Phishing attack spiked to 67,677 during the last half of 2010, up from 48,244 in the first half of last year, according to the Global Phishing Survey 2H2010 report published today.

The Anti-Phishing Working Group (APWG), which issues the bi-annual reports, says the increase is largely due to better information it now has about attacks on Chinese targets. That data was contributed by the China Internet Network Information Centre (CNNIC), which operates the .CN domain registry, and is also the secretariat of the Anti-Phishing Alliance of China, with its 140 member institutions, such as Chinese banks, e-commerce sites, and domain registrars.

"We had only about 20 percent of the data they gave us," said Rod Rasmussen, co-author of the APWG report who is also president and CTO at Internet Identity, about CNNIC's research contributions related to phishing in China.

The history of .CN domains is that in December 2009, "new rules in China barred individuals from registering .CN domains, and required all potential registrants to present a paper application form with a copy of a company business licence and a copy of the registrant's personal identification", the APWG report notes. The result is that "the .CN registry fell from 13.5 million in late 2009 to just 3.4 million in March 2001".

Although historically about 80 percent of phishing attacks around the world appear to have used the hacked web servers of innocent domain registrants, "in contrast, the Chinese phishers prefer to register domain names and subdomains for their malicious work", the report notes.

"Phishing hadn't hit China until recently," explains Rasmussen, noting that about five years ago phishers in the US and Europe also preferred to use registered domain names but over time realised "no one cares about the URL" and shifted more to breaking into websites.

By APWG's reckoning, there were 12,282 attacks on Chinese institutions in the second half of 2010, utilising 6,382 unique domain names "plus a staggering 4,737 free CO.CC subdomains. Of the 6,382 domain names, just 487 looked hacked".

Out of the 12,282 attacks on Chinese institutions in the second half of 2010, about 75 percent of them targeted Taobao.com, the Chinese-language website for shopping and auctions such as eBay, the report states.

Wherever they may be, phishers also like to phish for the online credentials of those playing online games, mainly World of Warcraft and Battle.net, with about 18 percent of worldwide phishing attacks going after that group, in order to sell user game credentials on the black market

Another indicator measured by the report is the average and median uptimes of phishing attacks. According to the Global Phishing Survey 2H2010, that rose to an average uptime of 72 hours, "the longest average for any time period since we began our uptime measurements three years ago", according to the report. The median uptime of a phishing site was 15 hours and 19 minutes.

Uptime matters because "the longer a phishing attack remains active, the more money the victims and target institutions lose. The first two days of a phishing attack are believed to be the most lucrative for the phisher, so quick take-downs are essential", says the report. 

Rasmussen says there's no obvious or simple explanation for why uptime is now greater. He points out the majority of phishing attacks do appear to be against a few hundred companies, especially the larger banks, e-commerce and big name brands, along with gaming sites such as World of Warcraft. For example, gaming sites do not yet appear to move as quickly as banks in taking steps to make sure that phishing sites get shut down.

According to the APWG report, over half of phishing attacks worldwide makes use of namespaces in .com, .net, .TK and .CC. The report also points out that the exploitation of subdomain services for phishing purposes continues to grow, nearly doubling to 11,768 in the second half of 2010, 40 percent of them associated with the CO.CC service based in Korea. A shift in activity is that the Russian free email provider Pochta.ru, which had once been "a perennial abuse target", almost eliminated phishing from its service in the second half of 2010, the report says.