A massive effort to encrypt web traffic over the last few years has made green padlocks and “https” addresses increasingly common; more than half the web now uses internet encryption protocols to keep data protected from prying eyes as it travels back and forth between sites and browsers. But as with any sweeping reform, the progress also comes with some new opportunities for fraud. And phishers are loving HTTPS.
On Tuesday, the phishing research and defense firm PhishLabs published new analysis showing that phishers have been adopting HTTPS more and more often on their sites. When you get a phishing email or text, the sites they lead to—that try to trick you into entering credentials, personal information, and so on—implement web encryption about 24 percent of the time now, PhishLabs found. That’s up from less than three percent at this time last year, and less than one percent two years ago.
Some phishing sites come by HTTPS only incidentally, or as an added bonus. Phishers often hijack legitimate sites for their own uses, so the more HTTPS is deployed around the web overall, the more likely a that a phisher might compromise a site that implements it. But PhishLabs notes that phishers create their own sites almost as often as they steal those of others. In those cases, phishers actively chose to implement web encryption. The green padlock lends legitimacy, a patina of security that helps trick web users into trusting a site and giving up their valuable information.
“In two extremely prevalent types of phishes targeting PayPal and Apple, about 75 percent were using HTTPS sites,” says Crane Hassold, a threat intelligence manager at PhishLabs who worked on the research. “The attackers are making that choice even though this is not needed to complete the crime.”
Other researchers see the trend as well. During a 24-hour period this month, the anti-phishing firm PhishMe observed and analyzed over 200 examples of phishing pages that were using HTTPS. “The HTTPS connection ensures that the data is encrypted when it is transmitted, but forged pages that falsely replicate an organization send the information to a criminal instead of the legitimate organizations,” says Brendan Griffin, a threat intelligence manager and malware analyst at PhishMe.
Some Like It HTTPS
Web giants like Google have led a big push over the last few years to promote and even require HTTPS. And the non-profit Internet Security Research Group has been offering free verification certificates, which a site need for HTTPS to work, through its Let’s Encrypt initiative since last year. Let’s Encrypt, which is known as a “certificate authority” because it verifies web servers to implement encryption, has now issued more than 100 million certificates.
‘The fact that they’re taking a little bit of extra time to do it means it’s worthwhile to them.’
Crane Hassold, PhishLabs
These collective efforts have been paying off. In April 2016, 42 percent of page loads on the Firefox browser were to encrypted sites. In January the number hit 50 percent, and it’s now up to an impressive 67 percent. But advocates have long known that the privacy and security gains would come with some detrimental side effects.
“HTTPS is taking off at a rate that I think is really unprecedented for any change on the web,” says Josh Aas, the executive director of ISRG. “The whole web becoming encrypted is really, really good for people. And of course the bad guys are going to follow along down that trend, that’s to be expected, but in the overall picture the situation is much better than it was.”
Certificate authorities like ISRG argue that their scope is too limited to meaningfully police the web. They don’t have the resources, means, or opportunity to screen sites for attacks like phishing or malware. Besides, a site often won’t have any content on it at all yet when a domain owner requests an encryption certificate. And even if certificate authorities did have the resources and expertise to make content-based decisions, they don’t have the ability to really penalize sites. Revoking an HTTPS certificate doesn’t take a site down or remove abusive content.
PhishLabs’ Hassold notes also that the real problem anyway isn’t phishers getting a certificate and implementing HTTPS; it’s the green padlock they gain that then gives consumers a false sense of security. Where the padlock simply indicates that traffic between the server and the user’s browser is encrypted and protected against interception, consumers often assume that a green padlock means that the site is more generally secure.
“The messaging from the security community has been so mixed that a lot of internet users believe that a green padlock means a site is safe and legitimate when it actually doesn’t,” Hassold says. “So that’s why we’re seeing the big explosion of HTTPS phish. The phishers don’t have to get an SSL certificate, but the fact that they’re taking a little bit of extra time to do it means it’s worthwhile to them.”
And though the green padlock has essentially been the mascot of the HTTPS movement over the last few years, Aas agrees that it’s too reductive. “The problem with the green lock is that it really over-promises,” he says. “I don’t think that browsers should be showing the green lock when a webpage is merely encrypted with HTTPS. I think it’s misleading and inappropriate. What I would rather is when a website has HTTPS you should see nothing, and without HTTPS your browser should indicate that there’s a problem. You have to replace the carrot with a stick.”
For the average internet user, the important thing is still following the basic steps to avoid being drawn in by phishing schemes. And don’t assume that any page that has HTTPS contains legitimate and authentic content. It’s a green padlock, not a silver bullet.