Improvements to the Cybercrime Information Center

Contributed by Dr. Colin Strutt, Interisle Consulting Group

We have made some changes and improvements to the Cybercrime Information Center. These expand our analytics capabilities and allow us to provide more and broader insights regarding how and where criminals obtain the resources that they use to commit cybercrimes.

Domain registration data for ccTLDs

With our new collection system and database in production, we are now additionally collecting data from country code TLDs (ccTLDs) that make domain registration information available. We don’t use personal data, but we can now identify, where provided, non-personal data such as the business entity (e.g., a domain registrar) that processed the registration, when the domain name was registered, and certain DNS information.

We are now collecting registrar names for a number of ccTLDs. For our November 2021 – January 2022 TLD phishing reports, this gives us insights into 36 additional ccTLDs and a total of 73,198 additional phishing attacks, involving 66,981 phishing domains.

Some interesting factoids from our November 2021 – January 2022 TLD phishing activity:

ccTLDs with most phishing attacks (for which we now have registration data)

ccTLD    Phishing Attacks
.cn      20,543
.tk      11,036
.ml      8,507
.ga      7,092
.gq      5,409

Registrar with most ccTLD attacks (for which we now have registration data)

Registrar                                                                          Phishing Attacks
Freenom                                                                            37,510
阿里云计算有限公司(万网) (Alibaba Cloud Computing Co., Ltd., Wanwang)                  17,786
阿里巴巴云计算(北京)有限公司 (Alibaba Cloud Computing Co., Ltd., Beijing)              3,504
广州云讯信息科技有限公司 (Guangzhou Yunxun Information Technology Co., Ltd.)           2,595

Targeted brand identification

We've enhanced the way that we make use of the targeted brand identification that our phishing feeds include in their reports.

Brand metadata is “free form”, and there is no assurance of consistency across the phishing feeds that we ingest. For example, the reporter may identify a brand by its full business name (e.g., Bank of America), a partial name (Bank America), or an acronym (BoA). They may mistype the brand. On occasion, an acronym, e.g., USAA, may have more than one expansion. We review brand metadata periodically to add rules to normalize the various strings that reporters use when naming targeted brands to obtain more accurate targeted brand measurements. The rules provide us with a set of brand equivalence strings that we use when we measure most targeted brands in our Phishing Landscape studies.
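To make the idea of brand equivalence rules concrete, here is an added sketch in Python; it is not the Cybercrime Information Center's own code. The rule set, the "BofA" and PayPal entries, the fuzzy-match cutoff and the sample strings are all constructed assumptions. It folds case and punctuation, applies equivalence rules, tolerates typos in full names only, and sends ambiguous acronyms and unknown strings to a review queue instead of guessing.

```python
import re
from collections import Counter
from difflib import get_close_matches

# Constructed rule set: canonical brand -> strings seen in feed metadata.
# "BofA", "PayPal" and its variants are illustrative, not from the page.
EQUIVALENTS = {
    "Bank of America": ["Bank of America", "Bank America", "BoA", "BofA"],
    "PayPal": ["PayPal", "Pay Pal"],
}
AMBIGUOUS = {"usaa"}  # acronyms with several expansions: never auto-resolved
MIN_FUZZY_LEN = 6     # short acronyms collide too easily to fuzzy-match

def fold(s):
    """Lowercase, strip punctuation, collapse whitespace."""
    return re.sub(r"\s+", " ", re.sub(r"[^\w\s]", "", s.lower())).strip()

ALIAS = {fold(a): brand for brand, names in EQUIVALENTS.items() for a in names}

def normalize(raw, cutoff=0.85):
    """Map one free-form brand string to (canonical brand or None, reason)."""
    key = fold(raw)
    if not key:
        return None, "empty"
    if key in AMBIGUOUS:
        return None, "ambiguous"
    if key in ALIAS:
        return ALIAS[key], "rule"
    if len(key) >= MIN_FUZZY_LEN:  # typo tolerance for full names only
        pool = [a for a in ALIAS if len(a) >= MIN_FUZZY_LEN]
        close = get_close_matches(key, pool, n=1, cutoff=cutoff)
        if close:
            return ALIAS[close[0]], "fuzzy"
    return None, "unmatched"

def measure(reports):
    """Count attacks per canonical brand; queue the rest for rule review."""
    counts, review = Counter(), []
    for raw in reports:
        brand, reason = normalize(raw)
        if brand:
            counts[brand] += 1
        else:
            review.append((raw, reason))
    return counts, review

# Constructed sample of brand strings from phishing reports.
SAMPLE = ["Bank of America", "Bank America", "BoA", "Bank of Amercia",
          "USAA", "Pay-Pal", "Example Credit Union"]
```

Calling `measure(SAMPLE)` returns the per-brand counts and the review queue; strings in the queue are the ones a periodic review would turn into new rules.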

Malicious domain registration determination

We’ve improved our ability to distinguish domains that we believe were purposely registered for phishing attacks (malicious domain registrations) from domain names that were registered for legitimate purposes but misused or compromised by criminals and used to perpetrate phishing.

We have expanded our analytics to include rules to determine whether a phishing domain is malicious versus compromised, based on label length and composition and the adjacency to other similarly composed labels in our data. Our analysis based on these new rules has found an additional 5% of domains that we believe were maliciously registered.

To Infinity… and beyond!

We’re excited to continue to contribute to and broaden the analytics capabilities of the Cybercrime Information Center. Much like curious photographers will adjust aperture to find the best light and focus, we’ll continue to adjust our lens to find, measure and gain better insights into cybercrime.


If you have a novel use for Cybercrime Information Center Data and are interested in sharing with our community, contact us at criminaldomainabuse@interisle.net