In Q1, PhishLabs analyzed hundreds of thousands of phishing attacks and found more than 62% abused legitimate no-cost tools or services.
In this post, we take a look at findings from our Q1 Threat Trends and Intelligence Report and review the free services that were most commonly abused to stage phishing sites.
Methods of Staging Phishing Sites
Free Domain Registration
In Q1, 23.1% of phishing sites exploited free domain registration services. These services enable actors to obtain domain names at no cost, which can then be directed to infrastructure hosting phishing content. Notably, free domain registration services were abused at nearly twice the rate of paid registration services during this period.
Free Hosting
In Q1, free hosting was used to stand up 20% of phishing sites. Websites that use free hosting services are typically set up as a subdomain on the hosting provider’s root domain (e.g. https://site123456.free-hosting-service.com), which makes brand impersonation more difficult. However, the low cost makes phishing sites more disposable. Threat actors that abuse free hosting are often trading effectiveness for volume and efficiency.
Tunneling
Tunneling services such as OpenVPN and Ngrok, which assign public URLs to local servers, are increasingly being weaponized to host phishing sites. With free options readily available, their abuse has become widespread. In Q1 alone, tunneling services accounted for 10.9% of all phishing site infrastructure.
URL Shorteners
Commonly used by threat actors to mask malicious links, spam victims, and even to mine cryptocurrency, URL shorteners were abused by 5.2% of phishing sites in Q1.
Development Tools
The abuse of online development platforms to stage phishing sites is an emerging tactic. While these tools are designed to let developers build, test, and deploy code without standing up their own infrastructure, many offer free tiers that threat actors exploit to launch phishing sites on public URLs. In Q1, 2.8% of phishing sites were staged using these services. This trend highlights how adversaries increasingly rely on no-cost solutions to build their infrastructure — underscoring the need for businesses to focus detection efforts on free and easily accessible platforms.
Learn more about free tool abuse.
Additional Resources from Fortra Brand Protection: