Phishing Phishing Activity in Hosting Networks (ASNs)
August 1, 2020 - October 31, 2020
To see where phishing sites were being hosted, we collected the IP addresses that phishing domains and phishing URLs were resolving to when phishing activity was detected and added to a threat or block list. We then identified the ASN where the IP prefix containing the IP address of the phish is allocated and this number identifies the hosting network where phishing attacks were reported.
For the August-October 2020 period, we identified
- 136 hosting networks with at least 100 reported phishing attacks,
- 36 hosting networks with at least 500 reported phishing attacks, and
- 18 hosting networks with at least 1000 reported phishing attacks
We measure phishing attacks to show where phishing sites are hosted and to identify the hosting service that has been allocated the IPv4 address space wherein the IP address of the phishing site lies.
A phisher may use one, several, or large numbers of URLs in a single phishing campaign. We apply rules to our phishing reports to de-duplicate URLs and to analyze hostname, URL path composition, target, and abuse report dates for similarities to obtain sets of URLs that we consider to be involved in one phishing attack. We also apply additional rules to group URLs into attacks based on observed cases.
Table 1 shows the twenty hosting networks with the highest numbers of reported phishing attacks. Several ASNs with small IPv4 address delegations - NAMECHEAP-NET, WEEBLY, AWEX, and BEON-AS-ID PT - had extraordinarily high counts of phishing attacks during this reporting period.
Table 1. Ranking of Hosting Networks (ASNs) by Phishing Attacks (August to October 2020)
| Rank | AS Name | AS number | # Routed IPv4 Addresses |
Phishing Attacks ▼ | Phishing Attack Score |
| 1 | 15169 | 15,217,408 | 17,106 | 11.24 | |
| 2 | CLOUDFLARENET | 13335 | 2,542,848 | 11,467 | 45.10 |
| 3 | NAMECHEAP-NET | 22612 | 65,792 | 11,311 | 1719.21 |
| 4 | UNIFIEDLAYER-AS-1 | 46606 | 1,393,664 | 8,481 | 60.85 |
| 5 | AWEX - Hostinger International Limited | 204915 | 768 | 3,657 | 47617.19 |
| 6 | DIGITALOCEAN-ASN | 14061 | 2,348,544 | 3,081 | 13.12 |
| 7 | WEEBLY | 27647 | 2,048 | 2,898 | 14150.39 |
| 8 | OVH - OVH SAS | 16276 | 3,556,608 | 2,878 | 8.09 |
| 9 | HETZNER-AS - Hetzner Online GmbH | 24940 | 1,912,320 | 2,442 | 12.77 |
| 10 | MICROSOFT-CORP-MSN-AS-BLOCK | 8075 | 38,437,120 | 2,350 | 0.61 |
| 11 | AS-26496-GO-DADDY-COM-LLC | 26496 | 1,579,520 | 2,213 | 14.01 |
| 12 | AMAZON-02 | 16509 | 37,400,576 | 2,045 | 0.55 |
| 13 | CNNIC-ALIBABA-US-NET-AP Alibaba (US) Technology Co. | 45102 | 12,102,912 | 1,983 | 1.64 |
| 14 | CONTABO - Contabo GmbH | 51167 | 217,344 | 1,861 | 85.62 |
| 15 | BEON-AS-ID PT. Beon Intermedia | 55688 | 2,560 | 1,409 | 5503.91 |
| 16 | MULTA-ASN1 | 35916 | 3,491,584 | 1,322 | 3.79 |
| 17 | BEGET-AS - Beget LLC | 198610 | 23,552 | 1,180 | 501.02 |
| 18 | AS-COLOCROSSING | 36352 | 792,064 | 1,002 | 12.65 |
| 19 | AS-REGRU - "Domain names registrar REG.RU", Ltd | 197695 | 77,824 | 969 | 124.51 |
| 20 | PUBLIC-DOMAIN-REGISTRY | 394695 | 34,560 | 856 | 247.69 |
To allow comparison of large and small Hosting Networks (ASNs), we also rank Hosting Networks based on a metric, phishing attack score, which is calculated by dividing the number phishing attacks reported against an ASN by the number of routable IPv4 addresses allocated to that ASN.
Hosting (ASN) Phishing Attack Score = (number of phishing attacks/IP Addresses in ASN) * 10,000
Table 2 shows the top 20 hosting operators based on phishing attack score.
Table 2. Ranking of Hosting Networks (ASNs) by Phishing Attack Score (August to October 2020)
Hosting Networks (ASNs) with a minimum of 50,000 IPv4 addresses and 25 phishing domains
| Rank | AS Name | AS number | # Routed IPv4 Addresses |
Phishing attacks | Phishing Attack Score ▼ |
| 1 | NAMECHEAP-NET | 22612 | 65,792 | 11,311 | 1719.21 |
| 2 | AS-REGRU - "Domain names registrar REG.RU", Ltd | 197695 | 77,824 | 969 | 124.51 |
| 3 | IMH-WEST | 22611 | 62,720 | 760 | 121.17 |
| 4 | INMOTI-1 | 54641 | 55,808 | 500 | 89.59 |
| 5 | CONTABO - Contabo GmbH | 51167 | 217,344 | 1,861 | 85.62 |
| 6 | RACKRAY - UAB Rakrejus | 62282 | 54,784 | 347 | 63.34 |
| 7 | UNIFIEDLAYER-AS-1 | 46606 | 1,393,664 | 8,481 | 60.85 |
| 8 | NOCIX | 33387 | 57,856 | 348 | 60.15 |
| 9 | AS-HOSTINGER - Hostinger International Limited | 47583 | 84,480 | 459 | 54.33 |
| 10 | LEASEWEB-DE-FRA-10 - Leaseweb Deutschland GmbH | 28753 | 90,112 | 456 | 50.60 |
| 11 | PONYNET | 53667 | 59,136 | 276 | 46.67 |
| 12 | CLOUDFLARENET | 13335 | 2,542,848 | 11,467 | 45.10 |
| 13 | UKFAST - UKFAST.NET LIMITED | 61323 | 76,544 | 316 | 41.28 |
| 14 | OPENDNS | 36692 | 79,616 | 320 | 40.19 |
| 15 | LIQUIDWEB | 32244 | 254,464 | 837 | 32.89 |
| 16 | ST-BGP | 46844 | 141,056 | 464 | 32.89 |
| 17 | WII | 32097 | 92,160 | 286 | 31.03 |
| 18 | A2HOSTING | 55293 | 123,136 | 344 | 27.94 |
| 19 | HKKFGL-AS-AP HK Kwaifong Group Limited | 133115 | 50,176 | 131 | 26.11 |
| 20 | MASTER-AS - Master Internet s.r.o. | 24971 | 59,648 | 155 | 25.99 |
Activity in Hosting Networks (ASNs)