Interisle publishes quarterly data about cybercrime activity (for phishing, malware, and spam) at the Cybercrime Information Center.
Here we peek at the data for the month of January 2025. We’ll point out anything that strikes us as particularly interesting in overall numbers as well as significant changes in ranking for TLDs, Registrars, and Hosting Networks.
Overall Numbers
We observed month-over-month growth in all three cybercrimes, but most significantly in phishing (93% growth) and spam (125% growth). Much of that growth is attributable to reports collected for 3 Jan 2025, when we saw a two-orders-of-magnitude increase in both phishing and spam reports.
Phishing
53% of all the phishing attacks for the whole month were reported on 3 Jan 2025. Nearly two-thirds of those were using maliciously registered domains. Hardly any were using subdomain reseller accounts.
A quarter of these phishing attacks used domains registered in .top, .lol, and .ru. More than 40% of those attacks came via domains registered through GMO (Onamae), NICENIC, and NameSilo. Nearly 40% of those attacks came from addresses hosted at Cloudflare (AS13335) and Amazon (AS16509).
Malware
The breakdown of malware types (Endpoint Malware vs. IoT Malware vs. Malicious IP Address Malware vs. uncategorized) shifted, with less Endpoint and IoT Malware and more Malicious IP Address Malware. However, the malware reports that were uncategorized grew, which might reflect that reporters of malware have not always indicated the specific type of malware involved.
Spam
55% of all the spam reports for the whole month were reported on 3 Jan 2025. More than a quarter of those were using subdomain reseller accounts, with these five: CTG Server Limited, Cloudflare London, LLC, Dimension Network & Communication Limited, and Microsoft Corporation accounting for a third of that day’s subdomain spam reports.
Name Resource Misuse
The number of unique domain names reported for each cybercrime at least doubled.
Cybercrimes were detected across more TLDs than the previous month, meaning that cybercriminals have been able to make use of more TLDs.
The number of subdomain reseller accounts used for phishing only showed a small increase, but the number of those accounts used to host spam content grew by 60%.
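The figures above (the share of a month's reports that fell on a single day, the shares by TLD, registrar and hosting ASN, the number of unique domain names, the number of distinct TLDs, the number of subdomain reseller accounts, and month-over-month growth) are aggregations that a defender can run over their own phishing feed. The following Python is an added example and is not Interisle's code or data: the report records are constructed, the registrar and ASN names are illustrative, and the TLD is taken to be the rightmost label of the domain (no public suffix list is consulted), which is an assumption.

```python
from collections import Counter, namedtuple
from datetime import date

Report = namedtuple("Report", "day domain registrar asn malicious_reg reseller")

# Constructed sample reports (not Interisle data). One record per reported phishing attack.
# registrar is None for subdomain reseller accounts, which have no registrar of their own.
REPORTS = [
    Report(date(2025, 1, 3), "login-secure.top", "GMO (Onamae)", "AS13335", True, False),
    Report(date(2025, 1, 3), "bank-alert.lol", "NICENIC", "AS16509", True, False),
    Report(date(2025, 1, 3), "shop.example.ru", "NameSilo", "AS13335", False, False),
    Report(date(2025, 1, 3), "victim.pages.dev", None, "AS13335", False, True),
    Report(date(2025, 1, 10), "cheap-meds.shop", "GMO (Onamae)", "AS16509", True, False),
    Report(date(2025, 1, 18), "news.example.de", "IONOS", "AS8560", False, False),
    Report(date(2025, 1, 25), "login-secure.top", "GMO (Onamae)", "AS13335", True, False),
    Report(date(2024, 12, 12), "old-lure.top", "GMO (Onamae)", "AS13335", True, False),
]


def month_reports(reports, year, month):
    """Reports whose report date falls in the given calendar month."""
    return [r for r in reports if r.day.year == year and r.day.month == month]


def tld_of(domain):
    # Assumption: the rightmost label is the TLD; a public suffix list is not consulted.
    return "." + domain.rsplit(".", 1)[-1].lower()


def share_by(reports, keyfunc):
    """Percentage of reports per key, largest first (the TLD / registrar / ASN breakdowns)."""
    counts = Counter(keyfunc(r) for r in reports)
    total = sum(counts.values())
    return {k: round(100 * n / total, 1) for k, n in counts.most_common()}


def peak_day(reports):
    """The single day with the most reports and its share of the month's reports."""
    counts = Counter(r.day for r in reports)
    day, n = counts.most_common(1)[0]
    return day, round(100 * n / len(reports), 1)


def name_resource_metrics(reports):
    """Counts behind the 'Name Resource Misuse' style figures for one month."""
    registered = [r for r in reports if not r.reseller]
    domains = {r.domain for r in registered}
    malicious = {r.domain for r in registered if r.malicious_reg}
    return {
        "unique_domains": len(domains),
        "tlds": len({tld_of(d) for d in domains}),
        "malicious_reg_share": round(100 * len(malicious) / len(domains), 1) if domains else 0.0,
        "reseller_accounts": len({r.domain for r in reports if r.reseller}),
    }


def growth_pct(current, previous):
    """Month-over-month growth in percent; None when the previous month had nothing to compare."""
    if previous == 0:
        return None
    return round(100 * (current - previous) / previous, 1)


if __name__ == "__main__":
    jan = month_reports(REPORTS, 2025, 1)
    dec = month_reports(REPORTS, 2024, 12)
    print("peak day:", peak_day(jan))
    print("by TLD:", share_by(jan, lambda r: tld_of(r.domain)))
    print("by registrar:", share_by([r for r in jan if r.registrar], lambda r: r.registrar))
    print("by ASN:", share_by(jan, lambda r: r.asn))
    print("name resources:", name_resource_metrics(jan))
    m_jan, m_dec = name_resource_metrics(jan), name_resource_metrics(dec)
    print("unique-domain growth %:", growth_pct(m_jan["unique_domains"], m_dec["unique_domains"]))
```

Subdomain reseller accounts are kept out of the registrar breakdown and out of the unique-domain count, since the reseller, not a registrar, controls the name; that separation is what makes the "maliciously registered" share meaningful.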
TLDs
Phishing activity increased most significantly in .lol, .shop, .ru, .finance, .support, .sbs, and .mom (by phishing domains reported or phishing domain score).
Malicious phishing domain registrations increased significantly in .lol, .ru, .sbs, and .de.
We observed the most significant increases in malware domains reported in .top, .eu, .it, .pl, .vn, and .hu.
Spam activity increased most significantly in .club, .app, and .pro (by spam domains) and .ooo, .rest, .wang, .wiki, and .club (by spam domain score).
Registrars
Phishing activity increased most significantly for domain names registered through GMO (Onamae), OwnRegistrar, Aceville, and IONOS (by phishing domains) and through Aceville, GMO (Onamae), and Eranet (by phishing domain score).
Malicious phishing domain registrations increased significantly for domain names registered through GMO (Onamae), REG.RU, Aceville, and Realtime Register.
The most significant increases in malware domains were for domain names registered through NICENIC, REG.RU, Alibaba (HiChina), and CSL (Joker).
Spam activity increased most significantly for domain names registered through eNom, Hongkong Kouming, and Wild West Domains (by spam domains) and MAT BAO, Aceville, and Hongkong Kouming (by spam domain score).
Hosting Networks (ASNs)
Phishing activity increased significantly at Clayer (AS137951) and diva-e Datacenters (AS44066) (by phishing attacks) and SonderCloud (AS133199), Hong Kong Communications (AS140227), diva-e Datacenters (AS44066), Tier.Net (AS397423), PEG TECH (AS398478) (by phishing attack score).
We observed significant increases in malware hosted at TELEFONICA BRASIL (AS26599), Telecom Italia (AS3269), and NTT Communications (AS4713). We also saw significant increases in the number of malware addresses hosted at Chunghwa Telecom (AS3462), TELEFONICA BRASIL (AS26599), Telecom Italia (AS3269), and NTT Communications (AS4713).
Spam activity increased significantly using the networks Google (AS15169) and Cloudflare (AS209242) (by spam attacks) and Hong Kong Communications (AS140227), Gigabit Hosting (AS55720), and GTHost (AS63023) (by spam attack score).
Quarterly Phishing Results
The quarterly phishing activity results for November 2024 to January 2025 are available from the Phishing Activity page at the Cybercrime Information Center.