The 2021 Webroot BrightCloud® Threat Report: 54% of Phishing Sites use HTTPS to Trick Users

  • 20 April 2021
  • 10 replies
The 2021 Webroot BrightCloud® Threat Report: 54% of Phishing Sites use HTTPS to Trick Users
Userlevel 7
Badge +48

The latest Webroot BrightCloud®️ Threat Report is here, and our findings show that cybercriminals are as creative and hardworking as ever. Although 2020 brought countless challenges for businesses and individuals all over the world, it seems to have offered cybercriminals new avenues to scam internet users, steal data, and cause disruption.

But the criminals weren’t the only ones hard at work. Cybersecurity analysts have been clocking overtime to identify and neutralize new threat tactics as quickly as they appear. Operating systems and web browsers are making effective improvements to their built-in security. Security awareness training for employees continues to improve security postures. Nations and companies are working together to break down cybercriminal infrastructure.


Here are some of the highlights from the report

Criminals targeted COVID-19 topics like it was their job (because it kind of is…)



Most of the malicious spam (malspam) emails we’ve seen have used COVID-related phishing lures. The most common lures involved guidelines on how to protect yourself from COVID-19, typically pretending to be from reputable organizations like the CDC, WHO, or even the White House. There were also many lures claiming to offer details on pandemic stimulus money and vaccines.

  • Between February and March, our data showed a 2000% spike in malicious files with ‘zoom’ in their filenames.
  • Phishing jumped 510% from January to February 2020 alone.
  • In March 2020, these services saw massive increases in phishing activity:
    • YouTube: 3,064%
    • HBO: 525%
    • Twitch: 337%
  • From March to July, during the initial lockdown phase in the U.S., phishing URLs targeting Netflix jumped 646%.


Ransomware developments made headlines and broke records


It was truly an astonishing year for ransomware, largely due to growing ransom payment amounts and the newer trend of data extortion.

  • By September 2020, the average ransom payment peaked at $233,817.
  • The attackers who hit Foxconn demanded ~1804 Bitcoin ($34 million at the time) to prevent the stolen data from being disclosed.
  • Malicious actors infected Garmin’s systems with ransomware and demanded (and reportedly received) $10 million to destroy the stolen data.
  • Attackers who infected travel management firm CWT demanded $10 million in ransom (they ultimately received $4.5 million.)


Business email compromise (BEC) is still a big deal, and it got worse with WFH

This type of scam targets commercial, government, and nonprofit organizations by fraudulently representing a senior colleague, IT team member, or a trusted customer. The email typically contains instructions to send money (especially via wire transfer), provide credentials, or release client data. BEC relies heavily on the inherent trust of employees in their members of management, fellow employees, and valued customers.

  • According to the FBI, the Internet Crime Complaint Center (IC3) got 19,369 BEC complaints in 2020.
  • The adjusted losses from BEC attacks reported to IC3 in 2020 were $1.8 billion USD!


Browser-based cryptojacking is dying off, but executable-based mining is on the rise


Unlike browser-based cryptojacking, executable-based cryptojacking can be done on any device that has a processor and an internet connection, including many Internet of Things (IoT) devices, such as routers and smart TVs. Typically, people are unaware that their computers, servers, IoT devices, or other systems are running the malicious executable and have no idea their resources are being used without their consent. If a victim notices the effect of the mining, it’s more likely because their systems slow down and their power bills skyrocket; otherwise, the CPU usage scaling can effectively conceal the compromise.

  • 1.4 million URLs still host cryptojacking scripts. Of these, about half are hosting defunct Coinhive code.

“The number of sites continuing to host defunct malicious code and outdated, highly vulnerable plugins indicates how many website and domain owners do not adequately audit the code they host.” – Cathy Yang, Lead Product Manager


Malware is trending down for now, but threats still abound

  • 86% of malware is unique to a single PC.
  • Attackers are pivoting to exploit Living off the Land Binaries (“LolBins”), which are applications that are already built into Windows®️ operating systems by default, so they rely less on malware.
  • Approximately 1 in 10 malicious sites is hosted on a benign domain.

Learn more about our findings and discover our predictions for the year to come in the full report


10 replies


i wish i went to  MIT ,so i could better  understand the   language.


I like what you are reporting, I hope my computer is protected well with your Internet Security Plus. Just wish I had a better understanding.

Why do I have to submit my details again to download the full report..?  I am a Webroot reseller we are all clearly registered and already logged in to Webroot’s portal - so why register again..?

Surely the report should be available to download directly from this site..?

Userlevel 3

Ransom ware is getting out of hand.Hopefully Webroot will do everything in their power to help with this problem.

Userlevel 7
Badge +48

Cyber crime happens at anytime but the security in Webroot always blank out the cyber criminals. The only hope we have the best assistance from our community :blush:

Thanks! We try and provide as much guidance as we can. 

Userlevel 3

I probably not mention something that is not ransomware, but I heard that they are going to start targeting our cell phones.I say this cause yesterday morning, when I turned on my phone it started flashing the home screen,had to wipe all data.Factory reset, and put all my apps back in.Then it would start flashing again. It took 4 hours before everything started working.

Userlevel 7
Badge +48

Oh that’s interesting. I’m not surprised that they’ll be moving to phones next. It’s where everyone spends their time and more and more people seem to think that you don’t need an AV solution there (which is crazy!) 


Userlevel 7
Badge +63

@freydrew  this is the correct version so that page needs to be updated that you pointed to:

Userlevel 3

I'm happy to have brought this to all our customers,and I have a feeling that hackers will be trying to hack our phones,so heads up on this.

Oh that’s interesting. I’m not surprised that they’ll be moving to phones next. It’s where everyone spends their time and more and more people seem to think that you don’t need an AV solution there (which is crazy!) 


I have a smart phone, however, it is not used with wifi nor do I use it for the internet. Only used as a phone for voice calls, txt, and voice mail. Do I need to worry?