Phishing Trends: February 2022

Published on March 21, 2022

Each month, OpenPhish analyses tens of millions of URLs to identify phishing content. This report breaks down the shifts in targeted brands, industries, and phishing infrastructure. Data for this report is generated using our Phishing Database.

February saw a decrease of 6% in phishing volume over January, with the Cryptocurrency sector seeing an increase of 37% in phishing activity. Attacks on the Gambling and Transportation industries increased in February and accounted for 1% of the total phishing URLs. 50% of phishing URLs used HTTPS, a decrease from 55% in January.

Top 10 Impersonated Brands

Brand Industry Hostnames
Office365 Online/Cloud Service 1561
WhatsApp Social Networking 1326 Inc. e-Commerce 1191
Facebook, Inc. Social Networking 1190
Crypto/Wallet Cryptocurrency 972
Outlook Email Provider 947
Tencent Online/Cloud Service 619
Webmail Providers Email Provider 535
Discord Online/Cloud Service 466
Instagram Social Networking 366

Phishing attacks targeting Discord more than doubled in February, followed by a 77% increase in attacks impersonating Instagram. Phishing targeting Facebook decreased by 42%. Discord and Instagram entered the top 10 while PayPal and M&T Bank dropped from the list.

Top 10 Abused TLDs

TLD Type % Phishing URLs
com gTLD 43.08%
org gTLD 8.33%
app gTLD 5.18%
net gTLD 3.58%
ru ccTLD 3.34%
co ccTLD 2.99%
xyz gTLD 2.23%
me ccTLD 1.61%
page gTLD 1.61%
tk ccTLD 1.30%

Threat actors exploited a total of 412 TLDs for phishing content, a decrease of 5% compared to the previous month. The legacy TLDs accounted for 55% of the phishing URLs. The .tk ccTLD saw a 79% jump in phishing content, followed by the .co ccTLD with a 64% increase month-over-month.

Top 10 Abused ASNs

ASN ASN Name Hostnames
AS13335 Cloudflare, Inc. 3107
AS54113 Fastly 2545
AS46606 Unified Layer 2349
AS8075 Microsoft Corporation 2316
AS27647 Weebly, Inc. 1913
AS15169 Google LLC 866
AS22612 Namecheap, Inc. 727
AS14618, Inc. 677
AS8100 QuadraNet Enterprises LLC 629
AS36352 ColoCrossing 624

A total of 1069 ASNs hosted phishing sites, an increase of 9% compared to January. ColoCrossing saw a 56% increase in the number of unique hostnames, while phishing content hosted on Google, Digital Ocean continued to decline for the second month in a row.