Breaking Down Phishing Site TLDs and Certificate Abuse in Q1
Cybercriminals continue to heavily abuse domains to launch phishing attacks. PhishLabs’ analysis of Q1 phishing attacks has found that:
- 96% used Legacy Generic (gTLD) or Country Code (ccTLD) Top-level Domains
- Almost 83% abused HTTPS
- Domain Validated (DV) Certificates were used 94.5% of the time
For this analysis, PhishLabs looked at three categories of TLDs: Legacy gTLDs, ccTLDs, and New gTLDs.
In Q1, nearly all detected phishing sites used either a Legacy gTLD (54.7%) or ccTLD (41.5%).
New gTLDs were seen substantially less, identified in only 3.9% of attacks.
New gTLDs were seen substantially less, identified in only 3.9% of attacks.
Percent of Phish per TLD
Top-Level Domain Breakdown
Almost 47% of all phishing scams used the .com Legacy gTLD in Q1. Additionally,
.com contributed to 86% of all the Legacy gTLDs used for attacks.
.com contributed to 86% of all the Legacy gTLDs used for attacks.
Legacy gTLDs .org and .net were also among the top 10 most abused TLDs, although both volumes were significantly less than .com. The .org Legacy gTLD was identified in 4.9% of phishing scams, while .net was used 2% of the time.
Top 10 TLDs Abused
There were seven ccTLDs represented among the top 10 most abused TLDs. These seven accounted for 83% of all phishing scams hosted on ccTLDs.
It should be noted that five of the seven ccTLDs can be registered for free:
- .ML
- .TK
- .GA
- .CF
- .GQ
These codes are targeted to Africa and New Zealand, and may be registered through the Freenom domain provider.
HTTP vs. HTTPS
In Q1, threat actor use of SSL certificates went down slightly from Q4 2020, with 82.7% of phishing attacks using HTTPS. This is the first quarter that SSL did not show a significant increase.
Phishing sites hosted on HTTPS have leveled off for the past two quarters at approximately 83%, indicating threat actors are still using HTTP to stage sites. This continued use of HTTP is notable, as websites currently default to symbols that alert visitors to whether or not a site has a security certificate. This draws unwanted attention to website insecurity and how the user may be interacting with malicious content.
Phishing Sites Hosted on HTTP vs. HTTPS
SSL Certificate Validation
In Q1, 94% of identified phishing sites used Domain Validated (DV) SSL Certificates. DV Certificates are the lowest standard certificate threat actors can acquire, and can be accessed by proving operational control of the domain name. This process may be automated as well as free.
Less than 6% of threat actors abused Organization Validated (OV) Certificates. OV Certificates are validated through a few basic checks and are associated with greater costs.
Only 11 sites had Extended Validation (EV) Certificates in Q1. Rather than threat actors taking the time to acquire credentials for EV Certificates, each observed site was determined to be a once legitimate, now compromised webpage.
Learn more with the
Q1 2021 Threat Trends and Intelligence Report.
Q1 2021 Threat Trends and Intelligence Report.
Additional Resources:
*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Stacy Shelley. Read the original post at: https://info.phishlabs.com/blog/breaking-down-phishing-site-tlds-and-certificate-abuse-in-q1
