Phishing Activity in Hosting Networks (ASNs)
May 1, 2021 - July 31, 2021

To see where phishing sites were being hosted, we collected the IP addresses that phishing domains and phishing URLs were resolving to when phishing activity was detected and added to a threat or block list. We then identified the ASN where the IP prefix containing the IP address of the phish is allocated and this number identifies the hosting network where phishing attacks were reported.

For the period, we identified

- 176 hosting networks with 100 or more reported phishing attacks.

- 66 hosting networks with 500 or more reported phishing attacks. and

- 33 hosting networks with 1000 or more reported phishing attacks.

- 7 hosting networks with 5000 or more reported phishing attacks.

We measure phishing attacks to show where phishing sites are hosted and to identify the hosting service that has been allocated the IPv4 address space wherein the IP address of the phishing site lies.

A phisher may use one, several, or large numbers of URLs in a single phishing campaign. We apply rules to our phishing reports to de-duplicate URLs and to analyze hostname, URL path composition, target, and abuse report dates for similarities to obtain sets of URLs that we consider to be involved in one phishing attack. We also apply additional rules to group URLs into attacks based on observed cases.

In the table below, we show the twenty hosting networks with the highest numbers of reported phishing attacks.

Ranking of Hosting Networks (ASNs) by Phishing Attacks
(May to July 2021)

Rank AS Name AS number # Routed
IPv4 Addresses
Phishing Attacks ▼ Phishing Attack Score
1 CLOUDFLARENET 13335 2,301,440 18,652 81.04
2 UNIFIEDLAYER-AS-1 46606 1,392,384 13,276 95.35
3 NAMECHEAP-NET 22612 79,616 11,441 1437.02
4 MICROSOFT-CORP-MSN-AS-BLOCK 8075 46,434,048 7,279 1.57
5 CNNIC-ALIBABA-US-NET-AP Alibaba (US) Technology Co. 45102 4,134,912 6,583 15.92
6 GOOGLE 15169 23,095,808 5,636 2.44
7 ASN-QUADRANET-GLOBAL 8100 683,520 5,263 77.00
8 AMAZON-02 16509 38,949,888 4,498 1.15
9 DIGITALOCEAN-ASN 14061 2,467,840 4,024 16.31
10 HETZNER-AS - Hetzner Online GmbH 24940 2,041,344 3,718 18.21
11 AWEX - Hostinger International Limited 204915 768 3,643 47434.90
12 OVH - OVH SAS 16276 3,847,424 2,815 7.32
13 AMAZON-AES 14618 16,326,912 2,810 1.72
14 WEEBLY 27647 2,048 2,777 13559.57
15 AS-COLOCROSSING 36352 789,504 2,694 34.12
16 CONTABO - Contabo GmbH 51167 226,816 2,414 106.43
17 IDNIC-JALANET-AS-ID PT. Jupiter Jala Arta 131775 2,560 2,054 8023.44
18 FASTLY 54113 377,600 2,023 53.58
19 DDOS-GUARD CORP. 262254 17,152 1,958 1141.56
20 AS-REGRU - "Domain names registrar REG.RU", Ltd 197695 93,440 1,913 204.73

To allow comparison of large and small Hosting Networks (ASNs), we also rank Hosting Networks based on a metric, phishing attack score, which is calculated by dividing the number phishing attacks reported against an ASN by the number of routable IPv4 addresses allocated to that ASN.

Hosting (ASN) Phishing Attack Score = (number of phishing attacks/IP Addresses in ASN) * 10,000

In the table below, we show the top 20 hosting operators based on phishing attack score.

Ranking of Hosting Networks (ASNs) by Phishing Attack Score
(May to July 2021)

Hosting Networks (ASNs) with a minimum of 50,000 IPv4 addresses and 25 phishing attacks

Rank AS Name AS number # Routed IPv4
Addresses
Phishing attacks Phishing Attack Score ▼
1 NAMECHEAP-NET 22612 79,616 11,441 1437.02
2 GORILLASERVERS 53850 84,480 1,833 216.97
3 AS-REGRU - "Domain names registrar REG.RU", Ltd 197695 93,440 1,913 204.73
4 PONYNET 53667 59,136 942 159.29
5 INMOTI-1 54641 54,784 633 115.54
6 CONTABO - Contabo GmbH 51167 226,816 2,414 106.43
7 THEFIRST-AS - JSC The First 29182 82,688 810 97.96
8 UNIFIEDLAYER-AS-1 46606 1,392,384 13,276 95.35
9 IMH-WEST 22611 62,720 591 94.23
10 CLOUDFLARENET 13335 2,301,440 18,652 81.04
11 AS-HOSTINGER - Hostinger International Limited 47583 91,904 724 78.78
12 ASN-QUADRANET-GLOBAL 8100 683,520 5,263 77.00
13 NOCIX 33387 61,440 349 56.80
14 FASTLY 54113 377,600 2,023 53.58
15 ASIATECH - Asiatech Data Transmission company 43754 379,136 1,559 41.12
16 WII 32097 94,208 325 34.50
17 AS-COLOCROSSING 36352 789,504 2,694 34.12
18 ALCHEMYNET 7296 73,216 242 33.05
19 AS-30083-GO-DADDY-COM-LLC 30083 66,816 215 32.18
20 GCORE - G-Core Labs S.A. 199524 107,776 330 30.62