
More phishing websites are using HTTPS to appear legitimate

By midian182 · 16 replies
Dec 6, 2017
    While the adoption of HTTPS has helped keep internet users’ data secure as it travels between browser and website, an increasing number of phishing schemes are taking advantage of people’s ignorance when it comes to the little green padlock.

    Phishing defense firm PhishLabs published a new report yesterday that shows the rate at which phishing sites are hosted on HTTPS pages is rising significantly faster than overall HTTPS adoption.

    According to Let’s Encrypt, which has issued more than 100 million encryption certificates, 65 percent of pages loaded by Firefox last month used HTTPS, up from 45 percent at the end of 2016. Meanwhile, phishing sites—those that are linked to from phishing emails and texts—use web encryption 24 percent of the time. Just one year ago, less than three percent of these sites used HTTPS, and in 2015 the figure stood at less than one percent.

    While some phishers compromise sites that have already obtained SSL certificates, just as many of these cybercriminals are creating their own HTTPS sites. “An analysis of Q3 HTTPS phishing attacks against PayPal and Apple, the two primary targets of these attacks, indicates that nearly three-quarters of HTTPS phishing sites targeting them were hosted on maliciously-registered domains rather than compromised websites, which is substantially higher than the overall global rate,” writes PhishLabs.

    The main reason phishers are turning to HTTPS is that many people believe the green padlock is a sign of a site’s trustworthiness. The certificate only shows that data is encrypted in transit; it doesn’t mean the website has been secured or is legitimate, and HTTPS sites are no less vulnerable to compromise than non-HTTPS sites.

    As noted by Wired, one of the problems is that certificate authorities aren’t able to check every site to ensure it doesn’t contain phishing or malware attacks. Moreover, many websites that request encryption certificates don’t have any content on them at the time.

    In a poll carried out by PhishLabs in November, more than 80% of the respondents believed the green lock indicated that a website was legitimate or safe, or both, none of which is true.


  2. Uncle Al

    Uncle Al TS Evangelist Posts: 4,206   +2,672

    Now that is VERY disturbing news ......
  3. Kaj Hansen

    Kaj Hansen TS Rookie

    So https now is actually a way to give people a false sense of security and thus it does the opposite of what it has been invented for, namely making the web a safer place.

    I guess it still keeps 75% of the phishing slightly at bay, but a new way of legit website verification is very much needed.
    MalcolmX likes this.
  4. Cycloid Torus

    Cycloid Torus Stone age computing. Posts: 3,565   +950

    "one of the problems is that certificate authorities aren’t able to check every site to ensure it doesn’t contain phishing or malware attacks"

    So, what does?
  5. Burty117

    Burty117 TechSpot Chancellor Posts: 3,323   +1,094

    Bigger companies which have the money can get Extended Validation SSL Certificates, this is where the browser bar goes green and the SSL Cert is only issued once the entire company has been verified (usually a couple of phone calls, several emails from the domain itself, they research your company to check it's valid and then the usual domain verification checks).

    The green tick has NEVER meant a website was safe, only that it was secure (data is encrypted between you and it).
    SalaSSin and MaXtor like this.
  6. VitalyT

    VitalyT Russ-Puss Posts: 4,034   +2,429

    It is as shocking as finding that your fortune teller was wrong.
    fktech and Burty117 like this.
  7. fadingfool

    fadingfool TS Booster Posts: 79   +85

    Doesn't help that there is a Barclays TV advert campaign running in the UK at the moment that implies the green padlock = secure. (https://www.youtube.com/watch?v=GbThUL0aLyk)
    FPSChris likes this.
  8. “Secure” Connection ≠ Safe Connection
  9. MrBlkfx1

    MrBlkfx1 TS Evangelist Posts: 857   +205

    This isn't at all surprising, but still concerning. Although, the tried and true "don't do business with shady websites" still works in this situation. You just can't write off a website as legitimate anymore based purely on an active SSL cert.
  10. senketsu

    senketsu TS Guru Posts: 710   +480

    Ironically this happens with many safety measures. An example is protective gear, such as helmets in USA football. Intended to reduce head injuries (they used to play helmetless), it has actually increased head injuries, as players now feel their head is safe and do things like try to 'smash heads' into their opponent. A quirk of human nature, I suppose.
  11. Squid Surprise

    Squid Surprise TS Evangelist Posts: 2,013   +1,023

    There is a fundamental comprehension problem here.... I can securely give you my money - there can be armed guards, an expensive safe, etc.... But if you are untrustworthy, you can take what I gave you and buy something illegal, unsafe, etc....and never bother giving me my money back....

    The endpoint is always the most important piece of data a user needs to know. Securely giving your money/info/etc to someone nefarious is no better than giving your money to someone "insecurely" (like in a bar over drinks) to a person you actually trust.... In fact, it's far worse!
  12. jobeard

    jobeard TS Ambassador Posts: 12,218   +1,363

    In fact, the padlock means:
    1. the session (end-to-end) is encrypted
    2. the site has created a Certificate which is signed
    Signed by whom - - that's the question! Today, we can create Self-Signed Certs to allow (1) to work.

    Click on the lock: it will show you WHO vouches for the signature. If it's the same as the site, then it's self-signed and is meaningless (aka, untrustworthy).
  13. Burty117

    Burty117 TechSpot Chancellor Posts: 3,323   +1,094

    Self-Signed certificates have, since the dawn of time, always shown up in all browsers as "untrustworthy, only continue if you recognize this site". You have to have the root cert installed on the machine before it can be trusted which, on a normal home PC, is a manual process. The reason certs cost is because you're getting it from a trusted provider whose root cert is already installed on your machine to verify the cert's authenticity.
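    The padlock semantics described in the article and in jobeard's and Burty117's comments above (who vouches for the certificate, and whether that voucher's root is installed locally) can be exercised in code. The following is an added example written for this page; it is not code from the article, from PhishLabs, or from any commenter. It uses only Go's standard crypto/x509 package to mint three certificates on the spot: a self-signed one, one issued by a made-up "Example Root CA" whose root nobody has installed, and the same one after that root has been added to the trust store. The hostname login.example.test and the CA name are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict is what clicking the padlock can tell you; none of the three says anything about the site's honesty.
type Verdict string

const (
	SelfSigned Verdict = "self-signed: issuer equals subject, nobody vouches for it"
	Untrusted  Verdict = "signed by a CA that is not in the local trust store"
	Trusted    Verdict = "chains to an installed root (encrypted, not necessarily legitimate)"
)

var serial int64 // unique serial numbers for the certificates built below

// newCert mints a certificate for name. With parent == nil it signs itself; otherwise
// parent/parentKey sign it (a CA issuing a server certificate). Demo-only: errors panic.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the hostname the browser will check
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// classify answers "signed by whom?" the way a browser does: an issuer equal to the subject
// means self-signed; otherwise a chain must be built to a root in the supplied trust store.
func classify(cert *x509.Certificate, roots *x509.CertPool, host string) Verdict {
	if bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return SelfSigned
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return Untrusted
	}
	return Trusted
}

// Scenario builds the three situations a padlock can hide for host and classifies each.
// Every certificate, including "Example Root CA", is constructed here; no real CA is involved.
func Scenario(host string) map[string]Verdict {
	out := map[string]Verdict{}
	// (1) a self-signed server certificate: anyone can mint one in a second
	self, _ := newCert(host, false, nil, nil)
	out["self-signed"] = classify(self, x509.NewCertPool(), host)
	// (2) a server certificate issued by a CA whose root nobody has installed
	ca, caKey := newCert("Example Root CA", true, nil, nil)
	leaf, _ := newCert(host, false, ca, caKey)
	out["unknown CA"] = classify(leaf, x509.NewCertPool(), host)
	// (3) the same certificate once that root sits in the local trust store
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	out["installed CA"] = classify(leaf, pool, host)
	return out
}

func main() {
	for k, v := range Scenario("login.example.test") {
		fmt.Printf("%-13s -> %s\n", k, v)
	}
}
```

    Running it with `go run` prints one verdict per case. The point worth noticing is the third one: once a root is in the trust store, any certificate chaining to it earns the padlock, which is exactly what a maliciously registered domain with a free domain-validated certificate gets. The chain check tells you the connection is encrypted to whoever holds that domain; it never tells you who that is.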
  14. Altikaka

    Altikaka TS Rookie

    Whatever happened to the PRIVACY / SECURITY that appeared in the context menu?
  15. LeroN

    LeroN TS Enthusiast Posts: 62   +22

    HTTPS doesn't keep your safety and was never intended to do that.
    HTTPS is not a true secure feature like firewall.
    HTTPS helps to keep your privacy only. So even while you are in a private connection you can get malicious software, viruses or be hacked.
    And it doesn't matter what kind of certificate you use. HTTPS is a transport and it works to both sides.
    I think the problem is with the definition of an HTTPS connection as secured, but it should be called private.
    They created the problem themselves.
  16. Potato Judge

    Potato Judge TS Booster Posts: 143   +65

    That's really phishy...
  17. Patrick Nohe

    Patrick Nohe TS Rookie

    It's tough to say it's causal, but between the change to Google's UI and the advent of all these free SSL certificates, phishing is at an all-time high. It's up 74% in Q3, 1.4 million new phishing sites are being created each day and a quarter of them, 25%, are now using HTTPS.

    This really comes down to a problem of poor user education. Users need to know that Secure doesn't mean Safe. Frankly, I think we need to eliminate the indicator for DV completely. If encryption is the new standard, why does it get a special indicator?
