DNS Belgium and the Dutch and Irish registries (SIDN and .IE, https://www.weare.ie/) carried out a large-scale study of the nature of phishing attacks in the .be, .nl and .ie zones. The aim was to gain a better insight into how phishing works, how it can be detected earlier and how it can be countered more efficiently.
Through phishing attacks, cybercriminals try to obtain their victims' credentials and other private details. It's an old problem that has been a major threat to online security for many years. According to 2023 reports from the FBI and the European Union Agency for Cybersecurity (ENISA), phishing is the most common form of cybercrime.
We examined more than 28,000 domain names involved in phishing. Our analysis took into account the respective number of domain names in the three zones and the fact that Ireland, unlike Belgium and the Netherlands, doesn't have an open registration policy: only companies and people with a link to Ireland are able to register an .ie domain name.
Our analysis showed the following:
Global threat
The study identified two attack strategies. National companies are often imitated within their own ccTLD. A ccTLD (country code top-level domain) is associated with a country and thus inspires a lot of trust among residents of that country. Just think: are you more likely to place an order with www.coolepennenzakken.be or with www.coolepennenzakken.xyz?
We looked into whether criminals exploit this trust in order to carry out phishing attacks.
The survey showed that for the three ccTLDs, the most imitated companies are not based in Belgium, the Netherlands or Ireland, and that cybercriminals most often impersonate banks and financial institutions.
Phishing attacks using domain names from one of the three ccTLDs in this study cover 78 countries and span 114 market segments. This shows that cybercriminals' use of ccTLDs poses a global threat.
New and existing domain names compromised
Our study showed that 80% of phishing attacks use compromised websites and not newly registered domains.
Criminals most often use existing domain names to impersonate an international company. New domain names are more likely to be used for national phishing attacks.
This choice may also have financial reasons. It's cheaper to use an existing domain name for fraudulent activities than it is to pay for a new domain name and its hosting.
Financial activities and tech companies
Cybercriminals prefer to impersonate banks, financial institutions and big IT companies in phishing attacks. Microsoft is cybercriminals' unfortunate favourite in this respect. Microsoft, Google, Netflix and PayPal domain names are used in as many as 58% of all phishing attacks in the three studied zones.
The financial and technology sectors are attractive to cybercriminals because they have access to their customers' valuable data and financial resources.
Policy of registries proves to be crucial
The study highlights the importance of an effective anti-abuse policy and of measures to prevent abuse. The way ccTLD registries such as DNS Belgium handle abuse reports plays a crucial role in limiting phishing attacks.
Phishing can be dealt with on two levels:
At DNS level there are three possibilities:
- The registry deletes the abused domain name from the zone file and from the namespace.
- The registry suspends the abused domain name, thus removing it from the DNS zone but not from the namespace. Note that without a delegation the domain's other services (including e-mail) stop resolving as well, which matters when a legitimate but compromised site is involved.
- And lastly, the domain name can remain in the zone and namespace, but have its authoritative name servers (NS records) changed, so that the phishing site is no longer reachable under that name.
At web level, the phishing content can simply be removed from the website, while the domain name and its DNS delegation stay untouched.
Through strict registration requirements and rapid responses to abuse reports, registries can help to reduce phishing. Each registry for a ccTLD is free to develop its own policies to counter abuse.
The study concluded that 75% of fraudulently registered domain names in the .be zone are addressed at DNS level. In 49.6% of cases, DNS Belgium does this directly. Our Dutch colleagues choose to have the abuse dealt with primarily by registrars.
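To make the two classifications above concrete, here is an added example (not code from the study or from any of the registries) that shows how a registry could tag each phishing report by registration type ("compromised" versus "malicious registration", as in the 80% figure above) and by mitigation level (deleted, suspended, NS changed, or web level only), and then compute the same kind of shares the study reports. The 30-day window for "newly registered", the field names, the name servers and the four sample reports are all assumptions constructed for the example; the study's own method for separating compromised from fraudulently registered domains is not described on this page.

```python
from dataclasses import dataclass
from datetime import date

# Assumption (not from the study): a domain registered within this many days
# before the phishing report counts as a malicious registration; anything
# older counts as a compromised, legitimately registered domain.
NEW_REGISTRATION_WINDOW_DAYS = 30


@dataclass(frozen=True)
class PhishReport:
    domain: str
    created: date        # registration date from registry data
    reported: date       # date the phishing report came in
    registered: bool     # still present in the registry database (namespace)?
    in_zone: bool        # still delegated (NS records) in the TLD zone?
    original_ns: tuple   # NS set before the takedown
    current_ns: tuple    # NS set observed after the takedown


def registration_type(r: PhishReport) -> str:
    """'malicious registration' vs 'compromised', from the domain's age at report time."""
    age_days = (r.reported - r.created).days
    if age_days < 0:
        raise ValueError(f"{r.domain}: reported before it was registered")
    if age_days <= NEW_REGISTRATION_WINDOW_DAYS:
        return "malicious registration"
    return "compromised"


def mitigation_level(r: PhishReport) -> str:
    """Map the post-takedown DNS state to one of the options described in the text."""
    if not r.registered and r.in_zone:
        raise ValueError(f"{r.domain}: delegated in the zone but not registered")
    if not r.registered:
        return "dns:deleted"        # gone from both zone and namespace
    if not r.in_zone:
        return "dns:suspended"      # out of the zone, still in the namespace
    if set(r.current_ns) != set(r.original_ns):
        return "dns:ns-changed"     # still delegated, but to other name servers
    return "web"                    # DNS untouched: only the content can have been removed


def summarise(reports) -> dict:
    """Share of compromised domains and share of reports handled at DNS level."""
    n = len(reports)
    compromised = sum(registration_type(r) == "compromised" for r in reports)
    dns_level = sum(mitigation_level(r).startswith("dns:") for r in reports)
    return {
        "total": n,
        "compromised_share": compromised / n,
        "dns_level_share": dns_level / n,
    }


# Constructed sample reports; these are not data from the study.
HOSTER = ("ns1.hoster.example", "ns2.hoster.example")
SAMPLE = [
    # old site, now suspended (registered, no delegation)
    PhishReport("shop-a.example", date(2023, 1, 10), date(2023, 9, 5), True, False, HOSTER, ()),
    # registered 3 days before the report, deleted outright
    PhishReport("bank-login.example", date(2023, 8, 30), date(2023, 9, 2), False, False, HOSTER, ()),
    # old site, kept in the zone but re-delegated to a holding name server
    PhishReport("club-c.example", date(2019, 5, 1), date(2023, 9, 10), True, True, HOSTER, ("ns.hold.example",)),
    # fresh registration, DNS untouched: handled (if at all) at web level
    PhishReport("parcel-d.example", date(2023, 9, 1), date(2023, 9, 20), True, True, HOSTER, HOSTER),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.domain:22} {registration_type(r):23} {mitigation_level(r)}")
    print(summarise(SAMPLE))
```

The age threshold is the weak point of any such classification: a criminal who registers a domain and lets it sit for a few months before using it will be counted as "compromised", so in practice the window should be checked against registrar and hosting data rather than applied blindly.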
Continuous action and raising awareness
Based on our study we can issue several recommendations to combat phishing more effectively.
- Registries should cooperate and share information both among themselves and with security organisations to respond quickly to new threats.
- We need to focus more on raising companies' and consumers' awareness and knowledge of phishing.
This article is based on SIDN's original article, which discusses the conclusions of our study in detail: https://www.sidnlabs.nl/en/news-and-blogs/cctld-phishing-characterisation.