Almost half of phishing sites now have SSL/TLS certificates, are served over HTTPS, and display the green padlock that browsers use to show the connection is encrypted, according to new research by PhishLabs.
The proportion of phishing websites with SSL certificates has been increasing steadily since Q3 2016, when around 5% of phishing websites displayed the green padlock. The percentage had risen to approximately 25% by this time in 2017, and by the end of Q1 2018, 35% of phishing websites had SSL certificates. By the end of Q3 2018, the figure had reached 49%.
It is no surprise that so many phishers have moved to HTTPS. Free SSL certificates are easy to obtain, and a domain-validated certificate only proves that the applicant controls the domain name, not who they are. Most legitimate businesses have now made the switch to HTTPS, and consumers have been told for years to look for the green padlock next to the URL before entering any sensitive information. Some browsers reinforce this by labelling the page ‘Secure’ next to the padlock.
To many web users the green padlock signals not only that the connection is secure but that the site itself is safe and legitimate. It signals no such thing: a secure connection says nothing about who is on the other end of it.
A survey conducted by PhishLabs in late 2017 revealed the extent of the confusion. Around 80% of respondents believed the green padlock meant a site was legitimate or safe. Only 18% correctly identified that the padlock means only that the connection between the browser and the site is secure.
The reality is that the green padlock is no guarantee that a site is legitimate or safe. It means only that traffic between the user’s browser and the site is encrypted, so it cannot be intercepted and read by a third party in transit. If the site was set up by a scammer, the scammer is the intended recipient of that traffic: every password or card number typed into the form is decrypted and read at the other end, exactly as it would be on the real site.
The survey, taken together with the rise in HTTPS phishing sites, shows how important it is for companies to teach their employees what the green padlock actually means, so that its presence is not treated as a reason to trust a page.
Besides using HTTPS and displaying the green padlock, phishing sites routinely use stolen branding and can look identical to the legitimate site they spoof. Often the only indicator that the site is not genuine is the URL, and even the URL can be made to look identical to the real one: many phishing sites use internationalized domain names (IDNs) so that the address appears legitimate.
Brian Krebs identified one phishing site that spoofed the cryptocurrency exchange bibox using a virtually identical URL; the only difference was the Vietnamese letter “ỉ” in place of the standard “i”. The two characters are virtually indistinguishable, especially on a small mobile screen.
Mobile browsers also truncate long URLs, typically showing only the left-most part of the hostname. An attacker can therefore put the legitimate domain name in the subdomain of a hostname under an unrelated domain they control, and that left-most part is all the user is likely to see on a mobile screen.
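The look-alike and subdomain tricks described above can be caught mechanically before a URL reaches a user. The following Python script is an added example, not code from the PhishLabs report or from Brian Krebs’s write-up. It takes a URL, decodes any punycode (xn--) labels to the form a browser would display, flags non-ASCII and mixed-script labels, folds each label to an ASCII “skeleton” (stripping diacritics such as the hook above “ỉ” and mapping a small assumed subset of Cyrillic confusables) to compare it against a brand watch-list, and flags a brand name that appears only as a subdomain of an unrelated registrable domain. The brand list, the sample URLs and the confusables subset are constructed for the example, and treating the last two labels as the registrable domain is a simplifying assumption; a real deployment would use the Public Suffix List and the full Unicode confusables table.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed watch-list of brands to protect (the text's example is bibox).
BRANDS = {"bibox"}

# Assumed, illustrative subset of Unicode confusables: Cyrillic letters that
# render like Latin ones. The full table is UTS #39 "confusables.txt".
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}


def script_of(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def skeleton(label):
    """Fold a label to the ASCII string it visually resembles: map known
    confusables, decompose (NFD), drop combining marks, then lowercase.
    'bỉbox' -> 'bibox' because U+1EC9 decomposes to 'i' + U+0309 (hook above)."""
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    decomposed = unicodedata.normalize("NFD", mapped)
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn").lower()


def displayed_host(host):
    """Return the hostname as a browser would display it: punycode (xn--) labels
    decoded to Unicode, everything lowercased, trailing dot removed."""
    host = host.rstrip(".").lower()
    if not host.isascii():
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:  # malformed punycode: keep the raw form for inspection
        return host


def analyse_url(url, brands=BRANDS):
    """Return a list of human-readable findings for a URL (empty if it looks clean)."""
    host = displayed_host(urlsplit(url).hostname or "")
    labels = host.split(".")
    findings = []
    for lab in labels:
        if not lab.isascii():
            puny = lab.encode("idna").decode("ascii")
            findings.append(f"non-ASCII label {lab!r} (punycode {puny})")
        scripts = {script_of(ch) for ch in lab if ch.isalpha()}
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label {lab!r}")
        for brand in brands:
            if skeleton(lab) == brand and lab != brand:
                findings.append(f"label {lab!r} is a look-alike of brand {brand!r}")
    # Assumption: no Public Suffix List here, so the registrable domain is taken
    # to be the last two labels. A brand that appears only to the left of it is
    # the subdomain trick that a truncated mobile address bar hides.
    if len(labels) > 2:
        registrable = ".".join(labels[-2:])
        for brand in brands:
            if skeleton(labels[-2]) != brand and any(skeleton(l) == brand for l in labels[:-2]):
                findings.append(f"brand {brand!r} appears only as a subdomain of {registrable!r}")
    return findings


# Constructed sample URLs: a genuine-looking one, the Vietnamese-i homograph from
# the text, a Cyrillic-i homograph, and the brand-in-subdomain trick.
SAMPLES = [
    "https://bibox.com/login",
    "https://b\u1ec9box.com/login",
    "https://b\u0456box.com/login",
    "https://bibox.com.secure-login-example.net/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample)
        for finding in analyse_url(sample) or ["no findings"]:
            print("   ", finding)
```

Note that the Vietnamese “ỉ” case is caught by the diacritic-stripping step alone, not by the mixed-script check, since the character is Latin: a filter that only looks for mixed scripts misses it. The punycode form is what shows up in certificate transparency logs and DNS, so the decode step matters when the input comes from those feeds rather than from a user’s address bar.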