As the adoption of cryptographic protocols for secure website communication increased, cybercrooks also moved to HTTPS to keep their operations afloat.
Over half of the phishing websites detected in the first quarter of the year used digital certificates to encrypt visitors' connections. This trend has kept growing since mid-2016.
HTTPS is designed to protect user privacy by encrypting the traffic between a website and the browser. This prevents third parties from viewing the data that is exchanged. It started as a defense against snooping on traffic to pages with forms for sensitive information (payment card details, logins) and soon became a communication standard for the entire website.
Crooks catch up on HTTPS adoption
Statistics from PhishLabs, a company that monitors phishing activity at a large scale, show that up to 58% of the phishing websites in the first months of 2019 were using the secure HTTP protocol. This is a 12% jump compared to the last quarter of 2018.
As browsers became more aggressive about HTTPS adoption by warning users when their connection is not secure, phishing scams had to follow the trend. Impersonating an HTTPS website is virtually impossible now without a TLS certificate.
Getting a digital certificate used to be both complicated and expensive, but the process has become much easier, and TLS certificates are now available even for free (https://letsencrypt.org/).
"Attackers can easily create free DV (Domain Validated) certificates, and more web sites are using SSL in general. More web sites are using SSL because of browsers warning users when SSL is not used, and most phishing is hosted on hacked, legitimate sites," says John LaCour, founder and CTO of PhishLabs.
The researchers expect the adoption of HTTPS to grow among cybercrooks, as failing to adopt it would mean an end to their business.