Study finds half of phishing sites now use SSL protection to trick users
A new study from security firm PhishLabs Inc. has found that nearly half of all phishing sites now deploy Secure Sockets Layer protection, complete with a padlock icon in the browser bar, in an attempt to give people a false sense of protection.
Detailed today by security researcher Brian Krebs, the report found that 49 percent of phishing sites started with “https://” in the third quarter, up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018.
The move towards secure sites is attributed to a belief that many internet users have taken the “look for the lock” advice to mean that a padlock is a sign a site is safe. A previous survey is said to have found that 80 percent of respondents believed a green lock indicated a website was legitimate and/or safe.
Although it’s sound advice to check that a site is secure when undertaking transactions online, any site can employ SSL encryption. The number of sites doing so has also increased exponentially after Google LLC decided in July to mark any site not served over HTTPS as not secure, as well as ranking those sites down in its search results.
Paul Bischoff, privacy advocate at Comparitech.com, told SiliconANGLE that the study goes to show that there’s no one way to identify a phishing website.
“Making sure the site has a valid SSL certificate indicated by HTTPS and a padlock in the URL bar is just one step,” Bischoff explained. “Users should also look for character replacement (‘punycode’), subdomains and other inconsistencies in a site’s real URL and web page. You can usually find the real site by Googling the company name, then check it against the suspected phishing URL.”
Bischoff noted that the PhishLabs study brings up an interesting discussion about the role of certificate authorities and browser makers.
“Certificate authorities like Let’s Encrypt make the web safer by making it cheap and easy for websites to use HTTPS, but they also lower the barrier for criminals,” Bischoff said. “HTTPS instills trust in site visitors, so some argue certificate authorities should vet who they sell SSL certificates to. On the other hand, many experts argue that browser makers misrepresent what HTTPS accomplishes: encryption and authentication. It does not necessarily verify that the website owner is a legitimate entity.”
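The URL checks Bischoff describes can be partly automated. The following Python function is an added example, not code from PhishLabs, Krebs or the original article: it flags punycode labels and a trusted domain name that appears in a hostname without being the actual domain. The domain `examplebank.test`, the function name and all sample URLs are constructed for illustration, and every sample uses HTTPS to show that the scheme alone distinguishes nothing.

```python
from urllib.parse import urlsplit

TRUSTED = "examplebank.test"  # assumption: the domain the user actually expects

# Constructed sample URLs (reserved .test/.example names, not real sites).
GENUINE = "https://login.examplebank.test/signin"
SPOOF_SUBDOMAIN = "https://examplebank.test.account-verify.example/signin"
# Homograph label built inline: Latin "a" replaced by Cyrillic U+0430.
SPOOF_HOMOGRAPH = ("https://xn--"
                   + "ex\u0430mplebank".encode("punycode").decode("ascii")
                   + ".test/signin")


def inspect_url(url, trusted=TRUSTED):
    """Return findings for url; an empty list means no check fired."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    findings = []

    # Check 1: punycode ("xn--") labels can hide look-alike characters.
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                shown = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                shown = "<undecodable>"
            findings.append(("punycode", label, shown))

    # Check 2: the trusted name appears in the hostname, but the host is
    # neither the trusted domain nor one of its subdomains.
    genuine = host == trusted or host.endswith("." + trusted)
    if not genuine and trusted in host:
        findings.append(("brand-in-hostname", host, trusted))

    return findings


if __name__ == "__main__":
    for sample in (GENUINE, SPOOF_SUBDOMAIN, SPOOF_HOMOGRAPH):
        print(sample.encode("ascii").decode(), inspect_url(sample))
```

An empty result only means these two checks did not fire; it does not establish that a site is legitimate.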