Half of all phishing sites display the padlock, making people think they're safe

midian182

TechSpot Editor
Staff member

Google has spent years trying to get more of the web to adopt the HTTPS protocol, in which is data is encrypted using SSL/TLS as it travels between browser and website. Many still believe the presence of a padlock equals trustworthiness, but an increasing number of phishing sites are displaying it.

According to new data from PhishLabs (via Krebs on Security), the 49 percent of phishing websites using SSL is up from 35 percent during the last quarter and 25 percent a year ago. The increase has been put down to the number of phishers who are registering their own domain names and creating certificates for them, as well as Chrome displaying ‘Not Secure’ on sites that lack encryption. Certificate authorities aren’t able to check every site to ensure its legitimacy and many that request these certificates don’t have any content on them at the time.

Back in December last year, a poll carried out by PhishLabs showed that more than 80 percent of responders believed the padlock indicated that a website was either legitimate and/or safe, neither of which is true.

Browser makers are fighting back by working with security firms to identify and block new phishing sites, but some manage to evade being flagged. The safest option is to not input your details if you have any suspicions about a website, even if it does have a padlock.

Permalink to story.

 

Capaill

TS Evangelist
Surely the Certificate authorities could block the creation of certs for any website that contains a legitimate business's name (such as paypal) unless proof of ownership of that business is supplied? If so, make the cert authorities liable for all certs registered by phishing websites and that should eliminate that problem.
 
  • Like
Reactions: Eldritch

Eldritch

TS Maniac
Surely the Certificate authorities could block the creation of certs for any website that contains a legitimate business's name (such as paypal) unless proof of ownership of that business is supplied? If so, make the cert authorities liable for all certs registered by phishing websites and that should eliminate that problem.
Name matching is very hard as every word is registered and most are ssl already.
Even simpler method will be to simply give a new site a Blue or Purple marker to say that the site is 'Under evalution' and all sites should be marked as such for at least three months or 10,000 unique visitors or a combination of both.
So anyone who is visiting a fake site like Amazonoffers2018.com will immediately notice the padlock of different color.
Furhter, for sites under evaluation then can enable a Report Scam option by clicking on padlock. Lets say if 40 unique people report a single new site as fraud then most probably its an scam and may be investigated. Pretty easy to do and straightforward.
 
  • Like
Reactions: Capaill

Badvok

TS Evangelist
Surely the Certificate authorities could block the creation of certs for any website that contains a legitimate business's name (such as paypal) unless proof of ownership of that business is supplied? If so, make the cert authorities liable for all certs registered by phishing websites and that should eliminate that problem.
That's why we have EV certificates these days. You know, the ones that display the company's name next to the padlock. These are the only ones that verify who you are actually connecting to.
 
  • Like
Reactions: Capaill

AsParallel

TS Rookie
Surely the Certificate authorities could block the creation of certs for any website that contains a legitimate business's name (such as paypal) unless proof of ownership of that business is supplied? If so, make the cert authorities liable for all certs registered by phishing websites and that should eliminate that problem.
That's a little impractical. Amazon, for example, is also the name of a large swath of South America. It's also not their job to enforce domains, or have a tap into business registrations across every country and subnational entity that can register businesses or trademarks.

That is also painful easy for corporations to turn into an exploitatively regressive power grab for control of nameservers on the internet. It starts with corporate names and trademarks, then extends to brands, division and even product names and their permutations. Inside of 2 weeks every SEO permutation (I know sites that literally register millions of keyword combinations algorithmically) is on lock by the 10 largest companies.

At some point it just comes down to paying attention, and assuming the smallest margin of responsibility for your own safety. We can't bubble wrap the internet.
 
  • Like
Reactions: SalaSSin

wiyosaya

TS Evangelist
Surely the Certificate authorities could block the creation of certs for any website that contains a legitimate business's name (such as paypal) unless proof of ownership of that business is supplied? If so, make the cert authorities liable for all certs registered by phishing websites and that should eliminate that problem.
IMO, its better to use a DNS that blocks known malware/phishing sites. There is no guarantee that it will be up-to-date; however, the DNSs that block known bad sites are updated constantly. There are several public and free DNSs out there that offer this.
At some point it just comes down to paying attention, and assuming the smallest margin of responsibility for your own safety. We can't bubble wrap the internet.
IMO, for the technically astute, that will work; however, those that are not are the ones most likely to be caught by this type of trap. Unfortunately, gagme's push for HTTPS everywhere has created yet another social engineering opportunity for some really bad people.
 

jobeard

TS Ambassador
Just amazing ignorance! "Many still believe the presence of a padlock equals trustworthiness"

The padlock ONLY means there's an encrypted channel from the user to the website -- and that has ZERO to say about the safety of the site content (and there never has been any formal certification on the content)
 

Eldritch

TS Maniac
Just amazing ignorance! "Many still believe the presence of a padlock equals trustworthiness"

The padlock ONLY means there's an encrypted channel from the user to the website -- and that has ZERO to say about the safety of the site content (and there never has been any formal certification on the content)
Just today an head of accounting told me his story of how he fell prey to classic mobile call scams. He is highly educated but still he got duped.
Not to talk of the regular Joe with no experience or knowledge of banking. People get scammed all the time and generally there is no recourse. Thats why people need to pay start paying attention and have firewall, good AV, avoid chinese phones and always have 2FA for all banking accounts without exception.
 

toooooot

TS Evangelist
If you think about it, feeling safe contributes to your mental health. Thus, even though it is a useless padlock, it isnt useless completely.
 

JohnPent

TS Rookie
We have to get rid of Let's Encrypt and other services that do shared ssl certificates on the fly.

Really, the green lock should only go to corporations that have been in business for a while.

I set up sites all the time with shared ssl certs. I deal with real companies. If I set up malware sites or fraud sites, I could easily get them https. For a few bucks I can get them a green lock verifying nothing of the client.
 

wiyosaya

TS Evangelist
If you think about it, feeling safe contributes to your mental health. Thus, even though it is a useless padlock, it isnt useless completely.
That is certainly the social engineering part of it...
We have to get rid of Let's Encrypt and other services that do shared ssl certificates on the fly.

Really, the green lock should only go to corporations that have been in business for a while.

I set up sites all the time with shared ssl certs. I deal with real companies. If I set up malware sites or fraud sites, I could easily get them https. For a few bucks I can get them a green lock verifying nothing of the client.
Someone would find a way to hack that, too, and make it look like a green lock even if no green lock was warranted.
 
  • Like
Reactions: Clamyboy74

jobeard

TS Ambassador
Just today an head of accounting told me his story of how he fell prey to classic mobile call scams. He is highly educated but still he got duped.
We all fall prey to the social engineering of just a simple ringing telephone:
  1. maybe it's someone I know
  2. maybe it's important
We all need to learn self control!

There's a free and simple way to have a major impact on this

If the caller is NOT in your contacts, DON'T answer the phone -- hit any volume control button stopping the ringing and let the call go to voice mail!
Anyone with a legit reason to call you will leave a message while marketeers and robo callers will not as that can lead to legal Wire Fraud charges.

After several calls w/o any voice messages, BLOCK the caller.