Phishing Activity in Hosting Networks (ASNs)
November 1, 2020 - January 31, 2021
To see where phishing sites were being hosted, we collected the IP addresses that phishing domains and phishing URLs were resolving to when phishing activity was detected and added to a threat or block list. We then identified the ASN where the IP prefix containing the IP address of the phish is allocated and this number identifies the hosting network where phishing attacks were reported.
For the November 1, 2020 to January 31, 2021 period, we identified
- 135 hosting networks with 100 or more reported phishing attacks.
- 41 hosting networks with 500 or more reported phishing attacks. and
- 20 hosting networks with 1000 or more reported phishing attacks.
We measure phishing attacks to show where phishing sites are hosted and to identify the hosting service that has been allocated the IPv4 address space wherein the IP address of the phishing site lies.
A phisher may use one, several, or large numbers of URLs in a single phishing campaign. We apply rules to our phishing reports to de-duplicate URLs and to analyze hostname, URL path composition, target, and abuse report dates for similarities to obtain sets of URLs that we consider to be involved in one phishing attack. We also apply additional rules to group URLs into attacks based on observed cases.
Table 1 shows the twenty hosting networks with the highest numbers of reported phishing attacks. Several ASNs with small IPv4 address delegations - NAMECHEAP-NET, WEEBLY, and AWEX - had extraordinarily high counts of phishing attacks during this reporting period.
Table 1. Ranking of Hosting Networks (ASNs) by Phishing Attacks (November 2020 to January 2021)
| Rank | AS Name | AS number | # Routed IPv4 Addresses |
Phishing Attacks ▼ | Phishing Attack Score |
| 1 | NAMECHEAP-NET | 22612 | 68,096 | 20,677 | 3036.45 |
| 2 | CLOUDFLARENET | 13335 | 2,550,016 | 14,452 | 56.67 |
| 3 | UNIFIEDLAYER-AS-1 | 46606 | 1,384,448 | 8,793 | 63.51 |
| 4 | 15169 | 15,219,968 | 6,950 | 4.57 | |
| 5 | DIGITALOCEAN-ASN | 14061 | 2,372,352 | 5,232 | 22.05 |
| 6 | DYNDNS | 33517 | 65,792 | 4,639 | 705.10 |
| 7 | OVH - OVH SAS | 16276 | 3,655,168 | 4,155 | 11.37 |
| 8 | CONTABO - Contabo GmbH | 51167 | 215,296 | 3,621 | 168.19 |
| 9 | WEEBLY | 27647 | 2,048 | 2,887 | 14096.68 |
| 10 | AMAZON-02 | 16509 | 37,688,064 | 2,663 | 0.71 |
| 11 | AWEX - Hostinger International Limited | 204915 | 768 | 2,470 | 32161.46 |
| 12 | AS-26496-GO-DADDY-COM-LLC | 26496 | 1,555,968 | 1,840 | 11.83 |
| 13 | MICROSOFT-CORP-MSN-AS-BLOCK | 8075 | 38,437,632 | 1,828 | 0.48 |
| 14 | HETZNER-AS - Hetzner Online GmbH | 24940 | 2,042,368 | 1,722 | 8.43 |
| 15 | CNNIC-ALIBABA-US-NET-AP Alibaba (US) Technology Co. | 45102 | 12,118,784 | 1,652 | 1.36 |
| 16 | AS-COLOCROSSING | 36352 | 788,992 | 1,370 | 17.36 |
| 17 | LAYER-HOST | 46573 | 403,712 | 1,157 | 28.66 |
| 18 | HOSTWINDS | 54290 | 327,424 | 1,149 | 35.09 |
| 19 | AS-30083-GO-DADDY-COM-LLC | 30083 | 66,816 | 1,091 | 163.28 |
| 20 | AMAZON-AES | 14618 | 16,306,944 | 1,031 | 0.63 |
To allow comparison of large and small Hosting Networks (ASNs), we also rank Hosting Networks based on a metric, phishing attack score, which is calculated by dividing the number phishing attacks reported against an ASN by the number of routable IPv4 addresses allocated to that ASN.
Hosting (ASN) Phishing Attack Score = (number of phishing attacks/IP Addresses in ASN) * 10,000
Table 2 shows the top 20 hosting operators based on phishing attack score.
Table 2. Ranking of Hosting Networks (ASNs) by Phishing Attack Score (November 2020 to January 2021)
Hosting Networks (ASNs) with a minimum of 50,000 IPv4 addresses and 25 phishing domains
| Rank | AS Name | AS number | # Routed IPv4 Addresses |
Phishing attacks | Phishing Attack Score ▼ |
| 1 | NAMECHEAP-NET | 22612 | 68,096 | 20,677 | 3036.45 |
| 2 | CONTABO - Contabo GmbH | 51167 | 215,296 | 3,621 | 168.19 |
| 3 | AS-30083-GO-DADDY-COM-LLC | 30083 | 66,816 | 1,091 | 163.28 |
| 4 | IMH-WEST | 22611 | 62,720 | 920 | 146.68 |
| 5 | AS-REGRU - "Domain names registrar REG.RU", Ltd | 197695 | 94,208 | 995 | 105.62 |
| 6 | INMOTI-1 | 54641 | 55,808 | 536 | 96.04 |
| 7 | UPCLOUD - UpCloud Ltd | 202053 | 54,528 | 501 | 91.88 |
| 8 | AS-HOSTINGER - Hostinger International Limited | 47583 | 85,504 | 578 | 67.60 |
| 9 | UNIFIEDLAYER-AS-1 | 46606 | 1,384,448 | 8,793 | 63.51 |
| 10 | PONYNET | 53667 | 60,160 | 355 | 59.01 |
| 11 | RACKRAY - UAB Rakrejus | 62282 | 58,624 | 340 | 58.00 |
| 12 | CLOUDFLARENET | 13335 | 2,550,016 | 14,452 | 56.67 |
| 13 | HOSTWINDS | 54290 | 327,424 | 1,149 | 35.09 |
| 14 | A2HOSTING | 55293 | 137,984 | 462 | 33.48 |
| 15 | LAYER-HOST | 46573 | 403,712 | 1,157 | 28.66 |
| 16 | NOCIX | 33387 | 60,160 | 171 | 28.42 |
| 17 | THEFIRST-AS - JSC The First | 29182 | 81,920 | 228 | 27.83 |
| 18 | SERVERIUS-AS - Serverius Holding B.V. | 50673 | 100,096 | 262 | 26.17 |
| 19 | ON-LINE-DATA - Zomro B.V. | 204601 | 65,792 | 169 | 25.69 |
| 20 | GO-DADDY-COM-LLC | 398101 | 90,624 | 225 | 24.83 |
Activity in Hosting Networks (ASNs)