Half of all phishing sites display the padlock, making people think they're safe

midian182

In brief: Most non-tech savvy web users presume that a padlock in the browser bar means a site is legitimate and safe, but that’s far from the reality. New research shows a massive 49 percent of all phishing sites used Secure Sockets Layer protection, and by extension showed the padlock, as of Q3 2018.

Google has spent years trying to get more of the web to adopt the HTTPS protocol, in which data is encrypted using SSL/TLS as it travels between browser and website. Many still believe the presence of a padlock equals trustworthiness, but an increasing number of phishing sites are displaying it.

According to new data from PhishLabs (via Krebs on Security), the 49 percent of phishing websites using SSL is up from 35 percent during the previous quarter and 25 percent a year ago. The increase has been put down to the number of phishers who are registering their own domain names and obtaining certificates for them, as well as Chrome displaying ‘Not Secure’ on sites that lack encryption. Certificate authorities aren’t able to check every site to ensure its legitimacy, and many sites that request these certificates don’t have any content on them at the time.

Back in December last year, a poll carried out by PhishLabs showed that more than 80 percent of respondents believed the padlock indicated that a website was either legitimate and/or safe, neither of which is true.

Browser makers are fighting back by working with security firms to identify and block new phishing sites, but some manage to evade being flagged. The safest option is to not input your details if you have any suspicions about a website, even if it does have a padlock.
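As an added example that is not part of the article or any of the comments, the following Python models what the padlock actually checks (the certificate's name matches the host, plus the CA's validation level read from the CA/Browser Forum policy OIDs) and runs a separate, deliberately naive brand-lookalike heuristic over constructed certificate records, one of them the Amazonoffers2018.com name mentioned in the comments. The functions `assess`, `hostname_matches` and `brand_lookalike` are hypothetical names, and the `policies` key is a constructed addition to the `getpeercert()` dict shape.

```python
"""Added example, not from the article or any commenter: a model of what the
browser padlock verifies next to an unrelated lookalike-domain heuristic.
Certificate records are constructed to mimic ssl.SSLSocket.getpeercert()."""

# CA/Browser Forum certificate-policy OIDs for validation levels (real values).
POLICY_LEVEL = {"2.23.140.1.1": "EV", "2.23.140.1.2.2": "OV", "2.23.140.1.2.1": "DV"}
BRANDS = ("paypal", "amazon")  # brand terms a defender wants to watch for


def hostname_matches(host: str, cert: dict) -> bool:
    """RFC 6125-style check: exact SAN match, or a wildcard covering exactly
    one label in the leftmost position (the rule browsers apply)."""
    host = host.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            parent = host.split(".", 1)[1] if "." in host else ""
            if parent == name[2:]:
                return True
        elif name == host:
            return True
    return False


def brand_lookalike(host: str) -> list:
    """Naive heuristic for newly seen domains: a brand term embedded in the
    registrable name that is not the brand's own domain (false positives included)."""
    registrable = ".".join(host.lower().split(".")[-2:])
    return [b for b in BRANDS if b in registrable and registrable != b + ".com"]


def assess(host: str, cert: dict) -> dict:
    """Padlock = name matches (chain validation assumed done by the TLS stack)
    plus the CA's validation level; the lookalike flag is independent of both."""
    levels = [POLICY_LEVEL[o] for o in cert.get("policies", ()) if o in POLICY_LEVEL]
    return {"padlock": hostname_matches(host, cert),
            "level": levels[0] if levels else "unknown",
            "lookalike": brand_lookalike(host)}


# Constructed records: DV cert for the lookalike named in the comments, EV
# wildcard cert for the real brand, DV cert for an unrelated legitimate site.
CERTS = {
    "amazonoffers2018.com": {"subjectAltName": (("DNS", "amazonoffers2018.com"),), "policies": ("2.23.140.1.2.1",)},
    "www.amazon.com": {"subjectAltName": (("DNS", "*.amazon.com"),), "policies": ("2.23.140.1.1",)},
    "amazon-river-tours.example": {"subjectAltName": (("DNS", "amazon-river-tours.example"),), "policies": ("2.23.140.1.2.1",)},
}

if __name__ == "__main__":
    for host, cert in CERTS.items():
        print(host, assess(host, cert))  # all three get the padlock; two are flagged
```

All three constructed sites earn the padlock, and the lookalike check flags both the phishing-style name and the legitimate river-tour business, which is exactly the false-positive problem the comments raise about name-based blocking.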


 
Surely the Certificate authorities could block the creation of certs for any website that contains a legitimate business's name (such as paypal) unless proof of ownership of that business is supplied? If so, make the cert authorities liable for all certs registered by phishing websites and that should eliminate that problem.
 
Surely the Certificate authorities could block the creation of certs for any website that contains a legitimate business's name (such as paypal) unless proof of ownership of that business is supplied? If so, make the cert authorities liable for all certs registered by phishing websites and that should eliminate that problem.

Name matching is very hard as every word is registered and most are SSL already.
An even simpler method would be to simply give a new site a blue or purple marker to say that the site is 'Under evaluation', and all sites should be marked as such for at least three months or 10,000 unique visitors or a combination of both.
So anyone who is visiting a fake site like Amazonoffers2018.com will immediately notice the padlock of a different color.
Further, for sites under evaluation they can enable a Report Scam option by clicking on the padlock. Let's say if 40 unique people report a single new site as fraud then most probably it's a scam and may be investigated. Pretty easy to do and straightforward.
 
Surely the Certificate authorities could block the creation of certs for any website that contains a legitimate business's name (such as paypal) unless proof of ownership of that business is supplied? If so, make the cert authorities liable for all certs registered by phishing websites and that should eliminate that problem.
That's why we have EV certificates these days. You know, the ones that display the company's name next to the padlock. These are the only ones that verify who you are actually connecting to.
 
Surely the Certificate authorities could block the creation of certs for any website that contains a legitimate business's name (such as paypal) unless proof of ownership of that business is supplied? If so, make the cert authorities liable for all certs registered by phishing websites and that should eliminate that problem.

That's a little impractical. Amazon, for example, is also the name of a large swath of South America. It's also not their job to enforce domains, or have a tap into business registrations across every country and subnational entity that can register businesses or trademarks.

That is also painfully easy for corporations to turn into an exploitatively regressive power grab for control of nameservers on the internet. It starts with corporate names and trademarks, then extends to brands, divisions and even product names and their permutations. Inside of 2 weeks every SEO permutation (I know sites that literally register millions of keyword combinations algorithmically) is on lock by the 10 largest companies.

At some point it just comes down to paying attention, and assuming the smallest margin of responsibility for your own safety. We can't bubble wrap the internet.
 
Surely the Certificate authorities could block the creation of certs for any website that contains a legitimate business's name (such as paypal) unless proof of ownership of that business is supplied? If so, make the cert authorities liable for all certs registered by phishing websites and that should eliminate that problem.
IMO, it's better to use a DNS that blocks known malware/phishing sites. There is no guarantee that it will be up-to-date; however, the DNSs that block known bad sites are updated constantly. There are several public and free DNSs out there that offer this.
At some point it just comes down to paying attention, and assuming the smallest margin of responsibility for your own safety. We can't bubble wrap the internet.
IMO, for the technically astute, that will work; however, those that are not are the ones most likely to be caught by this type of trap. Unfortunately, gagme's push for HTTPS everywhere has created yet another social engineering opportunity for some really bad people.
 
Just amazing ignorance! "Many still believe the presence of a padlock equals trustworthiness"

The padlock ONLY means there's an encrypted channel from the user to the website -- and that has ZERO to say about the safety of the site content (and there never has been any formal certification on the content)
 
Just amazing ignorance! "Many still believe the presence of a padlock equals trustworthiness"

The padlock ONLY means there's an encrypted channel from the user to the website -- and that has ZERO to say about the safety of the site content (and there never has been any formal certification on the content)

Just today a head of accounting told me his story of how he fell prey to classic mobile call scams. He is highly educated but still he got duped.
Not to talk of the regular Joe with no experience or knowledge of banking. People get scammed all the time and generally there is no recourse. That's why people need to start paying attention and have a firewall, good AV, avoid Chinese phones and always have 2FA for all banking accounts without exception.
 
If you think about it, feeling safe contributes to your mental health. Thus, even though it is a useless padlock, it isn't useless completely.
 
We have to get rid of Let's Encrypt and other services that do shared ssl certificates on the fly.

Really, the green lock should only go to corporations that have been in business for a while.

I set up sites all the time with shared ssl certs. I deal with real companies. If I set up malware sites or fraud sites, I could easily get them https. For a few bucks I can get them a green lock verifying nothing of the client.
 
If you think about it, feeling safe contributes to your mental health. Thus, even though it is a useless padlock, it isn't useless completely.
That is certainly the social engineering part of it...
We have to get rid of Let's Encrypt and other services that do shared ssl certificates on the fly.

Really, the green lock should only go to corporations that have been in business for a while.

I set up sites all the time with shared ssl certs. I deal with real companies. If I set up malware sites or fraud sites, I could easily get them https. For a few bucks I can get them a green lock verifying nothing of the client.
Someone would find a way to hack that, too, and make it look like a green lock even if no green lock was warranted.
 
Just today a head of accounting told me his story of how he fell prey to classic mobile call scams. He is highly educated but still he got duped.

We all fall prey to the social engineering of just a simple ringing telephone:
  1. maybe it's someone I know
  2. maybe it's important
We all need to learn self control!

There's a free and simple way to have a major impact on this

If the caller is NOT in your contacts, DON'T answer the phone -- hit any volume control button stopping the ringing and let the call go to voice mail!
Anyone with a legit reason to call you will leave a message while marketeers and robo callers will not as that can lead to legal Wire Fraud charges.

After several calls w/o any voice messages, BLOCK the caller.
 