
Phishing is not the only method that attackers use against cryptocurrency exchanges and wallets. As noted in the 2021 TLS Telemetry report, malicious Tor exit nodes were also used to strip SSL/TLS connections, which allowed attackers to harvest credentials to cryptocurrency exchanges.

Investigating Attacker Methods

Threat actors frequently refine their techniques to improve the success rates of phishing attacks. Using stolen personal data and encryption and disguising website addresses are all useful methods in the attacker’s toolkit.

Secure Does Not Mean Safe

Using valid TLS certificates allows attackers to lead potential victims into believing the site is secure and therefore “trustworthy.” The use of encrypted phishing sites has steadily increased over the years. This time last year, 72% of fraudulent websites were encrypted; this year that figure has increased to 81% of phishing sites.

Phishing links, delivered via email, text message, or social media, often use redirection, so the initial URL is rarely the final URL the victim lands on. In some cases, the original phishing link uses HTTPS and redirects to an HTTPS website. In other cases, an unencrypted phishing URL actually redirects to an encrypted HTTPS site. Table 1 breaks down the use of encryption across initial phishing URLs and final destination URLs.

Initial link / final destination        Share
HTTPS link with HTTPS destination        46%
HTTP link with HTTPS destination         34%
HTTPS link with HTTP destination          8%
HTTP link with HTTP destination          12%
Table 1. Comparison of initial phishing URL with final URL.

Attackers will always look for the easy route, as many of us do. When it comes to securing their malicious sites, they often take advantage of automated and free services provided by the hosting provider. Google certificate authorities (CAs) account for roughly 8% of certificates and Cloudflare for about 7%. Let’s Encrypt always takes the top spot, however, accounting for an average 41% of certificates used on fraudulent sites.

Disguising URLs

Web browsers are doing a better job of highlighting the actual domain that appears to users. Browser address bars commonly highlight the base domain, such as example.com, while graying out nonessential information, such as the subdomain and path. Despite this, attackers still attempt to confuse and trick victims by including company names, brand names, or keywords somewhere in the URL. Table 2 shows the top 10 most common terms used in the path of a phishing URL.[3]

Term                 Percentage
login                      9.2%
.com                       4.7%
wp-                        4.5%
mail                       3.8%
secure                     2.4%
profile                    2.1%
bank                       1.7%
www.                       1.6%
discovercard.com           1.4%
Facebook                   0.4%
Table 2. Top 10 terms used in phishing URLs to trick victims.

The word login indicates that nearly 10% (though likely more) of phishing sites are targeting credential theft, while the use of www. and .com in the path implies that attackers are hoping that a domain name, such as www.mybank.com in the path, will be enough to fool the victim into thinking they are on their bank’s genuine site. Table 2 shows that one company’s domain name, more than any other, kept showing up in phishing sites: discovercard.com. The use of profile in the path is almost exclusively related to fraudulent Facebook sites.
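As an added illustration of the decoy pattern Table 2 describes (example code written for this page, not from the report or F5 Labs), the check below separates the base domain a browser would highlight from the subdomain and path, then reports any domain-like strings or Table 2 keywords sitting outside the base domain. The hostnames are constructed, the keyword list is taken from Table 2, and the base-domain split is a deliberate simplification (last two labels) that a production check should replace with a Public Suffix List lookup.

```python
import re
from urllib.parse import urlparse, unquote

# Terms the report lists as most common in phishing URL paths (Table 2).
KEYWORD_DECOYS = ("login", "secure", "bank", "mail", "profile", "wp-")
# A domain name written into the subdomain or path (e.g. "www.mybank.com"),
# which has no effect on where the request actually goes.
DOMAIN_DECOY = re.compile(r"(?:www\.)?[a-z0-9-]+\.(?:com|net|org|app)\b")

def registrable_domain(host: str) -> str:
    """Approximate the base domain a browser address bar highlights.
    Assumption/simplification: the last two labels; a production check
    should consult the Public Suffix List so hosts like example.co.uk work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def analyze_url(url: str) -> dict:
    """Collect the signals the report describes: the real base domain, whether
    the link uses TLS (secure is not the same as safe), and any decoys placed
    in the subdomain or path that a victim might mistake for the real site."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    base = registrable_domain(host)
    # Everything left of the base domain is the subdomain (greyed out by browsers).
    subdomain = host[: -len(base)].rstrip(".") if host != base else ""
    path = unquote(parsed.path)
    if parsed.query:
        path += "?" + unquote(parsed.query)
    decoy_zone = f"{subdomain} {path}".lower()

    domain_decoys = [d for d in DOMAIN_DECOY.findall(decoy_zone) if d != base]
    keyword_hits = [k for k in KEYWORD_DECOYS if k in decoy_zone]
    return {
        "base_domain": base,
        "uses_tls": parsed.scheme == "https",
        "domain_decoys": domain_decoys,
        "keyword_hits": keyword_hits,
        # Flag when familiar-looking names sit only outside the base domain,
        # or when several Table 2 keywords are stacked into the path.
        "suspicious": bool(domain_decoys) or len(keyword_hits) >= 2,
    }

if __name__ == "__main__":
    # Constructed sample link in the style the report describes (not a real IoC).
    sample = "https://secure-login.example-hosting.app/www.mybank.com/login/profile"
    print(analyze_url(sample))
```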

Most Abused Top-Level Domains

F5 Labs' 2020 Phishing and Fraud Report noted that .com remained the most frequently abused top-level domain (TLD) by fraudsters, accounting for 51% of all phishing sites. The .net TLD came in second at 3.4%. This year saw some change: the ubiquitous .com TLD still comes in at the top, but its lead has shrunk to just over 45%. A new entry in second place is .app at 7.5% of phishing sites, with .org in third place at 5%.

The 20 TLDs shown in Figure 5 represent 80% of the most frequently abused TLDs out of the list of 415 unique TLDs attackers used.