National and International Phishing Attackers revealed

News - 26 September 2024 - Communication EWI

Phishing attacks, which trick users into sharing private data, have been a major online security threat for years. According to a 2023 FBI report, it is the top digital crime type. Assistant Professor Giovane Moura and Prof. Georgios Smaragdakis, from the Intelligent Systems department, have collaborated with three European country-code top-level domains (ccTLDs) to characterize phishing attacks, focusing on the Netherlands’ .nl, Belgium’s .be, and Ireland’s .ie. By understanding these patterns, the research aims to enhance security measures and protect internet users from phishing threats.

Two types of attacker groups

The study identifies two main types of attacker groups operating in the Netherlands’ .nl and Belgium’s .be zones:

  • Local attackers: These attackers register new, carefully chosen domain names to impersonate local companies, such as update-your-card.nl to impersonate ING bank. They account for 20% of phishing attacks and require attackers to pay for and configure domain names. They speak the countries' languages.
  • International attackers: Instead of registering new domain names, these attackers compromise any vulnerable website, such as those running outdated Content Management Systems (CMS) like WordPress. This method is relatively easy to execute with automated tools, leading to a large population of attackers preying on any vulnerable domain name. For example, a website like flowers-delft.nl could be used for a phishing attack targeting a Tanzanian bank. They account for 80% of phishing attacks.

Significant policy and security implications

These differences are crucial for mitigating these attacks. Local attackers’ domain names can be quickly deleted and removed from the DNS, but compromised websites present a more complex challenge: they cannot be mitigated at the DNS level, since deleting the domain would also take the legitimate website offline, so mitigation has to happen at the hosting provider.
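As an added illustration (not code from the study or from the ccTLDs), the following Python triage routine applies the distinction above to a phishing report: it assumes each report carries the domain's registry creation date, uses constructed age thresholds, brand keywords and CMS path markers, and routes each case either to registry deletion (newly registered lookalike domain) or to hosting-provider clean-up (compromised existing site).

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed thresholds and keyword lists for illustration only;
# they are assumptions, not values taken from the study.
NEW_DOMAIN_MAX_AGE_DAYS = 30
BRAND_KEYWORDS = ("bank", "card", "login", "update", "secure")
CMS_PATH_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-admin/")


@dataclass(frozen=True)
class PhishReport:
    url: str          # reported phishing URL
    registered: date  # domain creation date (from the registry or WHOIS)
    observed: date    # date the phishing page was reported


def split_url(url: str) -> tuple[str, str]:
    """Return (hostname, path); a missing scheme or path is tolerated."""
    rest = url.split("://", 1)[-1]
    host, _, path = rest.partition("/")
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return host, "/" + path


def classify(report: PhishReport) -> tuple[str, str]:
    """Map a report to (attacker type, mitigation route).

    'local'         -> newly registered lookalike domain; the registry can
                       delete it from the DNS without collateral damage.
    'international' -> long-lived domain whose site was compromised; the DNS
                       record must stay and the hosting provider cleans up.
    """
    host, path = split_url(report.url)
    age_days = (report.observed - report.registered).days
    label = host.rsplit(".", 1)[0]          # drop the ccTLD (.nl, .be, .ie)
    lookalike = any(k in label for k in BRAND_KEYWORDS)
    cms_path = any(m in path for m in CMS_PATH_MARKERS)
    if age_days <= NEW_DOMAIN_MAX_AGE_DAYS and lookalike:
        return "local", "registry: suspend and delete the domain name"
    if age_days > NEW_DOMAIN_MAX_AGE_DAYS or cms_path:
        return "international", "hosting provider: clean the compromised site"
    return "review", "manual review: new domain without a clear lookalike"


def share_by_type(reports: list[PhishReport]) -> dict[str, float]:
    """Fraction of reports per attacker type (the kind of split the study reports)."""
    counts: dict[str, int] = {}
    for r in reports:
        kind = classify(r)[0]
        counts[kind] = counts.get(kind, 0) + 1
    return {k: v / len(reports) for k, v in counts.items()}
```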

The peer-reviewed study has significant policy and security implications, which are currently being discussed within the three European ccTLDs. Policy adjustments are expected as a result of this study.

The results of this research will be presented at the forthcoming 2024 ACM Conference on Computer and Communications Security (ACM CCS 2024).