As more legitimate websites convert to Hypertext Transfer Protocol Secure (HTTPS), malicious phishing sites are doing the same.
Between the second and third quarters of this year alone, the number of phishing websites employing HTTPS has doubled, according to a report by threat intelligence manager Crane Hassold.
By comparison, only three percent of phishing sites used HTTPS in 2016, and less than one percent did in 2015.
The push for HTTPS has grown significantly this year as companies migrate to websites that can securely transmit data over the Internet.
In January of this year, web browsers like Google Chrome and Mozilla Firefox began alerting users when their private information was entered on non-HTTPS websites. Later in the year, Google enhanced its browser by adding a “Not Secure” label in the URL bar whenever users visit HTTP sites.
There are a few reasons for the uptick in bogus HTTPS websites, the first being the sheer number of HTTPS sites online. As more sites obtain Secure Sockets Layer (SSL) certification, cybercriminals have more chances to compromise them.
SSL certification does not automatically make a website secure, nor does it mean that its vulnerabilities have been fixed; it only means that information sent from the site is encrypted. Cybercriminals can still take over such websites just as they would regular HTTP ones that are not SSL certified.
Hackers are exploiting the situation because SSL certification has become much easier, quicker, and cheaper to obtain. Hassold added that while SSL certificates are easily and freely obtained, phishing pages do not need them to fully function.
While the certification is certainly not needed for phishing sites to fulfill their roles, cybercriminals are going the extra mile to get it since the HTTPS tags on their websites make them look more legitimate in the eyes of prospective victims.
A majority of the public still believes that accessing HTTPS websites means they are safe online; however, it should be public knowledge that it only means that the transmission of data between their web browser and the website is encrypted.
So how can we protect ourselves?
- Make sure you don’t click on links from suspicious emails. Hackers can easily redirect you to fraudulent HTTPS login pages.
- Log in directly to your online banking accounts, emails, social media, etc. – never access them through other links or emails.
- Always double check that you’re accessing the correct web address because URLs can be deceiving and hackers try to duplicate the look and feel of the original websites.
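
The advice above comes down to judging a link by its hostname, not by the presence of HTTPS. The following is an added example, not part of the original article; the trusted-host list, the `.example`/`.test` names and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: sites the user actually holds accounts with.
TRUSTED_HOSTS = {"bank.example", "mail.example"}


def normalize_host(parts):
    """Return the lowercase ASCII (punycode) hostname, or None if unusable."""
    host = parts.hostname
    if not host:
        return None
    try:
        return host.rstrip(".").lower().encode("idna").decode("ascii")
    except UnicodeError:
        return None


def assess(url, trusted=TRUSTED_HOSTS):
    """Classify a link by where it really points; HTTPS alone proves nothing."""
    parts = urlsplit(url)
    host = normalize_host(parts)
    if host is None:
        return "invalid"
    # "https://bank.example@evil.test/" connects to evil.test, not the bank.
    if parts.username is not None:
        return "userinfo-trick"
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "trusted" if parts.scheme == "https" else "trusted-host-no-tls"
    # Internationalized labels can imitate a brand with look-alike letters.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike-idn"
    # Brand name embedded in someone else's domain (a heuristic, not proof).
    brands = {t.split(".")[0] for t in trusted}
    if any(brand in host for brand in brands):
        return "lookalike-brand"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links; none of these is a real site.
    for link in ("https://bank.example/login",
                 "https://bank.example.login-secure.test/signin",
                 "https://b\u0430nk.example/",
                 "https://bank.example@evil.test/"):
        print(assess(link), link.encode("ascii", "backslashreplace").decode())
```

Every constructed link except the first uses HTTPS and still fails the check, because the scheme is only considered after the hostname has matched.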