The past few years have seen many businesses transition from HTTP to HTTPS websites, but HTTPS phishing websites have similarly increased. A green padlock next to the URL indicates that the connection to the website is secure and that traffic between the browser and the website is encrypted, but it does not mean the website is legitimate.
All HTTPS means is the connection between the user and the website is secure and any data transferred between the two cannot be intercepted and read. A survey conducted by PhishLabs last month suggested 80% of consumers believe that if a website has a green padlock and starts with HTTPS it is secure and/or legitimate.
PhishLabs also notes that cybercriminals are embracing HTTPS. A recent PhishLabs report showed that HTTPS phishing websites are increasing faster than legitimate HTTPS websites. Of the hyperlinks in phishing emails analyzed by PhishLabs, 24% pointed to HTTPS phishing websites. Last year, the percentage of phishing links that directed users to HTTPS websites was less than 3%.
Phishers may register their own websites, but it is also common for them to gain access to legitimate websites and load phishing kits onto webpages. There is approximately a 50/50 spread between compromised websites and phishing sites registered by cybercriminals.
HTTPS phishing websites give the illusion of security, and while the use of HTTPS is not necessary to scam users, it can increase the likelihood of users divulging their credentials. Take two of the most commonly abused brands: Apple and PayPal. Phishing emails that appear to have been sent from those two companies direct users to HTTPS sites 75% of the time, according to PhishLabs threat intelligence manager Crane Hassold. Consumers know that those brands use HTTPS on their websites, so phishers similarly use HTTPS to add legitimacy to their scams.
PhishMe has similarly noticed a rise in HTTPS phishing websites. As PhishMe threat intelligence manager Brendan Griffin explained, HTTPS does not mean websites are safe. “The HTTPS connection ensures that the data is encrypted when it is transmitted, but forged pages that falsely replicate an organization send the information to a criminal instead of the legitimate organizations.”
Unfortunately, certificate authorities are unable to check every website to make sure that it is not being used to spread malware or phish for sensitive information. Often, when a certificate is requested, the website is new and has not yet had any content uploaded, so the encryption certificate is issued before any malicious content appears.
Given the rise in HTTPS phishing websites, users should be wary even if websites are encrypted. HTTPS and a green padlock are no guarantee that a website is free of malicious or inauthentic content.