Phishing Activity in Hosting Networks (ASNs)
November 1, 2021 - January 31, 2022
To see where phishing sites were being hosted, we collected the IP addresses that phishing domains and phishing URLs were resolving to when phishing activity was detected and added to a threat or block list. We then identified the ASN where the IP prefix containing the IP address of the phish is allocated and this number identifies the hosting network where phishing attacks were reported.
For the November 1, 2021 to January 31, 2022 period, we identified
- 98 hosting networks with 100 or more reported phishing attacks.
- 44 hosting networks with 500 or more reported phishing attacks.
- 22 hosting networks with 1000 or more reported phishing attacks.
and 8 hosting networks with 5000 or more reported phishing attacks.
We measure phishing attacks to show where phishing sites are hosted and to identify the hosting service that has been allocated the IPv4 address space wherein the IP address of the phishing site lies.
A phisher may use one, several, or large numbers of URLs in a single phishing campaign. We apply rules to our phishing reports to de-duplicate URLs and to analyze hostname, URL path composition, target, and abuse report dates for similarities to obtain sets of URLs that we consider to be involved in one phishing attack. We also apply additional rules to group URLs into attacks based on observed cases.
Table 1 shows the twenty hosting networks with the highest numbers of reported phishing attacks.
Ranking of Hosting Networks (ASNs) by Phishing Attacks (November 2021 to January 2022)
| Rank | AS Name | AS number | # Routed IPv4 Addresses |
Phishing Attacks ▼ | Phishing Attack Score |
| 1 | CLOUDFLARENET | 13335 | 2,374,400 | 30,434 | 128.18 |
| 2 | UNIFIEDLAYER-AS-1 | 46606 | 1,393,920 | 18,826 | 135.06 |
| 3 | MICROSOFT-CORP-MSN-AS-BLOCK | 8075 | 45,598,720 | 16,876 | 3.70 |
| 4 | NAMECHEAP-NET | 22612 | 93,696 | 10,850 | 1158.00 |
| 5 | 15169 | 23,098,112 | 9,532 | 4.13 | |
| 6 | FASTLY | 54113 | 530,176 | 8,872 | 167.34 |
| 7 | WEEBLY | 27647 | 2,048 | 5,917 | 28891.60 |
| 8 | DIGITALOCEAN-ASN | 14061 | 2,656,512 | 5,586 | 21.03 |
| 9 | AMAZON-02 | 16509 | 42,261,760 | 5,439 | 1.29 |
| 10 | SOFTQLOUD-AS - Softqloud GmbH | 208006 | 3,584 | 4,401 | 12279.58 |
| 11 | ASN-QUADRANET-GLOBAL | 8100 | 654,080 | 4,199 | 64.20 |
| 12 | AS-COLOCROSSING | 36352 | 780,800 | 3,369 | 43.15 |
| 13 | BCPL-SG BGPNET Global ASN | 64050 | 435,968 | 3,135 | 71.91 |
| 14 | AWEX - Hostinger International Limited | 204915 | 768 | 3,068 | 39947.92 |
| 15 | OVH - OVH SAS | 16276 | 4,044,800 | 2,505 | 6.19 |
| 16 | CNNIC-ALIBABA-US-NET-AP Alibaba (US) Technology Co. | 45102 | 4,819,968 | 2,466 | 5.12 |
| 17 | AMAZON-AES | 14618 | 16,345,344 | 2,463 | 1.51 |
| 18 | CONTABO - Contabo GmbH | 51167 | 269,824 | 2,279 | 84.46 |
| 19 | HETZNER-AS - Hetzner Online GmbH | 24940 | 2,239,232 | 1,678 | 7.49 |
| 20 | HOSTWINDS | 54290 | 327,424 | 1,584 | 48.38 |
To allow comparison of large and small Hosting Networks (ASNs), we also rank Hosting Networks based on a metric, phishing attack score, which is calculated by dividing the number phishing attacks reported against an ASN by the number of routable IPv4 addresses allocated to that ASN.
Hosting (ASN) Phishing Attack Score = (number of phishing attacks/IP Addresses in ASN) * 10,000
Table 2 shows the top 20 hosting operators based on phishing attack score.
Ranking of Hosting Networks (ASNs) by Phishing Attack Score (November 2021 to January 2022)
Hosting Networks (ASNs) with a minimum of 50,000 IPv4 addresses and 25 phishing attacks
| Rank | AS Name | AS number | # Routed IPv4 Addresses |
Phishing attacks | Phishing Attack Score ▼ |
| 1 | NAMECHEAP-NET | 22612 | 93,696 | 10,850 | 1158.00 |
| 2 | FASTLY | 54113 | 530,176 | 8,872 | 167.34 |
| 3 | GHOST - G-Core Labs S.A. | 202422 | 54,016 | 765 | 141.62 |
| 4 | UNIFIEDLAYER-AS-1 | 46606 | 1,393,920 | 18,826 | 135.06 |
| 5 | CLOUDFLARENET | 13335 | 2,374,400 | 30,434 | 128.18 |
| 6 | PONYNET | 53667 | 63,744 | 781 | 122.52 |
| 7 | AS-HOSTINGER - Hostinger International Limited | 47583 | 121,600 | 1,388 | 114.14 |
| 8 | AS-REGRU - "Domain names registrar REG.RU", Ltd | 197695 | 94,464 | 972 | 102.90 |
| 9 | INMOTI-1 | 54641 | 58,368 | 588 | 100.74 |
| 10 | TIMEWEB-AS - TimeWeb Ltd. | 9123 | 57,600 | 529 | 91.84 |
| 11 | CONTABO - Contabo GmbH | 51167 | 269,824 | 2,279 | 84.46 |
| 12 | PEGTECHINC-AP-03 | 398993 | 65,536 | 500 | 76.29 |
| 13 | IMH-WEST | 22611 | 56,832 | 411 | 72.32 |
| 14 | BCPL-SG BGPNET Global ASN | 64050 | 435,968 | 3,135 | 71.91 |
| 15 | 24SHELLS | 55081 | 103,680 | 736 | 70.99 |
| 16 | ASN-QUADRANET-GLOBAL | 8100 | 654,080 | 4,199 | 64.20 |
| 17 | NFORCE - NForce Entertainment B.V. | 43350 | 80,384 | 508 | 63.20 |
| 18 | ON-LINE-DATA - Zomro B.V. | 204601 | 58,112 | 319 | 54.89 |
| 19 | NOCIX | 33387 | 57,344 | 290 | 50.57 |
| 20 | HOSTWINDS | 54290 | 327,424 | 1,584 | 48.38 |
Activity in Hosting Networks (ASNs)