Phishing is an online threat that doesn’t seem to go away, in particular, because it has been very effective. Our H1 2020 Attack Landscape report has indicated that email still remains the preferred  method for malicious threat actors for delivering spam, phishing and other malicious content.

The current pandemic that is going on in the real world has not changed or slowed down the pace of malicious threat activities in the cyber world. Phishing emails remain rampant, and with most organization infrastructures shifting to cloud and with the proliferation of remote work and studies, the phishing themes have also shifted to target credentials of those tools and platforms.

In this post, we review the statistics of the phishing emails we have seen since October 2020.

Web and application hosting services a popular choice

The top 3 domains seen hosting phishing pages come from web or application hosting services while the rest are mostly compromised domains.


Figure 1: Breakdown of the top 20 domains seen hosting phishing pages

These hosting services have recently become a popular choice for the attackers because the cost involved in setting up a webpage is relatively low or sometimes even free for basic use. As phishing pages are oftentimes taken down quite quickly after being reported, the use of hosting services enables threat actors to generate and switch their pages rapidly without substantial downtime.

By placing phishing pages to hosting services, threat actors also try to add a layer of legitimacy for the users as those services provide SSL certificates (reflected in the “https” prefix in the URLs). We expect this to remain as a popular choice for threat actors because it saves their resources and efforts of identifying domains or web servers that they could compromise before hosting their phishing pages.