I found a phishing filter (here) which can be used in content blockers (as well as adblockers) like uBlock Origin. I wanted to analyze the phishing links — and this is the analysis.

Who are the web hosts (and website builders) that are used the most often in the phishing websites examined?

  1. Google for Firebase Hosting, with 2,428 unique websites 1.

  2. Weebly (a free website builder), with 2,239 websites. 2

  3. r2.dev, with 1,286 entries.
    This refers to the R2 file storage offered by Cloudflare®.

  4. crazydomains.com (with their Sitebeat website builder), with 1,164 websites.
    Interestingly, the domains I tested seemed to redirect to global_errors.sitebeat.crazydomains.com with a “Coming Soon” page (which is also in the filter list)

  5. workers.dev (Cloudflare Workers), with 759 entries
    Cloudflare Workers is a service which allows a user to run JavaScript on their edge nodes. I presume these could be proxies or returning hardcoded HTML. However, the code isn’t visible so that’s just speculation.

Just these 5 domains cover 66% of recognized hosting providers.

Dynamic DNS

Dynamic DNS is a service where a fixed hostname maps to a dynamic IP address (like a home IP address) that updates regularly.

  1. DuckDNS, with 138 entries.

  2. DynDNS, with 20 entries.

  3. ddns.net and ddnss.eu, with 1 entry each.

Documents

This category consists of platforms that host documents, spreadsheets and presentations.

  1. Google Docs, with 1,296 entries.
    This includes 74 forms, 10 documents, 6 drawings, and 1,206 presentations.
    Almost all presentations contain “/pub?” with some data as URL parameters. I’m not too sure what this does.
    In addition, Google Drive has 9 entries.
    Many of the URLs seem to be taken down, either by the owner or by Google.

  2. telegra.ph, with 3 entries.

  3. notion.site, with 2 entries.

Forms

This consists of tools that allow users to build forms.

  1. Microsoft Forms, with 62 forms.

  2. forms.app, with 24 forms.

  3. Google Forms (forms.gle), with 15 forms.

  4. JotForm, with 11 forms.

  5. formstack.com and hsforms.com, with 7 forms each.

Scripts

There are 102 entries for “script.google.com” (Google Apps Script) which link to macros and running the script, sometimes with parameters to track the user that clicks.

Government

There are 4 government domains, none of which seem inherently malicious. The entire domain is blocked by the phishing filter.
I’m not listing these domains here because the pattern is what matters, not an individual country.

IP Addresses

98 unique IP(v4) addresses (with 441 entries) exist in the phishing filter list.

(For the below information, ipinfo.io was used as a source)

Top ASNs

ASNs (Autonomous System Numbers) are the organizations that own a block(s) of IP addresses to provide services to their customers (hosting providers, ISPs, some VPNs)

  1. “AS132203 Tencent Building, Kejizhongyi Avenue” with 46 IP addresses.

  2. “AS14061 DigitalOcean, LLC” and “AS16276 OVH SAS” with 5 IP addresses each.

  3. “AS396982 Google LLC” with 4 IP addresses.

Top Cities

  1. Singapore with 40 IP addresses.

  2. Santa Clara (California, US) with 9 IP addresses.

  3. Beauharnois (Quebec, Canada) with 4 IP addresses.

  1. TinyURL, with 176 entries.

  2. Bitly, with 161 entries.

  3. Twitter’s link shortener (t.co) with 160 entries.

  4. s.id with 115 entries.

  5. t.ly with 33 entries.

IPFS

IPFS is a Web3 technology that allows decentralized hosting of files. These are not directly accessible in a browser, but through gateways like those from Cloudflare, ipfs.io and others.

When I saw the numbers for IPFS, I was genuinely surprised.

  1. From Cloudflare IPFS alone, there are 5,380 entries.3
    (I also want to point out that BleepingComputer has an article about Cloudflare’s IPFS gateway being used for phishing attacks, showing its prominence.)

  2. ipfs.io with 990 entries.

  3. nftstorage.link with 805 entries.

  4. dweb.link with 416 entries.

  5. Infura IPFS with 366 entries.

Evasion Methods

These are methods used such that the domain seems innocent but leads to another website (not including link shorteners).

  1. VKontakte, with 39 entries – this uses an “away” page that redirects to another website (an account on VKontakte is required).

  2. google.com, with 22 entries4 with 13 URLs having the path “/url?q=[insert a url-encoded url here]” and 9 entries using AMP to have a Google domain, but with a phishing page. They’re having their cake and eating it too.

  3. translate.goog (Google Translate for websites), with 15 entries.

  4. accounts.google.com, with 8 URLs, all of which contain “continue=” and “followup=” with URLs as the values. This redirects the user after they’re signed in.

Uncategorized

There are 6,593 uncategorized domains.

  1. 3058 domains use a “.com” TLD.

  2. 437 domains use a “.top” TLD.

  3. 217 domains use a “.br” TLD.

  4. 200 domains use a “.net” TLD.

  5. 186 domains use a “.pl” TLD.

  6. 176 domains use a “.xyz” TLD.

  7. 108 domains use a “.org” TLD.

The Big Picture

A diagram showing the different means for phishing outlined in this article. Website Hosting/Website Builders is at 11,800. IPFS is at 8,634. Documents is at 1,236. Link Shorteners is at 735. Forms is at 147. Dynamic DNS is at 160.

Subscribe

See new posts on tercmd.com in your RSS reader!

Subscribe using RSS!

  1. The filter list has more than 2,100 entries for both firebaseapp.com and web.app, due to the data sources of the filter list including both domains. Websites on both domains have been filtered down to just one, leading to the lower number. ↩︎

  2. Weebly has two domains which are weebly.com and weeblysite.com for hosted websites, in which none of the entries are duplicates. ↩︎

  3. This is across two domains (cf-ipfs.com and cloudflare-ipfs.com) with duplicate addresses removed. ↩︎

  4. There were 23 entries, but one of them was a search, so that’s been excluded. ↩︎