FraudWatch International Blog

You are here: Home » Blog » Insights from APWG’s 4th Quarter 2016

Insights from APWG’s 4th Quarter 2016

The Anti-Phishing Working Group (APWG) is the worldwide coalition unifying the global response to cyber-crime across industry, government and law-enforcement sectors. The information in this article is a description of what is trending, according to APWG recently published Phishing Activity Trends Report for 4th Quarter 2016.

The APWG recorded more phishing in 2016 than during any other year since 2004, when it began monitoring.

Phishing Activity Trends for 4th Quarter 2016:

  • In Q4 2016, 190,000 new malware samples were captured per day.
  • The world's most-infected countries are led by China, where 47.09% of computers are infected by malware, followed by Turkey (42.88%) and Taiwan (38.98%).
  • Scandinavian countries continued to have the lowest percentages of infection.
  • Phishers can fool victims without needing to register domain names.
  • The number of phishing websites observed in Q4 2016 by APWG dropped significantly to 277,693.
  • The number of brands targeted by phishers almost halved from previous quarters.
  • Social Media and traditional phishing are being used by scammers in Brazil to con Internet users.

Malware Infected Countries

PandaLabs (a member of APWG) discovered an average of 190,000 new malware samples per day between October and December 2016. This is the lowest recorded figure for 2016. Trojans continued to be the most prevalent type of malware in the fourth quarter of 2016 accounting for 70.03% of new malware strains detected. PandaLabs analysis found that infections were caused by Trojans in 74.99% of cases, while PUPs (Potentially Unwanted Programs) ranked second, accounting for 21.45% of infections (slightly less than in Q3).

China had the highest malware infection rate, with 47.09%, whilst at the other end of the scale, Sweden took back the title from Norway for the lowest infection rate, at 20.03%. (Note: Quite a few countries recorded a decrease in rate of infection for Q4, however a number of countries had a slight increase).

Highest Ranked     Lowest Ranked
Ranking Country Infection Rate     Ranking Country Infection Rate
1 China 47.09%     41 Japan 21.79%
2 Turkey 42.88%     42 Denmark 21.54%
3 Taiwan 38.98%     43 Finland 20.78%
4 Ecuador 36.54%     44 Norway 20.51%
5 Russia 36.02%     45 Sweden 20.03%


Use of Domain Names for Phishing – 4th Quarter 2016

Analysts examined the thousands of phishing attack URLs that were submitted to the APWG’s data clearinghouse in Q4 2016. This reveals where phishers obtained domain names and how they conducted their attacks.

Below are the top-5 Top-Level Domains (TLDs) where phishing attacks occurred in Q4 2016:

October November December
.com 6,317 .com 6,757 .com 6,579
.net 596 .net 604 .net 523
.org 570 .org 577 .tk 484
com.br 430 com.br 426 .org 432
.ru 349 .info 350 .info 398

Some of these domains were compromised (i.e. phishing URLs were planted on existing web sites after the phishers broke into the web servers). Other domains were likely registered by phishers specifically to support new phishing sites.

A surprisingly low number of phishers registered domain names that were ‘confusingly similar’ to the brands they were phishing.

Note: Examples of ‘confusingly similar’ domain names might be: pay5al.com, pay.pal.com, or
paypal.sign-in.online, which look like the legitimate site Paypal.com.

Users are instead being deceived by hyperlinks (which only reveal the true destination if hovered over), brand names inserted elsewhere in the URL or URL shorteners (which conceal the destination domain).

Phishing and Identity Theft Techniques in Brazil

A Brazilian APWG member company observed more than 2,000 fraud occurrences that targeted Brazilian companies and individuals. Most of these appeared as scams on social media (952), mobile apps scams (318), and traditional phishing sites (304). Very few of the targeted companies or users were hosted in Brazil. Most were hosted in the US, which is not surprising, given that a large portion of the world's web servers are located there.

The data shows that even when criminals target victims in a very specific region, they use Internet infrastructure around the globe in order to carry out their attacks. The only way to disrupt this cross-border crime is by timely cooperation between the private entities that can detect and shut down the problems: hosting providers, victim companies, security response companies, and domain registries and registrars.

Phishing Site Trends

The total number of unique phishing websites observed by APWG in Q4 dropped significantly from the previous quarter to 277,693. The volume of Phishing attacks in the second half of 2016 was roughly the same as the second half of 2015, compared to the exorbitantly high volumes of attacks in the first 6 months of 2016.

Unique phishing campaigns received by APWG from consumers – in which multiple users receive emails with a common subject line, directing them to a specific phishing site – decreased slightly with 211,032 reports submitted during Q4, compared to the Q3 figure of 229,251 reports. The peak was recorded in December with 95,555 reports.

To visualise how high the phishing activity was in 2016, below is a comparison of phishing attack statistics for 2015 and 2016. The phishing activity in early 2016 was the highest ever recorded by the APWG since it began monitoring in 2004. Phishing activity in Q4 2016 was higher than any quarter in 2015. There was a 65% increase compared to 2015, with 2016 recording a total number of 1,220,523 phishing attacks.

Over the 12 years that APWG have been monitoring phishing attacks, there has been a monumental increase in the figures they have presented. In the fourth quarter of their first year, back in 2004, APWG found 1,609 phishing attacks per month, compared to an average of 92,564 phishing attacks per month, in the 4th Quarter of 2016. That is a 5,753% increase.

Brand Attacks

In the first three quarters of 2016, the number of brands targeted by phishers remained steady at around 400 per month. However, this figure dropped significantly down to 264 unique brands in December 2016. This shows that phishers targeted less brands throughout the holiday season and didn't bother with low-yielding or experimental targets.

The Retail and Financial service sectors remained as the top-most targeted industries in 4th Quarter 2016.

Receive Blog updates to your Inbox! Subscribe Now

Sales Enquiry