Phishing Trends: August - October 2023

Phishing attacks declined…

While phishing attack volume oscillated during 2023 - down during the February - April 2023 period, up during the May - July 2023 period, and down again for the August - October 2023 period - we still observed increases over time. See the measurements at Key Statistics, TLD, Registrar, and Hosting Networks for a fuller picture.

And unique domain names reported for phishing declined as well

The number of domains reported for phishing again decreased by slightly more than 1% but malicious registrations increased by a troubling 22%.

Phishers did more with less. We found an average of 2.6 phishing attacks per phishing domain in the August - October 2023 period. This is consistent with our May - July 2023 finding and up from 1.8% identified for the February - April 2023 period.

Meta and USPS were the most impersonated brands

Facebook was the most impersonated of the Meta brands. COM was the TLD with most phishing domains reported as impersonating Facebook, and FastDomains was the registrar of choice to register these COM domains.

May - July 2023

Impersonated Brand                     Phishing Domains Reported
Meta, Facebook, WhatsApp, Instagram    12,344
United States Postal Service           8,962
Microsoft, Outlook                     2,477
Bet365                                 1,876
DHL                                    1,613

Delivery service phishing increased during the period. TOP was the TLD with most phishing domains reported as impersonating USPS. NameSilo was the registrar of choice to register these USPS phishing domains in TOP, and nearly all of these domains were registered by phishers.

Pay particular attention to emails or texts that attempt to deceive you with delivery failure or other service notifications. Examine any hyperlinks or URLs to be certain that these truly are USPS, DHL, FedEx, or other carriers and not phishers.

Phishing domains reported in ccTLDs continued to decrease

Phishing domains reported in the ccTLDs dropped to 22%, well below the ~37% ccTLD market share. With Freenom out of the domain registration business, phishers are exploiting the new TLDs, particularly those with cheap registration fees, and the new TLDs’ share of phishing domains now exceeds four times its market share. Phishers are also increasingly exploiting COM.

Subdomain Resellers

Subdomain services give customers services on a domain name that the provider owns. This gives users their own DNS space, using a third level domain, e.g., subdomain.domainname.tld. The subdomain is often the name of the user account that the operator provides. Phishers are attracted to these services because user accounts are often free, anonymous, or require no email verification.

User accounts (hostnames) at subdomain resellers operated by Google and DuckDNS ranked 1 and 2 among subdomain resellers with the most phishing attacks reported. In our 2023 Phishing Landscape Study, we reported that 16% of all phishing attacks were launched from phishing pages hosted at subdomain service providers. These services continue to be misused to create significant amounts of harm.

May - July 2023

Subdomain Reseller    Phishing Attacks Reported
Google                53,152
DuckDNS               12,050
Weebly                6,762
Hostinger             5,204
CentralNIC            5,069

Phishiest neighborhoods

More than 10,000 phishing attacks were reported at four hosting networks: Cloudflare (AS13335), Google (AS15169), Fastly (AS54113), and Amazon.com (AS16509).

Digging deeper into these networks, we identified three IPv4 address allocations (CIDR blocks) with more than 10,000 phishing attacks reported.

More than 13,000 attacks were hosted in address allocation 199.36.158.0/24 (Fastly, ASN 54113). Nearly all of the URLs associated with these attacks resolved to hostnames (user accounts) of Firebase, a subdomain reseller that offers limited free hosting and employs the domains firebaseapp.com and web.app.

IPv4 addresses of two address allocations from Google’s ASN 15169 were also associated with more than 10,000 phishing attacks. These allocations, 142.250.0.0/15 and 142.250.217.0/24, host Blogspot, a blogging platform that offers hosting, free SSL, and a hostname delegated from one of the many blogspot gTLD and ccTLD domains.
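
For triage of reported URLs, the subdomain.domainname.tld structure described under Subdomain Resellers and the address allocations listed above can be checked together. The following Python sketch is an added example, not code from this report: the suffixes firebaseapp.com and web.app and the three CIDR blocks come from the text, while blogspot.com, duckdns.org, weebly.com, the function names, and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# firebaseapp.com and web.app are named in the report; the rest are assumed.
RESELLER_SUFFIXES = {
    "firebaseapp.com": "Firebase", "web.app": "Firebase",
    "blogspot.com": "Blogspot", "duckdns.org": "DuckDNS", "weebly.com": "Weebly",
}
# Address allocations named in the report.
REPORTED_BLOCKS = [ipaddress.ip_network(c) for c in
                   ("199.36.158.0/24", "142.250.0.0/15", "142.250.217.0/24")]

def reseller_account(url):
    """Return (reseller, account_label) for a user hostname under a reseller
    domain, else None. Only the real hostname is compared, so userinfo
    ("brand.com@host") and look-alike suffixes do not match."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    for suffix, name in RESELLER_SUFFIXES.items():
        if host.endswith("." + suffix):
            # The account is the label immediately left of the reseller domain.
            return name, host[: -len(suffix) - 1].split(".")[-1]
    return None

def matching_blocks(ip):
    """List the reported allocations that contain this IPv4 address."""
    addr = ipaddress.ip_address(ip)
    return [str(net) for net in REPORTED_BLOCKS if addr in net]

def summarize(records):
    """records: iterable of (url, resolved_ip). Returns per-reseller counts and
    the records that touch a reseller hostname or a reported allocation."""
    per_reseller, flagged = Counter(), []
    for url, ip in records:
        hit, blocks = reseller_account(url), matching_blocks(ip)
        if hit:
            per_reseller[hit[0]] += 1
        if hit or blocks:
            flagged.append((url, hit, blocks))
    return per_reseller, flagged

# Constructed sample records (hostnames and resolutions are illustrative).
SAMPLE = [
    ("https://sample-1.web.app/track", "199.36.158.100"),
    ("https://sample-2.firebaseapp.com/login", "199.36.158.100"),
    ("http://sample-3.blogspot.com/p/notice.html", "142.250.217.33"),
    ("https://www.example.org/", "192.0.2.10"),
]

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE)
    print(dict(counts))
    for row in flagged:
        print(row)
```

A match only groups a URL by hosting service and allocation for review; these platforms and address blocks are shared with legitimate sites, so a hit is not by itself a phishing verdict.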