Each month, OpenPhish analyses tens of millions of URLs to identify phishing content. This report breaks down the shifts in targeted brands, industries, and phishing infrastructure. Data for this report is generated using our Phishing Database.
February saw a decrease of 6% in phishing volume over January, with the Cryptocurrency sector seeing an increase of 37% in phishing activity. Attacks on the Gambling and Transportation industries increased in February and accounted for 1% of the total phishing URLs. 50% of phishing URLs used HTTPS, a decrease from 55% in January.
| Brand | Industry | Hostnames |
|---|---|---|
| Office365 | Online/Cloud Service | 1561 |
| Social Networking | 1326 | |
| Amazon.com Inc. | e-Commerce | 1191 |
| Facebook, Inc. | Social Networking | 1190 |
| Crypto/Wallet | Cryptocurrency | 972 |
| Outlook | Email Provider | 947 |
| Tencent | Online/Cloud Service | 619 |
| Webmail Providers | Email Provider | 535 |
| Discord | Online/Cloud Service | 466 |
| Social Networking | 366 |
Phishing attacks targeting Discord more than doubled in February, followed by a 77% increase in attacks impersonating Instagram. Phishing targeting Facebook decreased by 42%. Discord and Instagram entered the top 10 while PayPal and M&T Bank dropped from the list.
| TLD | Type | % Phishing URLs |
|---|---|---|
| com | gTLD | 43.08% |
| org | gTLD | 8.33% |
| app | gTLD | 5.18% |
| net | gTLD | 3.58% |
| ru | ccTLD | 3.34% |
| co | ccTLD | 2.99% |
| xyz | gTLD | 2.23% |
| me | ccTLD | 1.61% |
| page | gTLD | 1.61% |
| tk | ccTLD | 1.30% |
Threat actors exploited a total of 412 TLDs for phishing content, a decrease of 5% compared to the previous month. The legacy TLDs accounted for 55% of the phishing URLs. The .tk ccTLD saw a 79% jump in phishing content, followed by the .co ccTLD with a 64% increase month-over-month.
| ASN | ASN Name | Hostnames |
|---|---|---|
| AS13335 | Cloudflare, Inc. | 3107 |
| AS54113 | Fastly | 2545 |
| AS46606 | Unified Layer | 2349 |
| AS8075 | Microsoft Corporation | 2316 |
| AS27647 | Weebly, Inc. | 1913 |
| AS15169 | Google LLC | 866 |
| AS22612 | Namecheap, Inc. | 727 |
| AS14618 | Amazon.com, Inc. | 677 |
| AS8100 | QuadraNet Enterprises LLC | 629 |
| AS36352 | ColoCrossing | 624 |
A total of 1069 ASNs hosted phishing sites, an increase of 9% compared to January. ColoCrossing saw a 56% increase in the number of unique hostnames, while phishing content hosted on Google, Digital Ocean continued to decline for the second month in a row.