Resources > Blog > Panama's abundance of phish!

Panama's abundance of phish!

A thumbnail of the Netcraft logo

According to tradition, the country of Panama was named after a former indigenous fishing village and its nearby beach called Panamá, meaning “an abundance of fish”; but today, it looks like Panama has an abundance of phish!

Netcraft has blocked nearly 5,000 phishing sites in Panama over the past three months, which is an astounding amount considering Panama hosts fewer than 13,000 active websites in total.

Nearly 4,000 phishing sites are still blocked, making Panama the phishiest country in the world at the present moment. To give these figures some perspective, only 0.007% of the world’s active sites are hosted in Panama, yet it hosts 1.0% of all phishing sites that are currently blocked.

An Apple ID phishing site currently hosted by Offshore Racks in Panama. An Apple ID phishing site currently hosted by Offshore Racks in Panama.

Around 1.9 million people are estimated to use the internet in Panama, but most of the phishing sites hosted there are clearly aimed at foreigners, as the majority are not written in Panama’s official language of Spanish. In fact, most of the currently blocked phishing sites target customers of Italian banks, and a large proportion of new phishing sites found in Panama over the past month were written in English and targeted Apple customers.

Most of the Apple phishing attacks make use of domain names that have been registered specifically to carry out these attacks, with many containing obvious references to Apple, Apple ID, or iCloud.

A handful of the domains used by Apple phishing attacks last month. A few examples of the domains used by Apple phishing attacks last month.

The majority of these phishing sites are hosted by Offshore Racks, a Panamanian hosting company that offers “high privacy” anonymous hosting and accepts payment in Bitcoins – ideal for fraudsters who do not want to be traced easily.

As the phishing sites make use of domain names that have been registered specifically for phishing, this suggests the fraudsters have purposely sought their own hosting arrangements, rather than adopting the more common method of deploying phishing kits on compromised web servers. While this eliminates the risk of the phishing content being deleted by the disgruntled owner of a compromised site, the obvious disadvantage for the fraudster is that he may have to pay for both domain registrations and hosting.

Offshore Racks' Acceptable Use Policy has said nothing more than "In development" since 2010 Offshore Racks’ Acceptable Use Policy has said nothing more than “In development…” since 2010.

While it is clear that the company responsible for hosting most of these phishing sites could be doing more to prevent the attacks, domain name registrars and domain registries are also well positioned to nip this activity in the bud. Netcraft’s Deceptive Domain Score service can be used to analyse the likelihood of a domain name being used for fraudulent activities, giving an opportunity to prevent the registration, flag for human inspection, or immediately suspend fraudulent domains, before malicious content can be uploaded. Domains that have already been registered can be suspended by TLD operators as soon as phishing activity is detected.

Consumers can boost their browsers’ standard security features by installing the Netcraft anti-phishing extension. As well as blocking access to known phishing sites, it will display the hosting location, Risk Rating and other information that can help establish the authenticity of every site visited.