By John LaCour | September 14, 2021

Domains are some of the most highly abused tools threat actors use to manipulate victims and execute phishing attacks. In the latest PhishLabs Quarterly Threat Trends & Intelligence report, we break down how actors are abusing Legacy Generic (gTLD) and Country Code (ccTLD) top-level domains, HTTPS, and free security certificates to target enterprises.

Top-level Domain Abuse

[Figure: Percent of Phish Per TLD (PhishLabs' Quarterly Threat Trends & Intelligence Report)]

Nearly half of all phishing scams targeting enterprises use Legacy gTLDs. Within the group, almost 40% of attacks exploit .com, making it the most widely used Legacy gTLD. It is also the most abused TLD overall, despite a decline of 7.2% compared to last quarter.

Legacy gTLDs .org and .net were among the top 10 TLDs abused, representing 5.9% and 3.2% of all scams, respectively.

Notably, although the share of ccTLDs used for phishing scams increased to 43% this quarter, the abuse of free ccTLD domain registrations plummeted 39%. Historically, we have seen these five ccTLDs registered through a known free domain provider:

  • .ml
  • .tk
  • .ga
  • .cf
  • .gq

The decrease in abuse of these ccTLDs may be attributed to measures by PhishLabs and others that have improved the detection and mitigation of free domain registration misuse. As a result, free domain registrations may be significantly less profitable or no longer a desirable attack method for bad actors.

Abuse of New gTLDs increased to 8% this quarter. Within the group, .monster was responsible for 2.2% of phishing scams and was the only New gTLD represented in the top 10.

[Figure: Top 10 TLDs Abused (PhishLabs' Quarterly Threat Trends & Intelligence Report)]

The majority of all phishing sites continue to use HTTPS. This quarter, 82% of sites used SSL Certificates, slightly down from the beginning of the year. This is the second consecutive quarter in which the total number of phishing attacks using SSL has remained consistent, indicating that the use of HTTPS for phishing sites is leveling off.

Attacks are staged on non-HTTPS sites 18% of the time, a slight increase from last quarter. The continued use of non-HTTPS is notable, as web browsers present visitors with a negative indicator when a site does not use an SSL certificate and HTTPS. This indicator alerts users that they may be interacting with a website over an insecure connection.
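To produce the same kind of breakdown from your own feed of reported phishing URLs, the following added example (not PhishLabs' code or methodology) buckets each URL by TLD category and computes the HTTPS share. The category names, the membership of the legacy gTLD set, and the sample URLs are assumptions made for illustration.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# The five free-registration ccTLDs listed in the article.
FREE_CCTLDS = {"ml", "tk", "ga", "cf", "gq"}
# Assumption: "Legacy gTLD" means the gTLDs that predate the 2012 new-gTLD
# round. The article itself names only .com, .org and .net.
LEGACY_GTLDS = {"com", "net", "org", "info", "biz", "name", "pro", "mobi",
                "edu", "gov", "mil", "int", "aero", "asia", "cat", "coop",
                "jobs", "museum", "tel", "travel", "xxx"}

def tld_class(url):
    """Map one URL to a TLD category (category names are hypothetical)."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:              # e.g. malformed bracketed host
        return "unparsed"
    try:
        ipaddress.ip_address(host)
        return "ip-literal"         # no TLD at all; counted separately
    except ValueError:
        pass
    if "." not in host:
        return "unparsed"           # missing scheme, empty or single-label host
    tld = host.rsplit(".", 1)[1]
    if tld.startswith("xn--") or not tld.isascii():
        return "idn-tld"            # may be ccTLD or gTLD; needs a registry lookup
    if tld in FREE_CCTLDS:
        return "cctld-free"
    if len(tld) == 2 and tld.isalpha():
        return "cctld"              # two-letter ASCII TLDs are country codes
    return "legacy-gtld" if tld in LEGACY_GTLDS else "new-gtld"

def summarize(urls):
    """Percent of URLs per TLD category, plus the percent served over HTTPS."""
    if not urls:
        return {"tld_share": {}, "https_share": 0.0}
    counts = Counter(tld_class(u) for u in urls)
    https = sum(u.strip().lower().startswith("https://") for u in urls)
    pct = lambda n: round(100 * n / len(urls), 1)
    return {"tld_share": {k: pct(v) for k, v in counts.items()},
            "https_share": pct(https)}

# Constructed sample feed for illustration; these are not real indicators.
SAMPLE = ["https://phish-sample-1.com/login", "https://phish-sample-2.com/",
          "http://phish-sample-3.org/a", "https://phish-sample-4.tk/",
          "https://phish-sample-5.de/", "https://phish-sample-6.co.uk/",
          "https://phish-sample-7.monster/", "http://192.0.2.10/verify"]
```

Here `cctld-free` is reported separately from `cctld`; add the two together to get the overall ccTLD share the article quotes.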

SSL Site Certification

[Figure: SSL Certificate Validation (PhishLabs' Quarterly Threat Trends & Intelligence Report)]

Last quarter, 90.5% of phishing sites used Domain Validated (DV) SSL Certificates. Threat actors continue to primarily install DV certificates because they are easy to acquire and often free.

The number of phishing sites that used Organization Validated (OV) Certificates increased more than 4%, representing 9.51% of SSL Certificates observed. OV Certificates traditionally represent a higher level of website security as there are additional layers of verification required of the domain owner.

Only two phishing sites were observed with Extended Validation (EV) Certificates. In-depth analysis found that threat actors had not acquired these certificates themselves, but rather hacked legitimate sites where the certificates had already been installed.

To learn more, check out the Quarterly Threat Trends & Intelligence Report.