By John LaCour | September 14, 2021
Domains are some of the most highly abused tools threat actors use to manipulate victims and execute phishing attacks. In the latest PhishLabs Quarterly Threat Trends & Intelligence report, we break down how actors are abusing Legacy Generic (gTLD) and Country Code (ccTLD) Top-level domains, HTTPS, and free security certificates to target enterprises.
Top-level Domain Abuse
Nearly half of all phishing scams targeting enterprises are using Legacy gTLDs. Within the group, almost 40% of attacks are exploiting .com, making it the most widely-used Legacy gTLD. It is also the most abused TLD overall, despite experiencing a decline of 7.2% when compared to last quarter.
Legacy gTLDs .org and .net were among the top 10 TLDs abused, representing 5.9% and 3.2% of all scams, respectively.
Notably, although the share of ccTLDs used for phishing scams increased to 43% this quarter, the abuse of free ccTLD domain registrations plummeted 39%. Historically, we have seen these five ccTLDs registered through a known free domain provider:
The decrease in abuse of these ccTLDs may be attributed to measures by PhishLabs and others that have improved the detection and mitigation of free domain registration misuse. As a result, free domain registrations may be significantly less profitable or no longer a desirable attack method for bad actors.
Abuse of New gTLDs increased to 8% this quarter. Within the group, .monster was responsible for 2.2% of phishing scams and was the only New gTLD represented in the top 10.
HTTPS vs Non-HTTPS
The majority of all phishing sites continue to use HTTPS. This quarter, 82% of sites used SSL Certificates, slightly down from the beginning of the year. This is the second consecutive quarter where the total number of phishing attacks using SSL has remained consistent, indicating sites hosted on HTTPS are leveling off.
Attacks are being staged with non-HTTPS 18% of the time, demonstrating a slight increase from last quarter. The continued use of non-HTTPS is notable, as websites will present visitors with a negative web browser indicator if SSL or HTTPS certificates are not being used. This indicator alerts users that they may be interacting with a web site over an unsecure connection.
SSL Site Certification
Last quarter, 90.5% of phishing sites used Domain Validated (DV) SSL Certificates. Threat actors continue to primarily install DV certificates because they are easy to acquire and often free.
The number of phishing sites that used Organization Validated (OV) Certificates increased more than 4%, representing 9.51% of SSL Certificates observed. OV Certificates traditionally represent a higher level of website security as there are additional layers of verification required of the domain owner.
Only two phishing sites were observed with Extended Validation (EV) Certificates. In-depth analysis found that threat actors had not acquired these certificates themselves, but rather hacked legitimate sites where the certificates had already been installed.
To learn more, check out the Quarterly Threat Trends & Intelligence Report.