APWG research indicates that 25% of phishing sites are now abusing HTTPS security certificates
March 2018 by APWG
The APWG warns that cybercriminals are using HTTPS, an important Internet security protocol, to fool victims into thinking that phishing sites are safe to use. According to the APWG’s Q3 2017 Phishing Activity Trends Report, 25 percent of phishers are using HTTPS on their phishing Web sites to trick users into “securely” entering their usernames and passwords. APWG anticipates that this usage is going to continue to climb as the availability of free website HTTPS certificates expands.
Hypertext Transfer Protocol Secure (HTTPS) encrypts data exchanged between a browser and the web site server to which the user is connected, and has traditionally been used to secure online sales and password-protected accounts. The mere presence of HTTPS (with its pert and assuring green lock symbol) does not indicate that a site is legitimate: the site may still be employed for phishing or any other felonious enterprise, and many Internet users do not know this.
APWG contributing member PhishLabs examined 54,631 unique phishing sites (attacks) that occurred in the third quarter of 2017, and found that almost a quarter were protected by HTTPS. "Just a year before, less than three percent of phish were hosted on websites using SSL certificates," said Crane Hassold, Threat Intelligence Manager at PhishLabs.
Hassold allowed that while some of the rise is due to generally increased deployment of HTTPS across the Internet, “An analysis of third-quarter 2017 HTTPS phishing attacks against two of the most phished brands indicates that nearly three-quarters of HTTPS phishing sites targeting them were hosted on maliciously-registered domains rather than compromised web sites. That’s substantially higher than the overall HTTPS global usage rate,” Hassold observed.
In some cases, the phishers are obtaining free HTTPS encryption certificates in order to execute these attacks. Other free Internet services also continue to enable abuse, said Jonathan Matkowsky, Vice President of IP and Brand Security at RiskIQ. “For example, 21 percent of phishing sites across the new top-level domains were because a Russian hosting company in Saint Petersburg offered temporary free hosting on its own .TECH domain. Criminals will continue to take advantage of such free infrastructure.”
Research presented at APWG’s research conference over the years and published in a number of peer-reviewed journals has probed the cognitive aspects of cybercrime that point to the UX and animating technology architecture as well as endogenous user psychology as causes of users’ failure to recognize danger-laden situations online. Legion are the APWG members and conference delegates who have raised the question – or article of faith? – that ICT users are being conditioned to be phished by the online experiences in which they participate.
This year’s call for papers has been announced here: https://apwg.org/apwg-events/ecrime2018/.
Peter Cassidy, founder of the APWG Symposium on Electronic Crime Research (eCrime) and APWG secretary general, said, “It’s clear that some Web-borne security signaling may be so ambiguous as to be helpful to phishers, giving users false assurances that their traps are trustworthy. The question it suggests is: should visual conventions employed in the Web-user experience be reconsidered around some standards of ease-of-use and/or tested for fitness for purpose?”
The full report is linked here: http://docs.apwg.org/reports/apwg_t....