Home / Blogs

Phishing 2020: A Concentrated Dose of Badness

How much phishing is there? Where is it occurring, and why? How can it be reduced? I and my colleagues at Interisle Consulting have just published a new study called Phishing Landscape 2020, designed to answer those questions. We assembled a deep set of data from four different, respected threat intelligence providers and enriched it with additional DNS data and investigation. The result is a look at phishing attacks that occurred in May through July 2020.

The data revealed more than 122,000 newly discovered phishing sites, on 99,412 different domain names. One of the things we established is those numbers are just a floor. Phishing is a much larger problem than is reported, and we explore how this is due to gaps in detection, gaps in data sharing, and the lack of WHOIS data. An ominous problem is: how much phishing is not being detected at all?

The data also shows that most phishing is concentrated at a small number of domain registrars, domain registries, and hosting providers. These providers can make a significant impact on phishing if they implement better anti-abuse programs. The report breaks the data down, with rankings and ratings.

We took a special look at “maliciously registered domain names”—domains registered by the phishers themselves. These domains are important for two reasons. First, there are reliable ways that registrars and registry operators can identify them, often before they are used. Second, these domains can be suspended by registrars and registry operators without creating any collateral damage. The data shows that almost half of all maliciously registered domains were purchased at just ten gTLD registrars. More than 88% of the maliciously registered domains in our data set occurred in just 20 top-level domains. Again, this presents opportunities for a few providers to put a big dent in phishing.

We also looked at the timing of these domain name registrations, and at recent research about how long phishing attacks last. One of the conclusions is that registries, registrars, and hosting providers should implement better anti-abuse programs that focus more on prevention. Many anti-abuse programs focus on mitigation—taking steps to stop a phishing attack once it is underway. That’s a reactive stance, and by the time a mitigation effort gets underway, the phishing has already taken place. In some places, these reactive programs are allowing constant cycles of new phishing, leading to no overall improvement of Internet safety. Mitigation and proactive prevention are two very different things, both are possible to implement, and both are needed.

We invite you to read the full report, or just the executve summary.

By Greg Aaron, President, Illumintel Inc.

Filed Under


Some considerations Volker Greimann  –  Oct 19, 2020 5:13 PM

Thank your for this study, which made some interesting reading. Identifying abusive registrations before they can be used is certainly the ideal situation, however it is not as easy as you make it out to be.

Many registrar do not have access to the excellent data points that the report indicates are in our possession. As significant portions of the registrations are transacted through third parties, many registrars never see the payment details, source IPs or purchase histories of individual registrants for a majority of their registrations. 

I have doubts about the usefulness of whois data for identifying abusive domain names. Over the past years, our own experience has shown that a vast majority of malicious registrations reported to us actually have the best quality of registration data as this data was freshly harvested from one of the many data lists out there.

Many contracted parties do use feeds to detect abusive domains, but some of the providers are less then helpful as they do not show their work, e.g. they list a domain as abusive but will not provide evidence of how that conclusion was reached. This increases the risk of taking action against a false positive.

One of the best and safest methods we do have at our disposal is to take proactive action based on reactive action already taken. By looking for common characteristics amongst other domains that match those of an already identified domain, we often detect domains likely to be used in an abusive manner before they become active.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix


Sponsored byDNIB.com

Domain Names

Sponsored byVerisign


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC