Phishing Trends May - July 2023
The theme for the May - July 2023 reporting period was… CHANGE.
Phishing attacks are on the rise once again
After a drop in phishing attacks reported in the February - April 2023 period, phishing attacks increased 21% during the May - July 2023 period. See the measurements at Key Statistics, TLD, Registrar, and Hosting Networks for a fuller picture.
Unique domain names reported for phishing are down
Phishers lost a mainstream supply chain when Freenom stopped processing domain registrations in its five commercial ccTLDs. The number of domains reported for phishing decreased 15%, but…
Phishers did more with less. We found an average of 2.6 phishing attacks per phishing domain in the May – July 2023 period, a significant increase from the 1.8 phishing attacks per phishing domain we saw in the February – April 2023 period.
As Freenom faded into the sunset
Some phishing domains continue to be reported in four of the Freenom commercial ccTLDs.
May - July 2023
Freenom ccTLDs | Phishing Domains Reported
.TK | 1,602
.GQ | 975
.GA | 901
.CF | 894
Cheap domains: cue the “We told you so…” music
A staggering 19 of the 20 TLDs that have the highest TLD phishing domain scores for the May - July 2023 period are new TLDs. The .CFD new gTLD had a whopping 40% rise in numbers of phishing domains and maliciously registered phishing domains reported.
Phishing scores are useful when comparing TLDs that have vastly different numbers of domain registrations. However, some new TLDs had disturbing numbers of phishing domains reported during this reporting period.
.TOP, .LIVE, and .XYZ have more phishing domains reported than .NET. The three new TLDs combined have approximately 1/2 the number of domain names that .NET has under management but had nearly five times the number of domains reported for phishing.
Phishing domains reported in other ccTLDs dropped considerably as well
May - July 2023
ccTLD | Phishing Domains Reported
.US | -64%
.RU | -39%
.CN | -23%
Replenishing the phishing domain supply chain
Subdomain services: “Free” replacements for Freenom domains
Phishers have found other ways to get free or cheap domain names or host names for phishing campaigns, through free blog and web sites that provide hostnames for their users. In the May – July 2023 period, phishers flocked to these subdomain service providers, an 85% increase in phishing attacks over the May – July 2023 period. Free blog or web site accounts hosted at services operated by Google (108,000) and DuckDNS (40,000) were prominent in this new supply chain.
May - July 2023
TLD | Domain registrations, May - July 2023 | Phishing Domains, May - July 2023
.TOP | 2,243,675 | 11,031
.LIVE | 632,401 | 5,904
.XYZ | 3,239,639 | 5,546
Total (.TOP, .LIVE, .XYZ) | 6,115,715 | 22,481 ☹
.NET | 12,823,843 | 4,613
Phishers cast a wider net for hosting
Five hosting networks (ASNs) that didn’t have enough phishing activity reported to be ranked in our February - April 2023 period jumped into the top 20: Weebly, Inc. (ASN 27647), Netminders Server Hosting (ASN 7040), Hostinger International Limited (ASN 204915), Protocol Labs (ASN 40680), and QuadraNet Enterprises (ASN 64270). Shenzhen Tencent Computer Systems Company Limited (AS 132203) also
Several hosting networks had equally dramatic quarter over quarter increases in the number of phishing attacks hosted.
Attacks hosted on IP addresses in
ASN 15169 (Google) increased 683%,
ASN 132203 (Shenzhen Tencent Computer System) increased 500%,
ASN 33387 (Nocix) increased 156%,
ASN 9009 (M247) increased 109%, and
ASN 47583 (Hostinger International) increased 100%.