At the Cybercrime Information Center, we periodically rank hosting networks (autonomous systems, AS) by the number of phishing attacks reported. Autonomous systems assigned to hosting providers in the US and China typically dominate the top 10. In this article, we take a closer look at our data to better understand what’s hosted at three autonomous systems that have appeared at or near the top in recent quarters: Shenzhen Tencent Computer Systems (AS 132203), Amazon (AS 16509), and Cloudflare (AS 13335). We’ll also review who’s being targeted by these attacks and which corresponding name and address resources are most frequently exploited.
AS 132203, where phishers get more than their ten cents’ worth
China hosting providers had 49,676 phishing attacks reported in the November 2024 to January 2025 quarter. We associated IPv4 addresses of 52 AS numbers with hosting attacks.
Nearly two-thirds (64%) of those addresses come from IPv4 address blocks assigned to Shenzhen Tencent Computer Systems. Six of these address blocks hosted more than 1,000 phishing attacks:
The Top-level Domain most frequently associated with IPv4 addresses in Shenzhen Tencent was .TOP. Nearly all (97%) of the 17,346 .TOP domains reported for phishing were maliciously registered.
Delivery services were among the primary targets of phishing attacks hosted in Shenzhen Tencent in the November 2024 to January 2025 period: the USPS brand attracted the most attention here, with 4,677 of the 14,409 reported as hosted at this AS targeting USPS.
Shenzhen Tencent was also identified as the hosting AS for a large number of the domains that we associated with unpaid toll scams.
AS 16509: The perfect phishing spot address
Amazon-02 (AS 16509) sits at the head of a large set of autonomous systems assigned to Amazon, with 62,474 different IPv4 addresses reported as hosting phishing attacks in that quarter. A closer look reveals that:
34,058 phishing attacks were associated with a single address block: 13.248.192.0/20.
All 34,058 of these attacks used domains registered in the .BOND TLD.
All but three attacks were associated with a single IP address: 13.248.192.209.
All were registered via one registrar: Key-Systems.
There is evidence in our data of algorithmically generated domain registrations made over a long period of time (nearly daily during that quarter).
Behavior with characteristics of bulk registration is evident; for example, we found sequences of domain names of these and similar forms: construction-services-<number>.bond, roofing-services-<number>.bond, security-apps-<number>.bond.
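The numbered sequences described above are easy to surface programmatically. The following is an added example, not code from the Cybercrime Information Center: it collapses the numeric part of each domain into a template, groups registrations by template, and reports groups that look like bulk registration (several members, consecutive numbers, activity spread over multiple days). The registration records are constructed sample data shaped like the .bond names the article cites, not real registrations.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample records (domain, registration date) modelled on the
# article's .bond sequences; none of these are real registrations.
SAMPLE_REGISTRATIONS = [
    ("construction-services-101.bond", date(2024, 11, 3)),
    ("construction-services-102.bond", date(2024, 11, 4)),
    ("construction-services-103.bond", date(2024, 11, 5)),
    ("construction-services-104.bond", date(2024, 11, 6)),
    ("roofing-services-7.bond", date(2024, 11, 3)),
    ("roofing-services-8.bond", date(2024, 11, 4)),
    ("roofing-services-9.bond", date(2024, 11, 5)),
    ("security-apps-21.bond", date(2024, 12, 1)),
    ("security-apps-22.bond", date(2024, 12, 1)),
    ("example-bakery.bond", date(2024, 11, 20)),
    ("my-family-blog.com", date(2024, 11, 21)),
]


def template_of(domain):
    """Collapse every run of digits into <number> so members of one
    numbered sequence share a single key."""
    return re.sub(r"\d+", "<number>", domain.lower())


def find_bulk_sequences(records, min_members=3):
    """Group domains by template and return the groups with at least
    min_members registrations, with the numbers seen, whether they are
    consecutive, and how many distinct days the registrations span."""
    groups = defaultdict(list)
    for domain, reg_date in records:
        tpl = template_of(domain)
        if tpl == domain.lower():
            continue  # no numeric component: not a sequence candidate
        first_number = int(re.findall(r"\d+", domain)[0])
        groups[tpl].append((first_number, reg_date))

    result = {}
    for tpl, members in groups.items():
        if len(members) < min_members:
            continue
        numbers = sorted(n for n, _ in members)
        days = sorted({d for _, d in members})
        result[tpl] = {
            "count": len(members),
            "numbers": numbers,
            "consecutive": all(b - a == 1 for a, b in zip(numbers, numbers[1:])),
            "days_active": len(days),
            "first_seen": days[0],
            "last_seen": days[-1],
        }
    return result


if __name__ == "__main__":
    for tpl, info in find_bulk_sequences(SAMPLE_REGISTRATIONS).items():
        print(tpl, info)
```

On real registration feeds the same grouping works on zone-file deltas or on the domains in a phishing report; raising `min_members` and requiring `consecutive` keeps the output to the clearly templated runs.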
This is a useful illustration of how the business practices of a single registrar have cascading, adverse effects on domain registry and hosting operators.
The largest number of phishing domains associated with IPv4 addresses in Amazon-02 were registered in .COM. Of the 10,582 domains reported, 6,064 were maliciously registered, and 1,300 were associated with phishing attacks that targeted cryptocurrencies or wallets.
Domains registered in .APP were associated with 6,067 Amazon-02 addresses. Over 80% of these addresses were associated with subdomains of vercel.app. The web applications platform Vercel uses the vercel.app domain for its customers. 3,776 of the subdomains were associated with phishing attacks on the Facebook or Meta brands.
AS 13335: A road flare for Cloudflare
USA hosting providers had a disturbing 326,654 phishing attacks reported. Nearly one-half of these were associated with addresses assigned to CLOUDFLARENET (AS 13335). Six blocks in AS 13335 each had over 13,000 addresses associated with phishing attacks:
The Top-level Domains most frequently associated with phishing attacks reported as hosted at Cloudflare IPv4 addresses:
Phishing attacks that used .COM, .TOP, and .DEV exhibited some interesting patterns or behaviors.
.COM – Only the Meta brands (collectively) were identified with more than 1,000 phishing domains registered in .COM. An 11/24/2024 attack against Coinbase has the characteristics of a bulk registration attack using 640 domains of the form <numeric or alphanumeric string>-coinbase.com.
.TOP – 5,208 attacks that targeted USPS and used domain names registered in .TOP were hosted on Cloudflare addresses.
.DEV – Domains registered in .DEV were associated with attacks against cryptocurrencies or wallets (3,875) and Microsoft (454). However, three of the 16 .DEV domain names that appear in phishing URLs are worth a closer look:
R2.dev. 3,718 of the URLs associated with phishing attacks contained the domain name r2.dev. Cloudflare uses this domain for cloud customers to store, share, and in this case, abuse data in public buckets.
Pages.dev. In a December 2024 report, Fortra’s PhishLabs “frequently observed phishing redirects utilizing Cloudflare’s pages.dev sites. Phishing redirects are carried out to conceal the phishing URL from detection by evading security measures”. We saw this behavior throughout our reporting period, where we associated over 7,400 phishing attacks with subdomains of pages.dev.
Workers.dev. In the same report, PhishLabs explains that attackers are exploiting the Cloudflare Workers platform (hosted at workers.dev) to deploy phishing sites and conduct other cyberattacks. We found 2,100 phishing attacks hosted at subdomains of workers.dev. We submitted a sample of phishing URLs containing workers.dev to VirusTotal.com’s analyzer to confirm that phishers do abuse Cloudflare Workers to execute JavaScript code on the client side (the user’s device).
Closing Remarks
As tempting as it might seem to say “blocklist what we’ve identified here”, such an approach is too heavy-handed. What individuals and security staff can and should do is share a distilled version of our findings with friends, family, and colleagues:
Read the URLs carefully. If the domain name looks familiar, look again. If it’s unfamiliar, pause and do some research. Also, given the increased abuse of the .TOP TLD, be particularly careful of URLs containing domains registered in this TLD, especially if you do not routinely see .TOP domains. Be particularly careful of URLs that contain the domain names R2.dev, pages.dev, workers.dev, and vercel.app. Use reputable blocklist services. We recommend the same URBLs and DBLs that we employ.
If your organization currently blocklists IP addresses or is considering doing so, do so conservatively. For example, if you choose to blocklist addresses, first block individual addresses, then address blocks (prefixes, e.g., 13.248.192.0/20). Blocking an entire autonomous system is an extreme measure, but if you conclude that a given AS is too phishy a neighborhood, then we recommend the combined Spamhaus Don’t Route or Peer (DROP) and extended (eDROP) lists.
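The two recommendations above can be turned into a small, reviewable policy. The following is an added example, not code from the Cybercrime Information Center: `url_flags` raises the second-look signals the article names (a .TOP registration, or a subdomain of r2.dev, pages.dev, workers.dev, or vercel.app), and `TieredBlocklist` applies IP blocking conservatively, matching exact addresses before prefixes and reporting which tier matched. The watch lists are constructed from the names in this article, the address and prefix used in the usage block are the ones the article reports for Amazon-02, and the refusal to accept anything broader than a /16 is an assumption chosen to keep AS-wide blocking out of automated tooling.

```python
import ipaddress
from urllib.parse import urlsplit

# Watch lists built from the names this article singles out (constructed
# policy, not a vendor feed): shared platforms whose subdomains are abused,
# and a TLD with elevated abuse.
WATCHED_PLATFORMS = ("r2.dev", "pages.dev", "workers.dev", "vercel.app")
WATCHED_TLDS = ("top",)


def url_flags(url):
    """Return the reasons a URL deserves a second look, or [] if none apply."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ["no hostname"]
    flags = []
    labels = host.split(".")
    if labels[-1] in WATCHED_TLDS:
        flags.append(f"tld .{labels[-1]} has elevated abuse")
    for platform in WATCHED_PLATFORMS:
        if host == platform or host.endswith("." + platform):
            flags.append(f"subdomain of shared platform {platform}")
    return flags


class TieredBlocklist:
    """Conservative IP blocklist: exact addresses are checked first, then
    prefixes. lookup() reports which tier matched so reviewers can see the
    blast radius of each entry."""

    MAX_PREFIX_SPAN = 16  # assumption: nothing broader than a /16 without human review

    def __init__(self):
        self.addresses = set()
        self.prefixes = []

    def block_address(self, ip):
        self.addresses.add(ipaddress.ip_address(ip))

    def block_prefix(self, cidr):
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen < self.MAX_PREFIX_SPAN:
            raise ValueError(
                f"{cidr} is broader than /{self.MAX_PREFIX_SPAN}; "
                "AS-scale blocking belongs to reviewed feeds such as DROP/eDROP"
            )
        self.prefixes.append(net)

    def lookup(self, ip):
        """Return ('address', ip) or ('prefix', cidr) on a hit, else None."""
        addr = ipaddress.ip_address(ip)
        if addr in self.addresses:
            return ("address", str(addr))
        for net in self.prefixes:
            if addr in net:
                return ("prefix", str(net))
        return None


if __name__ == "__main__":
    for u in ("https://login-update.pages.dev/verify", "https://usps-track-123.top/x"):
        print(u, url_flags(u))
    bl = TieredBlocklist()
    bl.block_address("13.248.192.209")      # single address named in the article
    bl.block_prefix("13.248.192.0/20")      # the article's example prefix
    print(bl.lookup("13.248.192.209"), bl.lookup("13.248.200.5"), bl.lookup("13.248.208.1"))
```

Keeping the tier in the result makes it easy to audit how much traffic an entry could affect: an `address` hit is narrow, a `prefix` hit should be traced back to the evidence that justified the wider entry.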
And since January we have .xin starring as a new TLD for phishing
https://www.threatstop.com/blog/toll-scams-are-whats-happen.xin-right-now
The TLD has almost doubled in size (from ~40k to ~79k today) over the last month or so and I don't think any of the new domains are legit