2021 through 30 April 2022. Piscitello commented that since the report, monthly phishing attacks continue to increase significantly, doubling since May 2020. 

He notes that phishing continues to pose a significant threat to millions of Internet users. Among the major findings in the study, Interisle reports that:

Phishers targeted over 2000 businesses and organizations during the 1 May 2021 to 30 April 2022 period. The majority of phishing attacks targeted just ten brands.

A small number of registrars dominate malicious domain registration in some TLDs. In four TLDs, more than 80 percent of the malicious domains were registered through just one registrar. 

Phishing attacks are disproportionately concentrated in new gTLDs. While the new TLDs’ market share decreased during our yearly reporting period, phishing among the new TLDs increased. It appears phishers also prefer free domain registrations, for example, domains available from commercialized TLDs operated by Freenom . 

Phishers deliberately registered 69 percent of all domains used in phishing attacks. 58 percent of all reported phishing attacks were hosted on these maliciously registered phishing domains.

Cryptocurrency phishing rose 257 percent. Nearly 80 percent of the gTLD domains reported for phishing were maliciously registered. Wallets were the most targeted brands.

The report also found that 10 hosting networks accounted for 47 percent of phishing attacks – with the top 4 accounting for an astounding 30 percent of attacks. Think cyber attackers come from overseas? Think again…86 percent of phishing attacks against the top 10 hosting networks were located in the U.S. Data also suggests that subdomain services are a “one-stop” shop for attackers. These services offer free or inexpensive domain registration, anonymity and the ability to impersonate brands and accounted for 13% of all phishing attacks.  

The second part of the session addressed data from an extensive malware report published in June 2022 by Interisle, available here:  https://interisle.net/MalwareLandscape2022.html. The report uniquely focused on the resources and hosting malware attackers use, rather than on the numbers of malware infections, which have been addressed in a number of other studies. 

Malware has become a major issue as it’s deployed by nation-states and organized crime and in fact has surpassed fraud as the top issue in corporate compliance offices  of all size companies globally. Ransomware and related attacks continue to wreak havoc and cost companies money and reputation. 

From the report, Interisle reported “…By capturing nearly five million malware reports collected by the Cybercrime Information Center over a 365-day period, Interisle has produced a comprehensive report quantifying how malware perpetrators use Internet resources for nefarious purposes.” Interisle's unique malware taxonomy allowed its team to accurately measure and study the most prevalent types of malware, determine where said malware was served from or distributed, and discover which resources criminals were using to carry out their attacks.

The report notes that the most frequently reported malware targets IoT (Internet of Things) devices and that the majority of IoT malware appears to be hosted on networks in the Asia-Pacific region. Per Interisle, networks in the United States and China host the most malware that targets user-attended devices. Information stealers, ransomware, and backdoors are the most prevalent "endpoint" malware, i.e., malicious software that targets tablets, mobile phones, laptops, and PCs.

As could be expected, malware attackers are using all available tools and services, including file sharing, code repositories and storage services, to support their efforts. The legitimate tools are used to distribute source code, attack code, and files with compromised credentials or cryptographic keys. Malware purveyors are even offering their nefarious wares “as a service”, leveraging bandwidth and other technology tools. 

In closing, Piscitello suggested, "Mitigating phishing and malware requires cooperation and determined efforts by all parties that comprise the naming, addressing, and hosting ecosystem exploited by cyberattackers" and that legislation or regulation may be necessary to effectively mitigate malware threats.”

More info, research and industry data can be found at the Cybercrime Info Center, https://cybercrimeinfocenter.org.

M3AAWG members continue their work against Internet threats. Best common practices addressing these issues can be found here: https://www.m3aawg.org/published-documents.

Interested in submitting an idea for a session at M3AAWG’s meetings? December 14, 2022 is the deadline for our 57th general meeting in San Francisco. See here for details: https://www.m3aawg.org/events/call-for-proposals.