Phishers Are Using HTTPS to Assure Users That Phishing Sites Are ‘Safe’

APWG research indicates that 25% of phishing sites are now abusing HTTPS security certificates

CAMBRIDGE, Mass. -- The APWG warns that cybercriminals are using HTTPS, an important Internet security protocol, to fool victims into thinking that phishing sites are safe to use. According to the APWG’s Q3 2017 Phishing Activity Trends Report, 25 percent of phishers are using HTTPS on their phishing Web sites to trick users into “securely” entering their usernames and passwords. APWG anticipates that this usage is going to continue to climb as the availability of free website HTTPS certificates expands.

The full report is linked here: http://docs.apwg.org/reports/apwg_trends_report_q3_2017.pdf.

The Hypertext Transfer Protocol Secure (HTTPS) protocol encrypts data exchanged between a browser and the web site server to which the user is connected, and has traditionally been used to secure online sales and password-protected accounts. The mere presence of HTTPS (with its pert and assuring green lock symbol) does not indicate that the site is free of phishing or any other felonious enterprise, and many Internet users do not know this.

APWG contributing member PhishLabs examined 54,631 unique phishing sites (attacks) that occurred in the third quarter of 2017, and found that almost a quarter were protected by HTTPS. "Just a year before, less than three percent of phish were hosted on websites using SSL certificates," said Crane Hassold, Threat Intelligence Manager at PhishLabs.

Hassold allowed that while some of the rise is due to generally increased deployment of HTTPS across the Internet, “An analysis of third-quarter 2017 HTTPS phishing attacks against two of the most phished brands indicates that nearly three-quarters of HTTPS phishing sites targeting them were hosted on maliciously-registered domains rather than compromised web sites.

“That’s substantially higher than the overall HTTPS global usage rate,” Hassold observed.

In some cases, the phishers are obtaining free HTTPS encryption certificates in order to execute these attacks. Other free Internet services also continue to enable abuse, said Jonathan Matkowsky, Vice President of IP and Brand Security at RiskIQ. “For example, 21 percent of phishing sites across the new top-level domains were because a Russian hosting company in Saint Petersburg offered temporary free hosting on its own .TECH domain. Criminals will continue to take advantage of such free infrastructure.”

Research presented at APWG’s research conference over the years and published in a number of peer-reviewed journals has probed the cognitive aspects of cybercrime, pointing to the UX and animating technology architecture, as well as endogenous user psychology, as causes of users’ failure to recognize danger-laden situations online. Legion are the APWG members and conference delegates who have raised the question – or article of faith? – that ICT users are being conditioned to be phished by the online experiences in which they participate.

This year’s call for papers has been announced here: https://apwg.org/apwg-events/ecrime2018/.

Peter Cassidy, founder of the APWG Symposium on Electronic Crime Research (eCrime) and APWG secretary general said, “It’s clear that some Web-borne security signaling may be so ambiguous as to be helpful to phishers, giving users false assurances that their traps are trustworthy. The question it suggests is: should visual conventions employed in the Web-user experience be reconsidered around some standards of ease-of-use and/or tested for fitness for purpose?”

About the APWG

The APWG, founded in 2003 as the Anti-Phishing Working Group, is the global industry, law enforcement, and government coalition focused on unifying the global response to electronic crime. Membership is open to qualified financial institutions, online retailers, ISPs and Telcos, the law enforcement community, solutions providers, multi-lateral treaty organizations, research centers, trade associations and government agencies. There are more than 2,200 companies, government agencies and NGOs participating in the APWG worldwide. The APWG's <www.apwg.org> and <education.apwg.org> websites offer the public, industry and government agencies practical information about phishing and electronically mediated fraud as well as pointers to pragmatic technical solutions that provide immediate protection. The APWG is co-founder and co-manager of the Stop. Think. Connect. Messaging Convention, the global online safety public awareness collaborative <https://education.apwg.org/safety-messaging-convention/> and founder/curator of the eCrime Researchers Summit, the world’s only peer-reviewed conference dedicated specifically to electronic crime studies <www.ecrimeresearch.org>. APWG advises hemispheric and global trade groups and multilateral treaty organizations such as the European Commission, the G8 High Technology Crime Subgroup, Council of Europe's Convention on Cybercrime, United Nations Office of Drugs and Crime, Organization for Security and Cooperation in Europe, Europol EC3 and the Organization of American States. APWG is a member of the steering group of the Commonwealth Cybercrime Initiative at the Commonwealth of Nations. 
Among APWG's corporate sponsors are: AhnLab, Area 1, AT&T (T), Afilias Ltd., Avast!, AVG Technologies, Axur, Baidu Antivirus, Bangkok Bank, BBN Technologies, Barracuda Networks, Bandura Networks, BillMeLater, Bkav, Blue Coat, BrandMail, BrandProtect, Bsecure Technologies, CSC Digital Brand Services, Check Point Software Technologies, Claro, Cloudmark, Comcast, CrowdStrike, CSIRTBANELCO, Cyber Defender, CYREN, Cyveillance, DNS Belgium, DigiCert, Domain Tools, Donuts, Duo Security, Easy Solutions, PayPal, eCert, EC Cert, ESET, EST Soft, Facebook, FeelSafe Digital, FEBRABAN, Fortinet, FraudWatch International, F-Secure, GetResponse, GlobalSign, GoDaddy, Google, Hauri, Hitachi Systems, Ltd., Huawei, ICANN, Identity Guard, Infoblox, IronPort (Cisco), Intel (INTC), Interac, IT Matrix, iThreat Cyber Group, iZOOlogic, KnowBe4, LaCaixa, Lenos Software, LookingGlass, MX Tools, MailChannels, MailJet, MailChimp, MailShell, MailUp, MarkMonitor (TRI), Melbourne IT, MessageLevel, Microsoft (MSFT), MicroWorld, Mimecast, Mirapoint, NHN, NZRS, MyPW, nProtect Online Security, Netcraft, Network Solutions, NeuStar, Nominet, Nominum, NZRS Limited, Public Interest Registry, Panda Software, Phishlabs, PhishMe, Planty.net, Prevalent, Prevx, Proofpoint, Psafe, RSA Security (EMC), Rakuten, RedMarlin, Return Path, RiskIQ, RuleSpace, SalesForce, SecureBrain, SendGrid, S21sec, SIDN, SilverPop, SiteLock, SnoopWall, SoftForum, SoftLayer, SoftSecurity, SOPHOS, SunTrust, SurfControl, Symantec (SYMC), TDS Telecom, Telefonica (TEF), ThreatSTOP, TransCreditBank, Trend Micro (TMIC), Trustwave, UITSEC, Vasco (VDSI), VADE-RETRO, VeriSign (VRSN), Wombat Security Technologies, and zvelo.

Contacts

APWG
Peter Cassidy, +1-617-669-1123
Secretary General
pcassidy@apwg.org
or
Mark Monitor
Stefanie Ellis
Stefanie.ellis@markmonitor.com
or
Axur
Fabricio Pessôa, +55-51-3012-2987
fabricio.pessoa@axur.com
or
PhishLabs
Stacy Shelley, 1-843-329-7824
stacy@phishlabs.com
or
RiskIQ:
Kari Walker, +1-703-928-9996
Kari@KariWalkerPR.com
