Phishing Activity in Hosting Networks (ASNs)
May 1, 2020 - July 31, 2020
To see where phishing sites were being hosted, we collected the IP addresses that phishing domains and phishing URLs were resolving to when phishing activity was detected and added to a threat or block list. We then identified the ASN to which the IP prefix containing the IP address of the phish is allocated; this number identifies the hosting network where phishing attacks were reported.
For the August-October 2020 period, we identified
- 119 hosting networks with at least 100 reported phishing attacks,
- 30 hosting networks with at least 500 reported phishing attacks, and
- 18 hosting networks with at least 1000 reported phishing attacks.
We measure phishing attacks to show where phishing sites are hosted and to identify the hosting service that has been allocated the IPv4 address space wherein the IP address of the phishing site lies.
A phisher may use one, several, or large numbers of URLs in a single phishing campaign. We apply rules to our phishing reports to de-duplicate URLs and to analyze hostname, URL path composition, target, and abuse report dates for similarities to obtain sets of URLs that we consider to be involved in one phishing attack. We also apply additional rules to group URLs into attacks based on observed cases.
In the table below, we show the twenty hosting networks with the highest numbers of reported phishing attacks. Several ASNs with small IPv4 address delegations - NAMECHEAP-NET, AWEX, WEEBLY, PUBLIC-DOMAIN-REGISTRY, IHOR-AS, and SHINJIRU-MY-AS-AP - had extraordinarily high counts of phishing attacks during this reporting period.
Ranking of Hosting Networks (ASNs) by Phishing Attacks (May to July 2020)
Rank | AS Name | AS number | # Routed IPv4 Addresses | Phishing Attacks | Phishing Attack Score |
1 | UNIFIEDLAYER-AS-1 | 46606 | 1,373,952 | 9,174 | 66.77 |
2 | CLOUDFLARENET | 13335 | 1,570,304 | 8,700 | 55.40 |
3 | NAMECHEAP-NET | 22612 | 35,072 | 4,897 | 1396.27 |
4 | AS-26496-GO-DADDY-COM-LLC | 26496 | 935,168 | 3,860 | 41.28 |
5 | AWEX - Hostinger International Limited | 204915 | 768 | 3,657 | 47617.19 |
6 | | 15169 | 10,280,960 | 3,561 | 3.46 |
7 | CONTABO - Contabo GmbH | 51167 | 217,344 | 2,988 | 137.48 |
8 | OVH - OVH SAS | 16276 | 3,485,440 | 2,602 | 7.47 |
9 | WEEBLY | 27647 | 2,304 | 2,573 | 11167.53 |
10 | DIGITALOCEAN-ASN | 14061 | 2,328,832 | 2,114 | 9.08 |
11 | MICROSOFT-CORP-MSN-AS-BLOCK | 8075 | 37,570,816 | 2,095 | 0.56 |
12 | AMAZON-02 | 16509 | 50,380,544 | 1,862 | 0.37 |
13 | PUBLIC-DOMAIN-REGISTRY | 394695 | 32,000 | 1,512 | 472.50 |
14 | LIQUIDWEB | 32244 | 250,368 | 1,188 | 47.45 |
15 | BCPL-SG BGPNET Global ASN | 64050 | 216,320 | 1,144 | 52.88 |
16 | IHOR-AS - Ihor Hosting LLC | 35196 | 29,696 | 1,134 | 381.87 |
17 | HETZNER-AS - Hetzner Online GmbH | 24940 | 1,912,576 | 1,095 | 5.73 |
18 | CNNIC-ALIBABA-US-NET-AP Alibaba (US) Technology Co. | 45102 | 10,199,296 | 1,059 | 1.04 |
19 | SHINJIRU-MY-AS-AP Shinjiru Technology Sdn Bhd | 45839 | 21,248 | 981 | 461.69 |
20 | AS-COLOCROSSING | 36352 | 783,360 | 850 | 10.85 |
To allow comparison of large and small Hosting Networks (ASNs), we also rank Hosting Networks by a metric, the phishing attack score, which is calculated by dividing the number of phishing attacks reported against an ASN by the number of routable IPv4 addresses allocated to that ASN and scaling the result by 10,000.
Hosting (ASN) Phishing Attack Score = (number of phishing attacks/IP Addresses in ASN) * 10,000
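The attribution and scoring steps described above can be sketched as follows. This is an added example, not the report authors' code: it maps each attack's resolved IP to an origin ASN by longest-prefix match, counts attacks per ASN, and applies the score formula. The routes, ASNs and attacks are constructed sample data, and the function names and the `min_ips` filter parameter are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed routing data: documentation prefixes and private-use ASNs only.
ROUTES = [
    ("198.51.100.0/24", 64500),
    ("198.51.100.128/25", 64501),  # more-specific prefix inside the /24
    ("203.0.113.0/24", 64502),
    ("192.0.2.0/28", 64503),       # very small delegation
]
# Constructed, already de-duplicated attacks: (attack id, resolved IP).
ATTACKS = [
    ("a1", "198.51.100.10"), ("a2", "198.51.100.200"), ("a3", "198.51.100.201"),
    ("a4", "203.0.113.7"), ("a5", "192.0.2.5"), ("a6", "192.0.2.9"),
    ("a7", "192.0.2.77"),          # covered by no prefix: stays unattributed
]

def score(attacks, routed_ips):
    """Phishing attack score: attacks per 10,000 routed IPv4 addresses."""
    return round(attacks / routed_ips * 10_000, 2)

def origin_asn(ip, nets):
    """Longest-prefix match: the most specific covering prefix wins."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, asn) for net, asn in nets if addr in net]
    return max(hits)[1] if hits else None

def rank(routes, attacks, min_ips=0):
    """Return (rows sorted by score, unattributed count).
    Each row is (asn, routed_ips, attack_count, score)."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in routes]
    sizes = Counter()
    for net, asn in nets:
        # Assumption: an ASN's size is the sum of its announced prefix sizes.
        sizes[asn] += net.num_addresses
    counts = Counter(origin_asn(ip, nets) for _, ip in attacks)
    unattributed = counts.pop(None, 0)
    rows = [(asn, sizes[asn], n, score(n, sizes[asn]))
            for asn, n in counts.items() if sizes[asn] >= min_ips]
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows, unattributed

if __name__ == "__main__":
    for row in rank(ROUTES, ATTACKS)[0]:
        print(row)
```

With no size filter the 16-address network tops the ranking on only two attacks, which is the small-delegation effect a minimum address count removes.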
The table below shows the top 20 hosting operators based on phishing attack score.
Ranking of Hosting Networks (ASNs) by Phishing Attack Score (May to July 2020)
Hosting Networks (ASNs) with a minimum of 50,000 IPv4 addresses and 25 phishing domains
Rank | AS Name | AS number | # Routed IPv4 Addresses | Phishing Attacks | Phishing Attack Score |
1 | CONTABO - Contabo GmbH | 51167 | 217,344 | 2,988 | 137.48 |
2 | NOCIX | 33387 | 54,784 | 734 | 133.98 |
3 | OPENDNS | 36692 | 58,624 | 689 | 117.53 |
4 | AS-HOSTINGER - Hostinger International Limited | 47583 | 70,912 | 627 | 88.42 |
5 | AS-REGRU - "Domain names registrar REG.RU", Ltd | 197695 | 71,680 | 633 | 88.31 |
6 | UNIFIEDLAYER-AS-1 | 46606 | 1,373,952 | 9,174 | 66.77 |
7 | CLOUDFLARENET | 13335 | 1,570,304 | 8,700 | 55.40 |
8 | BCPL-SG BGPNET Global ASN | 64050 | 216,320 | 1,144 | 52.88 |
9 | A2HOSTING | 55293 | 85,760 | 439 | 51.19 |
10 | GCORE - G-Core Labs S.A. | 199524 | 72,704 | 347 | 47.73 |
11 | LIQUIDWEB | 32244 | 250,368 | 1,188 | 47.45 |
12 | AS-26496-GO-DADDY-COM-LLC | 26496 | 935,168 | 3,860 | 41.28 |
13 | WII | 32097 | 90,112 | 292 | 32.40 |
14 | SSASN2 | 20454 | 142,336 | 418 | 29.37 |
15 | SUNHK-DATA-AS-AP Sun Network (Hong Kong) Limited - HongKong Backbone | 38197 | 72,192 | 194 | 26.87 |
16 | RACKRAY - UAB Rakrejus | 62282 | 53,760 | 144 | 26.79 |
17 | PONYNET | 53667 | 55,296 | 144 | 26.04 |
18 | IS-AS-1 | 19318 | 112,640 | 257 | 22.82 |
19 | NFORCE - NForce Entertainment B.V. | 43350 | 71,936 | 163 | 22.66 |
20 | MASTER-AS - Master Internet s.r.o. | 24971 | 59,648 | 134 | 22.47 |