The Q3 2017 Phishing Activity Trends Report from the Anti-Phishing Working Group (APWG) has revealed the extent to which cybercriminals are abusing Hypertext Transfer Protocol Secure (HTTPS) in phishing campaigns.
Websites using HTTPS encrypt the connection between the website and browser to prevent man-in-the-middle attacks. There has been a major transition from HTTP to HTTPS by online retailers and other businesses to provide an additional level of security and ensure consumers can enter sensitive information such as passwords and credit card details securely on their sites.
Over the past two years there has been major coverage in the popular press of the need to ensure that websites start with HTTPS and have a green padlock indicating they are secure before sensitive information is entered. However, many consumers have been led to believe that if a website starts with HTTPS it is secure and genuine. While the first point is certainly true, the second is not guaranteed. Cybercriminals have also been embracing HTTPS and using the illusion of security to obtain sensitive information.
For its report, the APWG used data collected by PhishLabs. PhishLabs, a contributing member of APWG, analyzed 54,631 unique phishing websites during Q3 2017 and found that almost 25% of phishers have also transitioned to HTTPS. In many cases they have obtained free HTTPS encryption certificates, allowing them to execute their phishing attacks. To put the 25% figure into perspective, this time last year the percentage of phishing sites that used HTTPS was just 3%. As the availability of free HTTPS certificates expands, the percentage will certainly rise.
There is a general trend for website owners to move to HTTPS, partially fueled by search engines such as Google announcing that HTTP sites will be flagged as insecure. However, PhishLabs notes that in its analysis of HTTPS phishing attacks in 2017 against two of the most commonly attacked brands, three quarters of the phishing sites used to target those brands were hosted on maliciously registered HTTPS sites.