Phishing Activity in Hosting Networks (ASNs)
May 1, 2021 - July 31, 2021
To see where phishing sites were being hosted, we collected the IP addresses that phishing domains and phishing URLs were resolving to when phishing activity was detected and added to a threat or block list. We then identified the ASN where the IP prefix containing the IP address of the phish is allocated and this number identifies the hosting network where phishing attacks were reported.
For the period, we identified
- 176 hosting networks with 100 or more reported phishing attacks.
- 66 hosting networks with 500 or more reported phishing attacks. and
- 33 hosting networks with 1000 or more reported phishing attacks.
- 7 hosting networks with 5000 or more reported phishing attacks.
We measure phishing attacks to show where phishing sites are hosted and to identify the hosting service that has been allocated the IPv4 address space wherein the IP address of the phishing site lies.
A phisher may use one, several, or large numbers of URLs in a single phishing campaign. We apply rules to our phishing reports to de-duplicate URLs and to analyze hostname, URL path composition, target, and abuse report dates for similarities to obtain sets of URLs that we consider to be involved in one phishing attack. We also apply additional rules to group URLs into attacks based on observed cases.
In the table below, we show the twenty hosting networks with the highest numbers of reported phishing attacks.
Ranking of Hosting Networks (ASNs) by Phishing Attacks (May to July 2021)
Rank | AS Name | AS number | # Routed IPv4 Addresses |
Phishing Attacks ▼ | Phishing Attack Score |
1 | CLOUDFLARENET | 13335 | 2,301,440 | 18,652 | 81.04 |
2 | UNIFIEDLAYER-AS-1 | 46606 | 1,392,384 | 13,276 | 95.35 |
3 | NAMECHEAP-NET | 22612 | 79,616 | 11,441 | 1437.02 |
4 | MICROSOFT-CORP-MSN-AS-BLOCK | 8075 | 46,434,048 | 7,279 | 1.57 |
5 | CNNIC-ALIBABA-US-NET-AP Alibaba (US) Technology Co. | 45102 | 4,134,912 | 6,583 | 15.92 |
6 | 15169 | 23,095,808 | 5,636 | 2.44 | |
7 | ASN-QUADRANET-GLOBAL | 8100 | 683,520 | 5,263 | 77.00 |
8 | AMAZON-02 | 16509 | 38,949,888 | 4,498 | 1.15 |
9 | DIGITALOCEAN-ASN | 14061 | 2,467,840 | 4,024 | 16.31 |
10 | HETZNER-AS - Hetzner Online GmbH | 24940 | 2,041,344 | 3,718 | 18.21 |
11 | AWEX - Hostinger International Limited | 204915 | 768 | 3,643 | 47434.90 |
12 | OVH - OVH SAS | 16276 | 3,847,424 | 2,815 | 7.32 |
13 | AMAZON-AES | 14618 | 16,326,912 | 2,810 | 1.72 |
14 | WEEBLY | 27647 | 2,048 | 2,777 | 13559.57 |
15 | AS-COLOCROSSING | 36352 | 789,504 | 2,694 | 34.12 |
16 | CONTABO - Contabo GmbH | 51167 | 226,816 | 2,414 | 106.43 |
17 | IDNIC-JALANET-AS-ID PT. Jupiter Jala Arta | 131775 | 2,560 | 2,054 | 8023.44 |
18 | FASTLY | 54113 | 377,600 | 2,023 | 53.58 |
19 | DDOS-GUARD CORP. | 262254 | 17,152 | 1,958 | 1141.56 |
20 | AS-REGRU - "Domain names registrar REG.RU", Ltd | 197695 | 93,440 | 1,913 | 204.73 |
To allow comparison of large and small Hosting Networks (ASNs), we also rank Hosting Networks based on a metric, phishing attack score, which is calculated by dividing the number phishing attacks reported against an ASN by the number of routable IPv4 addresses allocated to that ASN.
Hosting (ASN) Phishing Attack Score = (number of phishing attacks/IP Addresses in ASN) * 10,000
In the table below, we show the top 20 hosting operators based on phishing attack score.
Ranking of Hosting Networks (ASNs) by Phishing Attack Score (May to July 2021)
Hosting Networks (ASNs) with a minimum of 50,000 IPv4 addresses and 25 phishing attacks
Rank | AS Name | AS number | # Routed IPv4 Addresses |
Phishing attacks | Phishing Attack Score ▼ |
1 | NAMECHEAP-NET | 22612 | 79,616 | 11,441 | 1437.02 |
2 | GORILLASERVERS | 53850 | 84,480 | 1,833 | 216.97 |
3 | AS-REGRU - "Domain names registrar REG.RU", Ltd | 197695 | 93,440 | 1,913 | 204.73 |
4 | PONYNET | 53667 | 59,136 | 942 | 159.29 |
5 | INMOTI-1 | 54641 | 54,784 | 633 | 115.54 |
6 | CONTABO - Contabo GmbH | 51167 | 226,816 | 2,414 | 106.43 |
7 | THEFIRST-AS - JSC The First | 29182 | 82,688 | 810 | 97.96 |
8 | UNIFIEDLAYER-AS-1 | 46606 | 1,392,384 | 13,276 | 95.35 |
9 | IMH-WEST | 22611 | 62,720 | 591 | 94.23 |
10 | CLOUDFLARENET | 13335 | 2,301,440 | 18,652 | 81.04 |
11 | AS-HOSTINGER - Hostinger International Limited | 47583 | 91,904 | 724 | 78.78 |
12 | ASN-QUADRANET-GLOBAL | 8100 | 683,520 | 5,263 | 77.00 |
13 | NOCIX | 33387 | 61,440 | 349 | 56.80 |
14 | FASTLY | 54113 | 377,600 | 2,023 | 53.58 |
15 | ASIATECH - Asiatech Data Transmission company | 43754 | 379,136 | 1,559 | 41.12 |
16 | WII | 32097 | 94,208 | 325 | 34.50 |
17 | AS-COLOCROSSING | 36352 | 789,504 | 2,694 | 34.12 |
18 | ALCHEMYNET | 7296 | 73,216 | 242 | 33.05 |
19 | AS-30083-GO-DADDY-COM-LLC | 30083 | 66,816 | 215 | 32.18 |
20 | GCORE - G-Core Labs S.A. | 199524 | 107,776 | 330 | 30.62 |
Activity in Hosting Networks (ASNs)