Each month, OpenPhish analyses tens of millions of URLs to identify phishing content. This report breaks down the shifts in targeted brands, industries, and phishing infrastructure. Data for this report is generated using our Phishing Database.
December saw a decrease of 40% in phishing volume from November, with most sectors seeing a substantial decline in phishing activity. However, phishing URLs impersonating brands in the Gaming and Telecommunication sectors rose by 4% from the previous month. 51% of phishing URLs used HTTPS, a decline from 56% in November.
Brand | Industry | Hostnames |
---|---|---|
Facebook, Inc. | Social Networking | 1992 |
Amazon.com Inc. | e-Commerce | 1459 |
| | Social Networking | 1264 |
Office365 | Online/Cloud Service | 869 |
Outlook | Online/Cloud Service | 624 |
Crypto/Wallet | Cryptocurrency | 613 |
PayPal Inc. | Payment Service | 358 |
Webmail Providers | Email Provider | 344 |
Tencent | Online/Cloud Service | 329 |
M & T Bank | Financial | 295 |
Although we saw a decline in phishing volume across most brands, phishing attacks targeting Facebook rose by 2% in December, making it the top impersonated brand for the month. M&T Bank entered the top 10 list after a 30% increase in phishing volume. Instagram dropped from the list.
TLD | Type | % Phishing URLs |
---|---|---|
com | gTLD | 46.16% |
org | gTLD | 8.27% |
ru | ccTLD | 4.00% |
net | gTLD | 2.78% |
xyz | gTLD | 2.56% |
app | gTLD | 2.23% |
cn | ccTLD | 2.16% |
page | gTLD | 2.02% |
com.br | ccTLD | 1.25% |
de | ccTLD | 1.02% |
Threat actors exploited a total of 380 TLDs for phishing content, a decrease of 12% compared to the previous month. The legacy TLDs accounted for almost 60% of the phishing URLs. The most commonly abused TLD remains .com.
ASN | ASN Name | Hostnames |
---|---|---|
AS13335 | Cloudflare, Inc. | 2490 |
AS15169 | Google LLC | 2257 |
AS46606 | Unified Layer | 1879 |
AS8075 | Microsoft Corporation | 1569 |
AS27647 | Weebly, Inc. | 880 |
AS14061 | DigitalOcean, LLC | 671 |
AS16509 | Amazon.com, Inc. | 617 |
AS22612 | Namecheap, Inc. | 610 |
AS8100 | QuadraNet Enterprises LLC | 495 |
AS204915 | Hostinger International Limited | 458 |
A total of 960 ASNs hosted phishing sites, a decrease of 16% compared to December. Google saw a 1.5x increase in the number of unique hostnames, while phishing content hosted on Microsoft declined by 85% compared to the month before.