Phishing Trends: May - July 2024

Phishing in 2024 shows no sign of a slowdown. We processed slightly more than 1M reports from our phishing feeds in the 3-month period ending July 31, 2024, the third straight reporting period in which our collection exceeded 1M. We observe small decreases in most measurements of the resources that phishers exploit to perpetrate crimes. See the measurements at Key Statistics, TLD, Registrar, and Hosting Networks for a fuller picture.

Runaway phishing in the new gTLDs

Phishing domains reported decreased by 9% during the May - July 2024 period.

While phishing domains in .TOP decreased 34%, phishers appear to have moved on to .BOND, .RU, .ICU and .CFD, which all increased by more than 125%. Since the beginning of the program, phishers have migrated to and from dozens of new gTLDs that offer free, cheap, or open registration policies.

Often, phishers register domains across several new gTLDs for a given phishing campaign to make their campaigns resilient to blocklisting or takedowns. Offering cybercriminals more new gTLDs of similar pricing and policy will expand an already fertile greenfield for abuse.

Phishers have firmly concentrated their registration efforts in the new gTLDs. For the period, more domain names were reported for phishing in the thirteen new gTLDs in this period's top 20 than were reported in the .COM TLD. Why is this comparison important?

  1. .COM has nearly 155M domains under management. Combined, the 13 phishiest new gTLDs have only 18M domains under management, which is approximately one-eighth of .COM.

  2. The percent of Phishing Domains in the combined 13 phishiest new gTLDs is 118% of those in .COM (185,486/157,053).

This is a pronounced escalation over the worrisome increase we reported in our Phishing Landscape 2024 study.

Phishing Domains Reported: 13 new gTLDs vs .COM TLD

| TLD(s) | Phishing Domains Reported | Domains Under Management in TLD (DUM) | Percent of DUM |
|---|---|---|---|
| .COM | 157,053 | 154,941,634 | .010% |
| Sum of .TOP, .XYZ, .BOND, .LOL, .SHOP, .ONLINE, .SBS, .SITE, .ICU, .CFD, .TODAY, .LIVE, .BUZZ (13 new gTLDs in May - July Top 20) | 185,486 | 17,986,252 | .125% |

Changes in hosting behavior

Cloudflare continues to top the list of hosting networks with the most phishing attacks. Phishers exploited several small hosting networks in this quarter:

  • SEDO GmbH

  • Weebly, Inc.

  • Limenet

  • Komkov Vadim Aleksandrovich

  • PROSPERO llc

These ASNs had astronomically high phishing scores. The phishing score is the ratio of phishing attacks to IPv4 addresses reported for hosting phishing attacks in the ASN (see Phishing Activity in Hosting Networks).

Impersonated Brands

United States Postal Service and Facebook were the most impersonated brands this reporting period. Meta, AT&T, Microsoft, and Netflix were also among the top targets. We also saw an increase in Crypto/Wallet phishing over prior period(s).

USPS is the brand most frequently found as an exact match string in phishing domains. Registry, registrar and subdomain operators could use this to experiment with a "filter for string, delay delegation pending investigation" process.
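
One way an operator could prototype the "filter for string, delay delegation pending investigation" process is sketched below. This is an added example, not code from the report: the watch list, the allowlist, the DelegationGate class and the .example sample names are assumptions constructed for illustration. It also shows two limits of an exact-match screen: an innocent name that contains the string is held until reviewed, and a look-alike spelling passes.

```python
# Assumed values: the watch list holds the report's two top brands and the
# allowlist holds the brand owners' own domains, which are never held.
WATCHED_BRANDS = ("usps", "facebook")
BRAND_OWNED = ("usps.com", "facebook.com")


def matched_brands(domain):
    """Return the watched brands that appear as an exact string in the name."""
    name = domain.strip().rstrip(".").lower()
    if any(name == d or name.endswith("." + d) for d in BRAND_OWNED):
        return []
    # Every label left of the TLD is checked, so the same screen serves a
    # registry (one label) and a subdomain provider (customer label too).
    labels = name.split(".")[:-1]
    return [b for b in WATCHED_BRANDS if any(b in label for label in labels)]


class DelegationGate:
    """Hypothetical pipeline: a match delays delegation until it is reviewed."""

    def __init__(self):
        self.zone = set()      # names published in DNS
        self.pending = {}      # held name -> brands that triggered the hold
        self.refused = set()   # names an analyst judged abusive

    def submit(self, domain):
        brands = matched_brands(domain)
        if brands:
            self.pending[domain] = brands   # registered, not yet delegated
            return "held"
        self.zone.add(domain)
        return "delegated"

    def review(self, domain, abusive):
        """Apply the analyst's decision to a held name."""
        self.pending.pop(domain)            # KeyError if it was never held
        (self.refused if abusive else self.zone).add(domain)
        return "refused" if abusive else "delegated"


# Constructed sample batch on the reserved .example TLD (not real data).
SAMPLE = ["usps-redelivery.example", "tracking.usps.com",
          "corner-bakery.example", "cusps-dental.example",
          "faceb00k-login.example"]


def run_sample():
    gate = DelegationGate()
    results = {d: gate.submit(d) for d in SAMPLE}
    gate.review("cusps-dental.example", abusive=False)    # innocent substring hit
    gate.review("usps-redelivery.example", abusive=True)  # brand lure
    return results, gate
```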

Impersonated Brands

| Brand | Domains Reported by Feed for Targeting Brand | Domains Containing Exact Match of Brand in Name | Domains Reported by Feed -OR- Containing Exact Match of Brand |
|---|---|---|---|
| United States Postal Service, USPS | 7,614 | 13,029 | 18,679 |
| Facebook | 2,965 | 319 | 3,310 |

Phishing from Subdomain Providers

Phishing from user accounts at subdomain providers decreased but still accounts for more than 10% of phishing attacks reported during the May - July 2024 period.

Phishing Activity in Subdomain Providers
May 1, 2024 - July 31, 2024

Ranking of Subdomain Providers by Phishing Attacks (May to July 2024)

| Rank | Subdomain Provider | Domains | Phishing Attacks | Malicious Phishing Attacks | Percent Malicious |
|---|---|---|---|---|---|
| 1 | Cloudflare | pages.dev, trycloudflare.com, workers.dev | 15,022 | 5,369 | 29% |
| 2 | Google | appspot.com, blogspot.com, blogspot.xx on 66 ccTLDs, doubleclick.net, firebaseapp.com, googleapis.com, page.link, web.app | 11,621 | 5,654 | 49% |
| 3 | Weebly | weebly.com, weeblysite.com | 10,172 | 6,077 | 60% |
| 4 | DuckDNS | duckdns.org | 7,141 | 6,804 | 95% |
| 5 | Github | github.io | 7,075 | 2,079 | 29% |
| 6 | Vercel | vercel.app | 4,549 | 3,030 | 67% |