Threat Intelligence Blog

Posted November 5, 2014


Image courtesy Munksynz.

Last month we shared some data from a year’s worth of collected phishing URLs. In that post, we described the relationship between Alexa rankings and the likelihood that a URL leads to a phishing attack.

In this post we’ll examine another insight gained from examining that data.


A phishing attack found on a Sudanese government server.

Earlier this week, we found the PayPal phishing attack shown above hosted on a Sudanese government server, (Khartoum is the capital of Sudan).

This made us wonder: how common is it to find a phishing attack on a website administered by a government? To find the answer, we looked at the aforementioned data, which is comprised of all phishing URLs we found from through – a little more than 72,000 unique domain names.

To be clear, these are very unlikely to be attacks created by foreign governments themselves, but happen when criminals compromise a government-owned server and use it to host the phishing attack. This is a very common method used by cyber criminals for phishing, and in fact, the most recent quarterly analysis by APWG found that approximately 75% of attacks take place on compromised servers.

Brazil Tops List of Compromised .Gov Sites

Here is the breakdown of individual hosts which contain .gov in the top level domain (TLD) of the host. For example, “” and “” would meet that criteria but “” would not.

A sample of the government hosts found to contain phishing attacks. You can download the complete list of 195 here.

A sample of the government hosts found to contain phishing attacks. You can download the complete list of 195 here.

The results showed 195 distinct phishing attacks hosted on government-administered servers from September 2013 to September 2014, across 47 different government TLDs.

government-phishing government-phishing-raw-numbers

Brazilian government websites hosted the most phishing attacks, followed closely by China.


By and large, the government servers most likely to be compromised and host phishing attacks come from countries in emerging markets that are enjoying positive, if not turbulent, economic growth. Because of Brazil’s and China’s poor performance in this study (the two powerhouses accounted for a quarter of all government hosted phishing attacks in our sample) it is tempting to associate the likelihood of a government site hosting a phishing attack with being a BRICS economy. However, India and South Africa combined accounted for only five phishing attacks. Curiously, despite having an enormous online footprint and a reputation for being a hotspot for cybercrime, we didn’t find a single phishing attack originating from Russian government sites.

In any case, the data suggest that countries whose economies are growing quickly may have a harder time securing their infrastructure online than more established economic powers. For example, with China’s breakneck pace of growth it should be no surprise that there are government servers stood up without optimal security in place. A hallmark of emerging markets is a lack of skilled or technical labor.


Our results, like any, should be interpreted with certain considerations. The string we used to identify government-owned servers (.gov) is not always used in every government-owned host. For example, Spain uses .gob instead of .gov. That said, we have no reason to believe there are any particular reasons that the results presented above are inaccurate.

Learn how our Anti-Phishing solutions can help protect your business from the earliest stages of a phishing attack, including pharming and malware, to the takedown and removal of phishing websites.

Additional Posts

3 Signs Your Employees Need Cybersecurity Training

    With the end of the year approaching, it’s a great time to evaluate your employee ...

Cyveillance Weekly Trends Report – November 4, 2014

Welcome to the Cyveillance Weekly Trends Report Since threat intelligence is constantly evolving, ...