More phishing websites are using HTTPS to appear legitimate

midian182

Staff member

While the adoption of HTTPS has helped keep internet users’ data secure as it travels between browser and website, an increasing number of phishing schemes are taking advantage of people’s ignorance when it comes to the little green padlock.

Phishing defense firm PhishLabs published a new report yesterday that shows the rate at which phishing sites are hosted on HTTPS pages is rising significantly faster than overall HTTPS adoption.

According to Let’s Encrypt, which has issued more than 100 million encryption certificates, 65 percent of pages loaded by Firefox last month used HTTPS, up from 45 percent at the end of 2016. Meanwhile, phishing sites—those that are linked to from phishing emails and texts—use web encryption 24 percent of the time. Just one year ago, less than three percent of these sites used HTTPS, and in 2015 the figure stood at less than one percent.

While some phishers compromise sites that have already obtained SSL certificates, just as many of these cybercriminals are creating their own HTTPS sites. “An analysis of Q3 HTTPS phishing attacks against PayPal and Apple, the two primary targets of these attacks, indicates that nearly three-quarters of HTTPS phishing sites targeting them were hosted on maliciously-registered domains rather than compromised websites, which is substantially higher than the overall global rate,” writes PhishLabs.

The main reason phishers are turning to HTTPS is that many people believe the green padlock is a sign of a site’s trustworthiness. The certificate shows that data is encrypted in transit; it doesn’t mean the website has been secured and is legitimate—they are not any less vulnerable than non-HTTPS sites.

As noted by Wired, one of the problems is that certificate authorities aren’t able to check every site to ensure it doesn’t contain phishing or malware attacks. Moreover, many websites that request encryption certificates don’t have any content on them at the time.

In a poll carried out by PhishLabs in November, more than 80% of the respondents believed the green lock indicated that a website was either legitimate and/or safe, neither of which is true.
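The article's point is that a padlock says nothing about who registered the domain. As an added example (not code from TechSpot or PhishLabs), here is a small Go triage routine that flags links carrying a brand name on a domain the brand does not own, and counts how many of those flagged links used HTTPS, the share the report tracks. The allowlist, the function names Impersonates and Triage, and all sample links are constructed for the example.

```go
package main

import (
	"net/url"
	"strings"
)

// Constructed allowlist: brands the report names and the domains they own.
var brands = []struct {
	name    string
	domains []string
}{
	{"paypal", []string{"paypal.com"}},
	{"apple", []string{"apple.com", "icloud.com"}},
}

// Impersonates reports which brand a link imitates: the brand name appears in
// the host, but the host is not under a domain the brand owns. Scheme is ignored.
func Impersonates(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", false
	}
	host := strings.ToLower(u.Hostname())
	for _, b := range brands {
		if !strings.Contains(host, b.name) {
			continue
		}
		for _, d := range b.domains {
			if host == d || strings.HasSuffix(host, "."+d) {
				return b.name, false // the brand's own site
			}
		}
		return b.name, true // brand name on a domain it does not own
	}
	return "", false
}

// Triage returns the flagged links and how many of them used HTTPS.
func Triage(links []string) (flagged []string, https int) {
	for _, l := range links {
		if _, bad := Impersonates(l); bad {
			flagged = append(flagged, l)
			if strings.HasPrefix(strings.ToLower(l), "https://") {
				https++
			}
		}
	}
	return flagged, https
}
```

A valid certificate never clears a link here: the verdict depends only on the registered domain, which is the one thing the padlock cannot vouch for.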


 
So https now is actually a way to give people a false sense of security and thus it does the opposite of what it has been invented for, namely making the web a safer place.

I guess it still keeps 75% of the phishing slightly at bay, but time for a new way of legit website verification is very much needed.
 
"one of the problems is that certificate authorities aren’t able to check every site to ensure it doesn’t contain phishing or malware attacks"

So, what does?
 
> So https now is actually a way to give people a false sense of security and thus it does the opposite of what it has been invented for, namely making the web a safer place.
>
> I guess it still keeps 75% of the phishing slightly at bay, but time for a new way of legit website verification is very much needed.

Bigger companies which have the money can get Extended Validation SSL Certificates, this is where the browser bar goes green and the SSL Cert is only issued once the entire company has been verified (usually a couple of phone calls, several emails from the domain itself, they research your company to check it's valid and then the usual domain verification checks).

The green tick has NEVER meant a website was safe, only that it was secure (data is encrypted between you and it).
 
Doesn't help that there is a Barclays TV advert campaign running in the UK at the moment that implies the green padlock = secure. (https://www.youtube.com/watch?v=GbThUL0aLyk)
 
This isn't at all surprising, but still concerning. Although, the tried-and-true "don't do business with shady websites" still works in this situation. You just can't write off a website as legitimate anymore based purely on an active SSL cert.
 
> So https now is actually a way to give people a false sense of security and thus it does the opposite of what it has been invented for, namely making the web a safer place.

Ironically this happens with many safety measures. An example is protective gear, such as helmets in USA football. Intended to reduce head injuries (they used to play helmetless), it actually has increased head injuries as players now feel their head is safe, they do things like try to 'smash heads' into their opponent. A quirk of human nature I suppose.
 
There is a fundamental comprehension problem here.... I can securely give you my money - there can be armed guards, an expensive safe, etc.... But if you are untrustworthy, you can take what I gave you and buy something illegal, unsafe, etc....and never bother giving me my money back....

The endpoint is always the most important piece of data a user needs to know. Securely giving your money/info/etc to someone nefarious is no better than giving your money to someone "insecurely" (like in a bar over drinks) to a person you actually trust.... In fact, it's far worse!
 
> The main reason phishers are turning to HTTPS is that many people believe the green padlock is a sign of a site’s trustworthiness. The certificate shows that data is encrypted in transit; it doesn’t mean the website has been secured and is legitimate—they are not any less vulnerable than non-HTTPS sites.

In fact, the padlock means:
  1. the session (end-to-end) is encrypted
  2. the site has created a Certificate which is signed

Signed by whom? That's the question! Today, we can create Self-Signed Certs to allow (1) to work.

Click on the lock: it will show you WHO vouches for the signature. If it's the same as the site, then it's self-signed and is meaningless (aka, untrustworthy).
 
> we can create Self-Signed Certs to allow (1) to work.
>
> Click on the lock: it will show you WHO vouches for the signature. If it's the same as the site, then it's self-signed and is meaningless (aka, untrustworthy).

Self-Signed certificates have, since the dawn of time, always shown up in all browsers as "untrustworthy, only continue if you recognize this site". You have to have the root cert installed on the machine before it can be trusted which, on a normal home PC, is a manual process. The reason certs cost is because you're getting it from a trusted provider whose root cert is already installed on your machine to verify the cert's authenticity.
 
HTTPS doesn't keep you safe and was never intended to do that.
HTTPS is not a true security feature like a firewall.
HTTPS helps to keep your privacy only. So even on a private connection you can get malicious software, viruses or be hacked.
And it doesn't matter what kind of certificate you use. HTTPS is a transport and it works for both sides.
I think the problem is with the definition of an HTTPS connection as secured, but it should be called private.
They created the problem themselves.
 
It's tough to say it's causal, but between the change to Google's UI and the advent of all these free SSL certificates, phishing is at an all-time high. It's up 74% in Q3, 1.4 million new phishing sites are being created each day and a quarter of them, 25%, are now using HTTPS.

This really comes down to a problem of poor user education. Users need to know that Secure doesn't mean Safe. Frankly, I think we need to eliminate the indicator for DV completely. If encryption is the new standard, why does it get a special indicator?
 