Posting this here because it's really starting to bug me.
I got asked by a friend why he keeps seeing Google Ads that are clones of known exchanges. He sent me a few URLs, and each and every single one was operating not as a clone but as an XSS attack, because the exchanges didn't have the basic security headers set. Some examples of bad offenders:
Binance Header Report: no CSP policy, no XSS blocks, no referrer policy.
MyEtherWallet Header Report: literally embarrassing, doesn't have anything set at all, despite being told in their GitHub repo how to fix it and being given a pull request.
Everyone, be careful, and scan the sites you use before you get ripped off by someone doing a drive-by.
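One way to do the header scan the post recommends, as an added example that is not code from the post, from any header-report service, or from the sites named above. It audits a response's headers for the items the post calls out (Content-Security-Policy, XSS blocks, Referrer-Policy) plus the usual companions (HSTS, X-Content-Type-Options, framing protection), and goes one step further by parsing the CSP itself, since a policy that allows 'unsafe-inline' or '*' for scripts does not actually stop injected script. The three header sets are constructed for the example; `fetch_headers` is a small helper assumed here for live use and is not exercised offline.

```python
"""Audit HTTP response security headers (offline, constructed samples)."""
import urllib.request
from typing import Dict, List

ONE_YEAR = 31536000

# Constructed sample responses (not captured from any real site).
SAMPLE_BARE = {"Content-Type": "text/html; charset=utf-8", "Server": "nginx"}
SAMPLE_WEAK_CSP = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src * 'unsafe-inline'; img-src *",
    "X-XSS-Protection": "1; mode=block",
}
SAMPLE_HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "X-Frame-Options": "DENY",
}


def normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; compare on lower-cased keys."""
    return {k.lower().strip(): v.strip() for k, v in headers.items()}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP into {directive: [sources]}; a repeated directive is ignored, as browsers do."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def csp_findings(policy: Dict[str, List[str]]) -> List[str]:
    """Flag CSP directives that still let injected or third-party script run."""
    findings = []
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append("CSP sets neither script-src nor default-src: script loading unrestricted")
    else:
        low = [s.lower() for s in scripts]
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in low)
        # 'unsafe-inline' is ignored by browsers once a nonce or hash is present.
        if "'unsafe-inline'" in low and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline': injected inline script executes")
        if "*" in low or any(s in ("http:", "https:") for s in low):
            findings.append("script-src allows scripts from any origin")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("CSP lacks object-src (plugin content unrestricted)")
    if "frame-ancestors" not in policy:
        findings.append("CSP lacks frame-ancestors (no clickjacking protection from CSP)")
    return findings


def hsts_max_age(value: str) -> int:
    """Return the max-age of a Strict-Transport-Security header, 0 if absent or malformed."""
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def audit(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = normalize(headers)
    findings: List[str] = []
    policy: Dict[str, List[str]] = {}
    if "content-security-policy" in h:
        policy = parse_csp(h["content-security-policy"])
        findings.extend(csp_findings(policy))
    else:
        findings.append("missing Content-Security-Policy")
    if "strict-transport-security" in h:
        age = hsts_max_age(h["strict-transport-security"])
        if age < ONE_YEAR:
            findings.append(f"HSTS max-age {age} is below one year")
    else:
        findings.append("missing Strict-Transport-Security")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    if "x-frame-options" not in h and "frame-ancestors" not in policy:
        findings.append("no X-Frame-Options and no CSP frame-ancestors")
    return findings


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Live helper (assumed for this example, not run offline): GET a URL and return its headers."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # nosec: caller supplies the URL
        return dict(resp.headers)


if __name__ == "__main__":
    for name, sample in (("bare", SAMPLE_BARE), ("weak-csp", SAMPLE_WEAK_CSP), ("hardened", SAMPLE_HARDENED)):
        print(f"{name}: {audit(sample) or ['OK']}")
```

Note that the weak sample does send `X-XSS-Protection: 1; mode=block`, yet still fails the audit: that header only drives a legacy browser filter, while the CSP that actually governs script execution lets inline and remote scripts through. Checking presence alone, as a header-report grade does, is the first step; reading the CSP is what tells you whether it would have stopped the injected page the post describes.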