Phishing sites are moving to HTTPS

Phishing with false SSL certificates becomes massive – up to a quarter of fake sites are hosted on HTTPS-domains

“Kaspersky Lab” recorded tens of millions of threats only in the third quarter. The green lock does not guarantee the authenticity of the resource – users must check the domain name.

Crane Hassold, the head of the Phish Labs threat research department, described the scale of the problem as: “In the third quarter of 2017, we observed that almost a quarter of all phishing sites are hosted on HTTPS domains, which is almost twice as much as in the second quarter “. He stressed that a year ago this figure was less than 3%, and two years ago – less than 1%.

The rapid growth of phishing sites using fake SSL certificates is due to at least three reasons. The first is that “resettlement” occurs after legitimate HTTPS-resources, because phishers usually completely copy the compromised service. And the more secure HTTPS-domains will have genuine sites, the more noticeable will be the growth of literally pursuing their phishing fakes.

The second reason is related to the ease of obtaining SSL certificates. It’s cheap, the design itself is fast, besides, on some services – such as Comodo and Let’s Encrypt, they are issued for free. It’s curious that phishing sites work fine without SSL certification, and the hackers make an extra step to get it out only so that the trap works for sure.

This is precisely the third reason. Many users still think that the presence of HTTPS automatically means authenticity – but this, alas, is not so. Green lock and SSL certificate only testify to the encryption of communication between the browser and the site, which can be either legitimate or fake. Even if a user sees a page with HTTPS, before you enter your personal data, you should carefully check the domain name.

In the report for the third quarter of 2017, Kaspersky Lab reported the prevention of nearly 60 million crossings to phishing pages. About half of the attempts were made on financial sites, among the compromised resources were messengers, social networks, online games, blogs, transport, tax and other services.

One of the reasons for the mass nature of phishing is the repeated use of ready-made packages – ZIP-files with clones of original pages, “supplemented” by malicious scripts. The contents of the archive are placed on the hosting platform, and after blocking the site the archive is often not deleted. In October 2017, Duo Security analysts examined such forgotten phishing packs and published a report. They found out that out of 7,800 blocked and abandoned ZIP packets, only 3200 were unique, that is, an attacker used one archive several times.