Phishing embraces HTTPS, hoping you’ll “check for the padlock”

After a slow-burning romance, HTTPS has recently bloomed into one of security’s great love affairs.

Google is a long-time admirer, and in October Chrome started plastering “not secure” labels in its address bar on many sites that fail to use HTTPS by default, a tactic meant to persuade more website owners to share its enthusiasm.

Facebook, Twitter, and WordPress, meanwhile, have been keen for years, which helps explain EFF figures from early in 2017 estimating that an impressive half of all web traffic was being secured using HTTPS.

So alluring has HTTPS become that it has now acquired suitors it could do without – phishing websites.

According to PhishLabs, a quarter of all phishing sites now use HTTPS, up from a few percent a year ago. Browsers use a colour-coding system to signal the trustworthiness of a site (green padlocks being awarded to sites with an Extended Validation certificate), but a padlock can still appear on a phishing site that has not yet been caught by the browser’s integrated filtering.

Naked Security discussed this issue (and the problem of how sites are verified) in 2015 so it’s not a new worry.

The logical result of the trend PhishLabs has detected is that eventually all websites will use HTTPS, whether they are phishing sites or not, at which point the misunderstanding of the whole padlock system will become apparent: the padlock only means the connection to the domain shown in the address bar is encrypted, not that the site behind it is legitimate.

The dream of an entirely encrypted internet is a noble one but its ubiquity will be a pyrrhic victory if cybercriminals can find easy ways to manipulate it from the inside.

Read the full story over at Naked Security.

This story was summarized by Canadian Fraud News Inc.