Fighting Cyber-Enabled Fraud 2025

1.1 Criminals exploit digital infrastructure services at scale

Phishing campaigns depend on a set of legitimate infrastructure services that have been repurposed for abuse. As discussed in more detail below, these include domain names (influenced by automation and low pricing), subdomains, reverse proxy services and delivery mechanisms.
Malicious domain registration remains a persistent, large-scale problem: In 2024, cyber criminals used more than 8.6 million unique domain names in cyberattacks – an 81% increase over the previous year.[16] The NetBeacon Institute recently observed “the largest month-on-month increase in unique domain names associated with phishing (63%). Most (87%) of this phishing was classified as ‘maliciously registered’. The bulk of this malicious phishing was concentrated among a few registrars […].”[17] An Internet Corporation for Assigned Names and Numbers (ICANN)-funded study similarly found that a mere 20 registrars, out of the more than 3,000 accredited, accounted for nearly 84% of maliciously registered domains found within a sample set.[18] ICANN further observed that “discounted pricing and bulk registration opportunities were strongly associated with abuse”.[19] While it did not define a fixed numerical or time-based threshold for “bulk” registration, the study examined bulk-related features such as bulk discounts, free bulk search and prerequisite-free application programming interface (API) access as associated indicators.
Services are a growing enabler of phishing: Subdomains (e.g. mail.example.com) – commonly offered through hosting providers, website builders and software-as-a-service (SaaS) platforms – are increasingly being exploited for phishing. Between roughly one-quarter (24%)[20] and one-third (36.27%)[21] of phishing attacks in recent years made use of subdomains, more than doubling between 2021 and 2024.[22] Additionally, Interisle’s most recent phishing landscape report observed that “89% of the subdomain-provider attacks occurred on domains operated by just ten providers, which shows how the choices made by a few companies can affect the phishing landscape”.[23] Any measures taken to prevent abuse are voluntary, unless required under the upstream registrar’s own terms of service or mandated by local regulations. When subdomain providers fail to act, registrars may be pressed to suspend the parent domain – but such steps carry the risk of extensive collateral damage, disabling hundreds or thousands of legitimate services at once.[24]

Automation in domain registration and configuration fuels the speed and scale of abuse: Bad actors leverage automation to create multiple accounts and register domains at speed and scale. The availability of unrestricted APIs enables large-scale, automated domain creation and configuration, which attackers use to rapidly deploy phishing infrastructure.[25] ICANN found that registrars permitting API access saw a fourfold increase in malicious activity,[26] and according to the NetBeacon Institute, introducing friction to slow abuse at scale, such as requiring new registrants to pass a basic trust threshold at the registrar before gaining access to programmatic registration tools, could be part of the solution.[27]
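To make the subdomain-provider versus registrar distinction above concrete, here is an added Python example (not code from the report or its cited studies): it attributes each phishing hostname to the party best placed to act on it and measures how concentrated the abuse is across parties, the pattern behind the “just ten providers” finding. The provider list, the public-suffix list and the hostnames are all constructed assumptions.

```python
# Added example: attribute phishing hostnames to the responsible party
# (subdomain provider vs. registrar-level domain) and measure concentration.
from collections import Counter

# Hypothetical subdomain-provider parent domains (assumption, not real providers).
SUBDOMAIN_PROVIDERS = {
    "pages.example-host.net",
    "sites.example-builder.com",
    "app.example-saas.io",
}

# Minimal stand-in for the public suffix list; only these suffixes are known.
PUBLIC_SUFFIXES = {"com", "net", "io", "org", "co.uk"}

# Constructed sample of phishing hostnames (not real indicators).
SAMPLE_HOSTS = [
    "login-bank.pages.example-host.net",
    "secure-update.pages.example-host.net",
    "verify.pages.example-host.net",
    "account.sites.example-builder.com",
    "mail.fake-bank-login.com",
    "www.fake-bank-login.com",
    "parcel.fake-delivery.co.uk",
]

def registrable_domain(hostname):
    """Return the registrar-level domain, e.g. 'example.com' for 'mail.example.com'."""
    labels = hostname.lower().rstrip(".").split(".")
    for n in (2, 1):  # try the longer (two-label) public suffix first
        suffix = ".".join(labels[-n:])
        if suffix in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return hostname.lower()

def responsible_party(hostname):
    """Classify a host by who can take it down: the subdomain provider that
    operates the parent domain, or otherwise the registrar of the domain."""
    host = hostname.lower().rstrip(".")
    for parent in SUBDOMAIN_PROVIDERS:
        if host.endswith("." + parent):
            return ("subdomain_provider", parent)
    return ("registrar", registrable_domain(host))

def concentration(hostnames):
    """Count hosts per responsible party and return the share held by the
    single largest party (the 'a few providers' effect in the report)."""
    counts = Counter(responsible_party(h) for h in hostnames)
    top, top_n = counts.most_common(1)[0]
    return counts, top, top_n / len(hostnames)
```

Run `concentration(SAMPLE_HOSTS)` to see that three of the seven constructed hosts fall under one hypothetical subdomain provider, so that provider, not a registrar, is the party whose action would remove the most phishing hosts.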
Domain hijacking through account takeover drives online fraud: Domain hijacking through account takeover is a major driver of online fraud, as attackers gain unauthorized access to domain registrant accounts – often using stolen or reused credentials – to seize control of valuable domains.[28] Once hijacked, these domains can be exploited for malicious purposes such as phishing campaigns, spreading malware, impersonating legitimate brands or redirecting users to fraudulent websites. Strengthening authentication, monitoring suspicious activity and enforcing strict access controls are key to preventing such fraudulent takeover.
Reverse proxy services can shield and legitimize phishing infrastructure: Reverse proxy services serve legitimate purposes – improving performance, providing protections against distributed denial of service (DDoS) attacks and enhancing security for websites worldwide. However, they also offer concealment advantages that criminals have been observed exploiting.[29,30,31] By terminating encrypted TLS sessions at the proxy endpoint, they mask the true hosting origin of malicious websites, re-encrypt traffic and present only the proxy’s reputable infrastructure to victims and investigators. This provides anonymity, free TLS certificates (which enables the trusted padlock icon to appear in the user’s browser), high performance and resilience – key enablers for phishing. Many providers bundle reverse proxy, content delivery network (CDN) and security services, but it is the proxy function that most directly facilitates abuse.