Each month, OpenPhish analyses tens of millions of URLs to identify phishing content. This report breaks down the shifts in targeted brands, industries, and phishing infrastructure. Data for this report is generated using our Phishing Database.
January saw an increase of 27% in phishing volume from December, with the Online and Cloud Services sector seeing an increase of 30% in phishing activity. 55% of phishing URLs used HTTPS, an increase from 51% in December.
| Brand | Industry | Hostnames |
|---|---|---|
| Facebook, Inc. | Social Networking | 2085 |
| Social Networking | 1320 | |
| Office365 | Online/Cloud Service | 1295 |
| Outlook | Online/Cloud Service | 912 |
| Amazon.com Inc. | e-Commerce | 843 |
| Crypto/Wallet | Payment Service | 747 |
| Tencent | Online/Cloud Service | 497 |
| M & T Bank | Financial | 418 |
| Webmail Providers | Email Provider | 330 |
| PayPal Inc. | Payment Service | 303 |
Phishing attacks targeting Tencent rose by more than 50% in January, followed by a 49% increase in attacks impersonating Microsoft products - Office365 and Outlook. Phishing targeting Amazon decreased by 42% month-over-month. There were no changes in the top 10 targeted brands between January and December.
| TLD | Type | % Phishing URLs |
|---|---|---|
| com | gTLD | 43.10% |
| app | gTLD | 14.15% |
| org | gTLD | 6.98% |
| ru | ccTLD | 3.03% |
| net | gTLD | 2.08% |
| app | gTLD | 2.23% |
| xyz | gTLD | 2.05% |
| co | ccTLD | 1.70% |
| cn | ccTLD | 1.43% |
| page | gTLD | 1.37% |
Threat actors exploited a total of 433 TLDs for phishing content, an increase of 14% compared to the previous month. The legacy TLDs accounted for 52% of the phishing URLs. The .app gTLD saw a 7x increase in phishing content month-over-month, followed by a 2x increase for the .co ccTLD.
| ASN | ASN Name | Hostnames |
|---|---|---|
| AS54113 | Fastly | 6750 |
| AS46606 | Unified Layer | 2500 |
| AS13335 | Cloudflare, Inc. | 2029 |
| AS27647 | Weebly, Inc. | 2018 |
| AS8075 | Microsoft Corporation | 1948 |
| AS15169 | Google LLC | 1413 |
| AS22612 | Namecheap, Inc. | 729 |
| AS14618 | Amazon.com, Inc. | 504 |
| AS8100 | QuadraNet Enterprises LLC | 492 |
| AS16509 | Amazon.com, Inc. | 454 |
A total of 979 ASNs hosted phishing sites, an increase of 2% compared to December. Fastly saw a 15x increase in the number of unique hostnames, while phishing content hosted on Google, Digital Ocean and Amazon declined by 35% on average compared to the month before.