Get The Latest Insights

By The PhishLabs Team | June 17, 2021

In Q1, PhishLabs analyzed hundreds of thousands of phishing attacks and found more than 62% abused legitimate no-cost tools or services. 
 
 
In this post, we take a look at findings from our Q1 Threat Trends and Intelligence Report and review the free services that were most commonly abused to stage phishing sites.  
 
Methods of Staging Phishing Sites
 

Free Domain Registration

In Q1, 23.1% of phishing sites took advantage of free domain registration services. These services allow individuals to register a new domain name at no cost. Once the domain has been registered, it can be pointed to a site hosting phishing content. It’s also worth noting that free domain registration services were abused nearly twice as often than paid domain registration services in Q1.  
 

Free Hosting

In Q1, free hosting was used to stand up 20% of phishing sites. Websites that use free hosting services are typically set up as a subdomain on the hosting provider’s root domain (e.g. https://site123456.free-hosting-service.com), which makes brand impersonation more difficult. However, the low cost makes phishing sites more disposable. Threat actors that abuse free hosting are often trading effectiveness for volume and efficiency.    
 

Tunneling 

Tunneling services such as Open VPN and Ngrock allow public URLs to be assigned to local servers.  Many of these services have free options that are being increasingly abused to stage phishing sites. In Q1, tunneling services were used to stage phishing sites 10.9% of the time. 
 

URL Shorteners

Commonly used by threat actors to mask malicious links, spam victims, and even mine cryptocurrency, URL shorteners were abused by 5.2% of phishing sites in Q1. 
 

Development Tools

The use of online development tools to stage phishing sites is an emerging trend. Developers use these tools to build, test, and deploy code in online environments without having to set up their own infrastructure. Many of these development tools have no cost options that can be abused to build and deploy phishing sites on public URLs. Development tools were abused in 2.8% of phishing sites in Q1.   
 
Analysis of how phishing sites were staged in Q1 indicates threat actors are building infrastructures using free solutions, and businesses should direct detection efforts toward no-cost options. 
 
Learn more about free tool abuse here.
 
Additional Resources: