Dec 1, 2018
Nearly half of the phishing sites now have SSL credentials, begin with HTTPS, and show the green lock to display the sites are safe, as per new research by PhishLabs.
The number of phishing websites that have SSL credentials has been rising gradually since Q3, 2016 when about 5% of phishing websites were showing the green lock to show a safe connection. The proportion increased to roughly 25% of all phishing sites by this time last year, and by the end of Q1, 2018, 35% of phishing websites had SSL credentials. At the end of Q3, 2018, the proportion had risen to 49%.
It is no shock that so many phishers have chosen to change to HTTPS, as free SSL credentials are easy to get. Most companies have now made the change to HTTPS and it has been drummed into clients to always look for the green lock next to the URL to make certain the connection is safe before any confidential information is disclosed. Some search engines also show the web page is ‘secure’ as well as showing the green lock.
The green lock shows a lot of web users that not only is the site safe, but also that it is safe and genuine, which is certainly not the case. A safe connection doesn’t mean the site is reliable.
A survey carried out by PhishLabs in late 2017 disclosed the level of the confusion. About 80% of surveyed people thought the green lock showed a site was legitimate/safe. Just 18% of respondents to the survey presently identified that the green lock only meant the connection between the browser and the site was safe.
The truth is that the green lock is no assurance that a site is genuine or safe. It only implies that the user’s data is encrypted between their browser and the site so it can’t be interrupted and read by a third party. If the website has been created by a scammer, any information entered through the site can be read by the scammer.
The survey, together with the surge in HTTPS phishing sites, indicate how significant it is for businesses to teach their workers about the correct meaning of the green lock to avoid them falling for phishing cheats.
In addition to beginning with HTTPS and showing the green lock, phishing sites often use stolen branding. They can look the same as the genuine site they are deceiving. The only pointer that the site is not genuine is the URL. However, even the URL can seem identical to the actual site. A lot of phishing sites take benefit of internationalized domain names to make the URLs seem genuine.
Brian Krebs identified one phishing site that deceived the cryptocurrency exchange box and used a nearly identical URL. The only difference being the use of the Vietnamese letter “ỉ” in place of the standard i. The characters are nearly indistinguishable, particularly on a small mobile screen.
Mobile screens also don’t show the complete URL, therefore it is easy to create a subdomain to impersonate the genuine domain, as only this part of the URL is likely to be shown on a mobile screen.