In our continued expansion and exploration of data from this year’s annual Phishing Trends and Intelligence report it’s time to take a closer look into free hosts. More specifically, the free hosts and domains that threat actors abuse in order to further distribute phishing attacks. While phishing sites that abuse free hosts don’t make up the majority, the use of them is increasing dramatically.
The quantity (not share) of phishing sites using a free hosting provider more than doubled in 2018
According to this year’s report, the number of phishing attacks using a free hosting provider more than doubled (+140%) and the volume increased by nearly 80% in 2018. In total, phishing sites on free hosts made up 14% of all phishing attacks in 2018. In comparison, over the past four years we have seen some larger gains. In 2015 free hosting providers accounted for around 3% of the total volume, but is now up to about 13.8%
According to our analysts, like total volume, free hosting volume climbed through April. After the initial climb, it then remained steady through the rest of the year, except towards August and September when free hosts comprised 23% and 19% of total phishing volume respectively. As for where the majority of phish were housed, the most popular free host was 000webhostapp that housed 69% of freely hosted phish used this service.
Among the primary methods for a threat actor to distribute a phishing attack are the use of compromised websites, free hosts and domains, and domains that attempt to spoof legitimate sites. In the past, threat actors have been observed primarily taking over existing sites and compromising them, typically in the form of unsecure WordPress instances, and hiding malicious content on it. However, this year we have observed a significant increase in the use of free domains.
There are a few potential reasons for the shift, which can be as simple as an increase in activity by threat actors who prefer free hosts or because they are significantly easier to set up and distribute.
“Free hosting provides an easy way to setup phishing sites without having to pay for hosting or compromise an existing website. Phishers don’t even need to buy a domain, as they are assigned free subdomains, for example: THISSUBDOMAIN.000webhostapp.com”
And for the less technical threat actor who uses a phish kit, using a free host is almost a necessity due to the accessibility it offers. A single threat group can create a large volume of sites in a short period of time, so total volume is heavily influenced by the activity of a small number of phishers. If a group that favors free hosts is very active one month, we’ll see a spike.
Financial and Email Industries Hit Hardest
Financial institutions and email/online services accounted for more than half of all phishing in 2018, which means that fluctuations in total phishing volume closely mirror the trends in these two industries. The August spike also coincides with a substantial rise in phishing attacks hosted with free providers.
In particular, the financial industry was hit the hardest by phish on free hosting providers - 23.6% of all financial phish were hosted on a free provider. By comparison, webmail or email services were targeted by threat actors using 11.6% of their phish on freely hosted sites. In August, we also saw a large spike in attacks targeting email services, too.
The campaign that targeted a popular company consisted of over 2,000 freely hosted phish and all used the same phish kit. The similarity of all the phish in this campaign leads us to believe one threat actor/threat actor group was behind the attacks.