One of the most widely known ways a web user can determine if the website they’re using is safe and encrypted is to check for the small green padlock and “https” at the start of a URL; this has led over half of all websites on the internet to use this exact encryption method to secure their websites and block criminals from stealing data. As HTTPS has become widely used, so have hacking programs.
Phishers have now developed a way to mimic the HTTPS encryption method and are spoofing the padlock and ‘green-lighting’ website users into believing malicious sites are safe.
Tuesday saw PhishLabs publish a research analysis detailing how phishers have begun rolling out false HTTPS displays for their websites. This has raised a number of red flags, as emails and text messages sent to web users with links to false bank websites and other services will now display a ‘safe’ result or a green padlock, leading users to believe that the website they’re accessing and giving their credentials to is the authentic one.
It’s reported that some of the websites were so meticulously copied from the authentic versions that they tripped the HTTPS indicator by accident. Other phishers have developed their own proprietary way to trip the HTTPS indicator and are implementing it within websites all across the web. The green padlock and HTTPS URL were previously a sure-fire way to ensure a website was encrypted and safe, but this new attack has shaken that faith.
PhishMe, an anti-phishing firm, monitored over 200 websites using false HTTPS to dupe users into handing over their details to a website run by criminals. They said that “The HTTPS connection ensures that the data is encrypted when it is transmitted, but forged pages that falsely replicate an organisation send the information to a criminal instead of the legitimate organisations.”
The Expansive HTTPS Security
Companies like Google have heavily promoted the HTTPS protocol, and even required websites to utilise it in most cases, which has resulted in over 100 million HTTPS certificates being granted by just one “certificate authority”, Let’s Encrypt.
Over the past few years, HTTPS browsing has grown immensely. Over 50% of page loads on Firefox were being encrypted with HTTPS in January 2017, and that number now sits at 67%. But experts have said they knew this added security would bring undesirable side effects.
Josh Aas, director of ISRG, says that “HTTPS is taking off at a rate that I think is really unprecedented for any change on the web,” and that the “web becoming encrypted is really, really good for people. And of course the bad guys are going to follow along down that trend, that’s to be expected, but in the overall picture the situation is much better than it was.”
ISRG believes that their lack of resources is hindering their ability to monitor and police large swaths of the web, leaving an endless list of phisher-controlled websites unexposed to the public. One of the major deceptive actions taken by malware and phishing criminals is creating an entirely empty website, then requesting HTTPS authentication, and from there developing a website to steal user data.
Hassold from PhishLabs believes the real issue is that the phishers’ websites gain the green padlock throughout their deceptive behaviour and give consumers and users a false sense of security. This then coerces users into handing over any and all types of information without much hesitation.
The advice for the average web user is to be alert and look for signs that a website may be built by phishers. It’s no longer safe to assume that just because a website has a green padlock and an HTTPS URL, it’s genuinely safe.