While the adoption of HTTPS has helped keep internet users' data secure as it travels between browser and website, a growing number of phishing schemes are exploiting people's misunderstanding of what the little green padlock actually means.
Phishing defense firm PhishLabs published a new report yesterday showing that the share of phishing sites served over HTTPS is rising significantly faster than overall HTTPS adoption.
According to Let's Encrypt, which has issued more than 100 million certificates, 65 percent of pages loaded by Firefox last month used HTTPS, up from 45 percent at the end of 2016. Meanwhile, phishing sites (the pages linked to from phishing emails and texts) use HTTPS 24 percent of the time. Just one year ago, less than three percent of these sites used HTTPS, and in 2015 the figure stood at less than one percent.
While some phishers compromise sites that already hold TLS certificates, many register their own domains and obtain certificates for them. "An analysis of Q3 HTTPS phishing attacks against PayPal and Apple, the two primary targets of these attacks, indicates that nearly three-quarters of HTTPS phishing sites targeting them were hosted on maliciously-registered domains rather than compromised websites, which is substantially higher than the overall global rate," writes PhishLabs.
The main reason phishers are turning to HTTPS is that many people take the green padlock as a sign that a site is trustworthy. The padlock only shows that the connection is encrypted in transit and that the server holds a certificate for the hostname shown in the address bar; it says nothing about who operates the site, whether the site is legitimate, or whether the server itself has been secured. An HTTPS site is no less likely to host a phishing page or malware than a plain HTTP one.
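To make the point above concrete, here is an added example (written for this article, not code from PhishLabs, Wired or Let's Encrypt) that evaluates a link the way a cautious user or a mail filter should: it ignores whether the scheme is `https` and instead asks whether the registrable domain of the hostname is the brand's real domain. The brand table, the sample links and the `.example` hostnames are constructed for the example (`.example` is a reserved top-level domain, so none of them are real sites), and the two-label domain extraction is a deliberate simplification that a production check would replace with a Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Constructed sample data: the real domain a user expects for each brand.
# A real deployment would maintain this list from the organisation's own inventory.
EXPECTED_DOMAINS = {
    "paypal": "paypal.com",
    "apple": "apple.com",
}


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a hostname.

    Simplification for this example: a production check should consult the
    Public Suffix List so that hosts like 'shop.example.co.uk' are reduced
    to 'example.co.uk' rather than 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    return ".".join(labels[-2:])


def assess_link(url: str, brand: str) -> dict:
    """Describe a link relative to the brand the user thinks they are visiting.

    'encrypted' records whether the link uses HTTPS; note that it plays no part
    in deciding 'matches_brand', which is the only field that answers the
    question "is this really the brand's site?".
    """
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lowercases and strips userinfo/port
    domain = registrable_domain(host)
    expected = EXPECTED_DOMAINS[brand]
    return {
        "encrypted": parts.scheme.lower() == "https",
        "host": host,
        "registrable_domain": domain,
        "matches_brand": domain == expected,
        # Brand name appears somewhere in the hostname, but the registrable
        # domain is someone else's: the classic look-alike lure.
        "brand_name_lure": brand in host and domain != expected,
        # 'https://www.paypal.com@evil.example/' puts the brand in the userinfo
        # part; the browser actually connects to the host after the '@'.
        "userinfo_present": parts.username is not None,
    }


def verdict(url: str, brand: str) -> str:
    """One-line judgement; the padlock (scheme) never changes the answer."""
    r = assess_link(url, brand)
    if r["userinfo_present"]:
        return "suspicious: credentials-style prefix hides the real host " + r["host"]
    if r["matches_brand"]:
        return "expected domain " + r["registrable_domain"]
    if r["brand_name_lure"]:
        return "suspicious: brand name in hostname but domain is " + r["registrable_domain"]
    return "unrelated domain " + r["registrable_domain"]


if __name__ == "__main__":
    # Constructed sample links for the demo.
    samples = [
        ("https://www.paypal.com/signin", "paypal"),
        ("http://www.paypal.com/signin", "paypal"),
        ("https://paypal.com.example/login", "paypal"),
        ("https://secure-paypal.example/", "paypal"),
        ("https://www.paypal.com@evil.example/", "paypal"),
        ("https://appleid.apple.com/", "apple"),
    ]
    for url, brand in samples:
        r = assess_link(url, brand)
        print(f"{'HTTPS' if r['encrypted'] else 'HTTP ':5} {url:45} -> {verdict(url, brand)}")
```

Run as a script, the output shows the HTTP link to the brand's real domain judged as the expected domain and the three HTTPS look-alikes judged suspicious, which is exactly the inversion of what the padlock suggests to most users.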
As noted by Wired, one of the problems is that certificate authorities are not in a position to check every site for phishing or malware content. Domain-validated certificates, the kind Let's Encrypt issues, are granted automatically to anyone who proves control of a domain name, and many domains that request a certificate have no content on them at all at the time, so there is nothing to inspect even if a CA wanted to.
In a poll carried out by PhishLabs in November, more than 80% of respondents believed the green lock indicated that a website was legitimate, safe, or both. It indicates neither.