Breaking Down Phishing Site TLDs and Certificate Abuse in Q1

Cybercriminals continue to heavily abuse domains to launch phishing attacks. PhishLabs’ analysis of Q1 phishing attacks has found that:
  • 96% used Legacy Generic (gTLD) or Country Code (ccTLD) Top-level Domains
  • Almost 83% abused HTTPS
  • Domain Validated (DV) Certificates were used 94.5% of the time  
For this analysis, PhishLabs looked at three categories of TLDs: Legacy gTLDs, ccTLDs, and New gTLDs. 
In Q1, nearly all detected phishing sites used either a Legacy gTLD (54.7%) or ccTLD (41.5%).
New gTLDs were seen substantially less often, identified in only 3.9% of attacks.
Percent of Phish per TLD

Top-Level Domain Breakdown

Almost 47% of all phishing scams used the .com Legacy gTLD in Q1. Additionally, .com accounted for 86% of all the Legacy gTLDs used for attacks.
Legacy gTLDs .org and .net were also among the top 10 most abused TLDs, although both volumes were significantly lower than that of .com. The .org Legacy gTLD was identified in 4.9% of phishing scams, while .net was used 2% of the time.
Top 10 TLDs Abused
There were seven ccTLDs represented among the top 10 most abused TLDs. These seven accounted for 83% of all phishing scams hosted on ccTLDs.
It should be noted that five of the seven ccTLDs can be registered for free:
  • .ML
  • .TK
  • .GA
  • .CF
  • .GQ
These codes are targeted to Africa and New Zealand, and may be registered through the Freenom domain provider. 


In Q1, threat actor use of SSL certificates went down slightly from Q4 2020, with 82.7% of phishing attacks using HTTPS. This is the first quarter that SSL did not show a significant increase. 
Phishing sites hosted on HTTPS have leveled off for the past two quarters at approximately 83%, indicating threat actors are still using HTTP to stage sites. This continued use of HTTP is notable, as browsers now display indicators by default that alert visitors to whether or not a site has a security certificate. For a threat actor, this draws unwanted attention to the site's insecurity and to the possibility that the user is interacting with malicious content.
Phishing Sites Hosted on HTTP vs. HTTPS
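To run the same kind of breakdown over your own feed of reported phishing URLs, the following added example (not PhishLabs' code or methodology) buckets each URL into the three TLD categories used above, counts the five free ccTLDs listed, and computes the HTTPS share. The Legacy gTLD set is a partial, assumed list, and the sample URLs are constructed.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Assumption: a partial list of gTLDs delegated before the 2012 new-gTLD round.
LEGACY_GTLDS = {"com", "net", "org", "info", "biz", "edu", "gov", "mil", "int",
                "name", "pro", "mobi", "jobs", "travel", "tel", "asia", "cat"}
# The five free-to-register ccTLDs named in the article.
FREE_CCTLDS = {"ml", "tk", "ga", "cf", "gq"}

def tld_of(host):
    """Return the lowercase TLD, or "" for IP literals and dotless hosts."""
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return ""
    except ValueError:
        return host.rsplit(".", 1)[-1] if "." in host else ""

def tld_category(host):
    tld = tld_of(host)
    if not tld or tld.startswith("xn--"):
        return "other"  # IP literal, dotless host, or IDN TLD (not resolved here)
    if tld in LEGACY_GTLDS:
        return "legacy_gtld"
    if len(tld) == 2 and tld.isascii() and tld.isalpha():
        return "cctld"  # two-letter ASCII TLDs are country codes
    return "new_gtld"

def summarize(urls):
    """Percent of URLs per TLD category, HTTPS share, and free-ccTLD count."""
    cats, https, free = Counter(), 0, 0
    for url in urls:
        parts = urlsplit(url.strip())
        host = parts.hostname or ""
        cats[tld_category(host)] += 1
        https += parts.scheme == "https"
        free += tld_of(host) in FREE_CCTLDS
    n = len(urls) or 1
    return {"share_pct": {c: round(100 * k / n, 1) for c, k in cats.items()},
            "https_pct": round(100 * https / n, 1), "free_cctld": free}

# Constructed sample feed, not real phishing data.
SAMPLE = ["https://login.example.com/verify", "http://update.sample-one.tk/",
          "https://portal.sample-two.ml/a", "https://bank.sample-three.xyz/",
          "http://192.0.2.10/login", "https://example.org/x",
          "https://accounts.sample-four.co.uk/", "https://example.net/"]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Sites staged on a bare IP address or an internationalized TLD land in the `other` bucket, so they are not silently miscounted as New gTLDs.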

SSL Certificate Validation

In Q1, 94% of identified phishing sites used Domain Validated (DV) SSL Certificates. DV Certificates are the lowest standard of certificate threat actors can acquire, and can be obtained by proving operational control of the domain name. This process may be automated as well as free.
Less than 6% of threat actors abused Organization Validated (OV) Certificates. OV Certificates are validated through a few basic checks and are associated with greater costs.
Only 11 sites had Extended Validation (EV) Certificates in Q1. Rather than threat actors taking the time to acquire credentials for EV Certificates, each observed site was determined to be a once-legitimate, now-compromised webpage.
*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Stacy Shelley. Read the original post at: