I found a phishing filter (here) which can be used in content blockers (as well as adblockers) like uBlock Origin. I wanted to analyze the phishing links — and this is the analysis.
Popular Web Hosts
Who are the web hosts (and website builders) that are used the most often in the phishing websites examined?
Weebly (a free website builder), with
This refers to the R2 file storage offered by Cloudflare®.
crazydomains.com (with their Sitebeat website builder), with
Interestingly, the domains I tested seemed to redirect to
global_errors.sitebeat.crazydomains.com with a “Coming Soon” page (which is also in the filter list)
workers.dev (Cloudflare Workers), with
Just these 5 domains cover 66% of recognized hosting providers.
Dynamic DNS is a service where a fixed hostname maps to a dynamic IP address (like a home IP address) that updates regularly.
ddns.net and ddnss.eu, with
This category consists of platforms that host documents, spreadsheets and presentations.
Google Docs, with
This includes 74 forms, 10 documents, 6 drawings, and 1,206 presentations.
Almost all presentations contain “/pub?” with some data as URL parameters. I’m not too sure what this does.
In addition, Google Drive has
Many of the URLs seem to be taken down, either by the owner or by Google.
This consists of tools that allow users to build forms.
Microsoft Forms, with
Google Forms (forms.gle), with
formstack.com and hsforms.com, with
102 entries for “script.google.com” (Google Apps Script) which link to macros and running the script, sometimes with parameters to track the user that clicks.
There are 4 government domains, none of which seem inherently malicious. In each case the entire domain is blocked by the phishing filter.
I’m not listing these domains here because the pattern is what matters, not an individual country.
98 unique IP(v4) addresses (with 441 entries) exist in the phishing filter list.
(ipinfo.io was used as the source for the information below.)
ASNs (Autonomous System Numbers) identify the organizations that own one or more blocks of IP addresses and use them to provide services to their customers (hosting providers, ISPs, some VPNs).
“AS132203 Tencent Building, Kejizhongyi Avenue” with
“AS14061 DigitalOcean, LLC” and “AS16276 OVH SAS” with
5 IP addresses each.
“AS396982 Google LLC” with
Santa Clara (California, US) with
Beauharnois (Quebec, Canada) with
Twitter’s link shortener (t.co) with
IPFS is a Web3 technology that allows decentralized hosting of files. These are not directly accessible in a browser, but through gateways like those from Cloudflare, ipfs.io and others.
When I saw the numbers for IPFS, I was genuinely surprised.
From Cloudflare IPFS alone, there are
(I also want to point out that BleepingComputer has an article about Cloudflare’s IPFS gateway being used for phishing attacks, showing its prominence.)
Infura IPFS with
These are techniques where the domain looks harmless but the URL leads to another website (link shorteners are not included).
39 entries – this uses an “away” page that redirects to another website (an account on VKontakte is required).
22 entries⁴, with 13 URLs having the path “/url?q=[insert a url-encoded url here]” and
9 entries using AMP to have a Google domain, but with a phishing page.
They’re having their cake and eating it too.
translate.goog (Google Translate for websites), with
8 URLs, all of which contain “continue=” and “followup=” with URLs as the values. This redirects the user after they’re signed in.
6,593 uncategorized domains.
3,058 domains use a “.com” TLD.
437 domains use a “.top” TLD.
217 domains use a “.br” TLD.
200 domains use a “.net” TLD.
186 domains use a “.pl” TLD.
176 domains use a “.xyz” TLD.
108 domains use a “.org” TLD.
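The tallies above (hosting providers, Google Docs “/pub” presentations, IPFS gateway paths, “/url?q=” and “continue=”/“followup=” redirects, bare IP entries and TLD counts) can be reproduced over any uBlock-style list with a short script. The one below is an added example, not code from the post; the sample filter lines in it are constructed, and the provider suffix mapping and the set of redirect parameter names are assumptions chosen to cover the domains and parameters named in this analysis.

```python
"""Tally providers, TLDs, IP entries and redirect-style URLs in a uBlock-style filter list.
Added example; SAMPLE_FILTER is constructed and not taken from the real phishing filter."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed lines in uBlock Origin / Adblock Plus syntax; every host and CID here is made up.
SAMPLE_FILTER = """\
! Title: constructed sample (not the real phishing filter)
||login-verify.weeblysite.com^
||secure-update.weeblysite.com^
||mail-check.workers.dev^
||my-router.ddns.net^
|https://docs.google.com/presentation/d/e/2PACX-abc123/pub?start=false
|https://www.google.com/url?q=https%3A%2F%2Fexample-phish.top%2Flogin
|https://accounts.google.com/ServiceLogin?continue=https://example-phish.xyz/&followup=https://example-phish.xyz/
|https://cloudflare-ipfs.com/ipfs/bafybeiexampleconstructedcidnotreal00000000000000000000/
||example-phish.top^
||example-phish.xyz^
||cheap-deals.com.br^
||203.0.113.5^
"""

# Host suffix -> provider label (assumed mapping covering domains named in the analysis).
PROVIDERS = {
    "weeblysite.com": "Weebly",
    "workers.dev": "Cloudflare Workers",
    "ddns.net": "Dynamic DNS",
    "cloudflare-ipfs.com": "Cloudflare IPFS",
    "docs.google.com": "Google Docs",
}
# Query parameters that act as redirect targets when their value is itself a URL (assumed set).
REDIRECT_PARAMS = {"q", "continue", "followup", "url", "redirect"}
# Gateway path carrying a content identifier; CIDv0 ("Qm...") and CIDv1 ("bafy...") are both long.
IPFS_PATH = re.compile(r"^/ipfs/[A-Za-z0-9]{40,}")
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_line(line):
    """Return (host, path, query) for one filter line; None for comments, blanks, other rule types."""
    line = line.strip()
    if not line or line.startswith("!"):
        return None
    if line.startswith("||"):
        # Domain rule: "||host^" or "||host/path"; the trailing "^" is the separator anchor.
        host, _, rest = line[2:].rstrip("^").partition("/")
        path, _, query = ("/" + rest if rest else "").partition("?")
        return host.lower(), path, query
    if line.startswith("|"):
        # Exact-URL rule: "|https://host/path?query".
        parts = urlsplit(line.lstrip("|"))
        return (parts.hostname or "").lower(), parts.path, parts.query
    return None

def provider_of(host):
    """Map a host to a provider label by suffix match, or None if unrecognised."""
    for suffix, name in PROVIDERS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def tld_of(host):
    """Last DNS label, the way the analysis counts TLDs (".br" for "x.com.br")."""
    return "." + host.rsplit(".", 1)[-1]

def redirect_targets(query):
    """Hostnames found in URL-valued redirect parameters of a query string."""
    targets = []
    for param, values in parse_qs(query).items():
        if param in REDIRECT_PARAMS:
            for value in values:
                candidate = unquote(value)  # tolerate double-encoded values
                if candidate.startswith(("http://", "https://")):
                    targets.append(urlsplit(candidate).hostname)
    return targets

def analyse(filter_text):
    """Walk the list once and tally the categories used in the analysis above."""
    stats = {"providers": Counter(), "tlds": Counter(), "ip_entries": 0,
             "ipfs_entries": 0, "docs_pub_entries": 0, "redirects": []}
    for line in filter_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, path, query = parsed
        if IPV4_HOST.match(host):
            stats["ip_entries"] += 1
            continue
        stats["tlds"][tld_of(host)] += 1
        name = provider_of(host)
        if name:
            stats["providers"][name] += 1
        if IPFS_PATH.match(path):
            stats["ipfs_entries"] += 1
        if host == "docs.google.com" and path.endswith("/pub"):
            stats["docs_pub_entries"] += 1
        for target in redirect_targets(query):
            stats["redirects"].append((host, target))  # (innocent-looking host, real destination)
    return stats
```

Running `analyse(SAMPLE_FILTER)` on the constructed list gives Weebly 2, “.com” 6, one IP entry, one IPFS gateway entry, one “/pub” presentation and three redirect pairs whose outer host is a Google domain but whose real destination is a “.top” or “.xyz” site, which is exactly the pattern the redirect section above describes. The redirect check is the part worth reusing on its own: a URL-valued `q=`, `continue=` or `followup=` parameter on a trusted host is a cheap signal to surface in mail or proxy logs, since the trusted domain alone says nothing about where the user ends up.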
The Big Picture
The filter list has more than 2,100 entries for both
web.app, due to the data sources of the filter list including both domains. Websites on both domains have been filtered down to just one, leading to the lower number. ↩︎
Weebly has two domains which are
weeblysite.com for hosted websites, in which none of the entries are duplicates. ↩︎
This is across two domains (
cloudflare-ipfs.com) with duplicate addresses removed. ↩︎
23 entries, but one of them was a search, so that’s been excluded. ↩︎