As more and more sites switch to HTTPS, the number of phishing sites hosted on HTTPS domains is also increasing.
“In the third quarter of 2017, we observed nearly a quarter of all phishing sites hosted on HTTPS domains, nearly double the percentage we saw in the second quarter. A year ago, less than three percent of phish were hosted on websites using SSL certificates. Two years ago, this figure was less than one percent,” PhishLabs’ threat intelligence manager Crane Hassold shared.
The reasons behind this switch are several. For one, as phishers often compromise sites to host the phishing pages, it stands to reason that with the increase of legitimate HTTPS domains there will also be an increase of compromised HTTPS sites.
Secondly, as it got much easier, quicker and cheaper to get SSL certificates, criminals are taking advantage of the situation to equip their phishing domains with HTTPS.
“Although a vast majority of SSL certificates used in HTTPS phishing attacks are obtained for free from services like Let’s Encrypt or Comodo, their use is notable because, technically, they aren’t necessary to create the phishing site. Without an SSL certificate, the phishing page would still function as intended,” Hassold pointed out.
“So why would a threat actor take an extra step to create an HTTPS page when it is not actually needed? The answer is because phishers believe that the ‘HTTPS’ designation makes a phishing site seem more legitimate to potential victims and, thus, more likely to lead to a successful outcome. And unfortunately, they’re right.”
Too many users don’t know that the presence of HTTPS only means that the communication between their browser and the website is encrypted. They believe that seeing a green padlock and HTTPS before a domain name means that the site itself is secure (i.e. safe for use = legitimate and not compromised).
The fact that browsers like Google Chrome label websites with SSL certificates as “Secure” in the URL bar doesn’t help to dispel that assumption.