Phishing Trends: December 2021

Published on January 26, 2022

Each month, OpenPhish analyses tens of millions of URLs to identify phishing content. This report breaks down the shifts in targeted brands, industries, and phishing infrastructure. Data for this report is generated using our Phishing Database.

December saw a decrease of 40% in phishing volume from November, with most sectors seeing a substantial decline in phishing activity. However, phishing URLs impersonating brands in the Gaming and Telecommunication sectors rose by 4% from the previous month. 51% of phishing URLs used HTTPS, a decline from 56% in November.

Top 10 Impersonated Brands

Brand Industry Hostnames
Facebook, Inc. Social Networking 1992 Inc. e-Commerce 1459
WhatsApp Social Networking 1264
Office365 Online/Cloud Service 869
Outlook Online/Cloud Service 624
Crypto/Wallet Cryptocurrency 613
PayPal Inc. Payment Service 358
Webmail Providers Email Provider 344
Tencent Online/Cloud Service 329
M & T Bank Financial 295

Although we saw a decline in phishing volume across most brands, phishing attacks targeting Facebook rose by 2% in December, making it the top impersonated brand for the month. M&T Bank entered the top 10 list after a 30% increase in phishing volume. Instagram dropped from the list.

Top 10 Abused TLDs

TLD Type % Phishing URLs
com gTLD 46.16%
org gTLD 8.27%
ru ccTLD 4.00%
net gTLD 2.78%
xyz gTLD 2.56%
app gTLD 2.23%
cn ccTLD 2.16%
page gTLD 2.02% ccTLD 1.25%
de ccTLD 1.02%

Threat actors exploited a total of 380 TLDs for phishing content, a decrease of 12% compared to the previous month. The legacy TLDs accounted for almost 60% of the phishing URLs. The most commonly abused TLD remains .com

Top 10 Abused ASNs

ASN ASN Name Hostnames
AS13335 Cloudflare, Inc. 2490
AS15169 Google LLC 2257
AS46606 Unified Layer 1879
AS8075 Microsoft Corporation 1569
AS27647 Weebly, Inc. 880
AS14061 DigitalOcean, LLC 671
AS16509, Inc. 617
AS22612 Namecheap, Inc. 610
AS8100 QuadraNet Enterprises LLC 495
AS204915 Hostinger International Limited 458

A total of 960 ASNs hosted phishing sites, a decrease of 16% compared to December. Google saw a 1.5x increase in the number of unique hostnames, while phishing content hosted on Microsoft declined by 85% compared to the month before.