Unlike most types of cyberattacks that have evolved over time, phishing has rarely strayed from the traditional formula of combining social engineering with malicious files or links. Nevertheless, this has not stopped cybercriminals from making even more convincing attempts, going as far as abusing tools supposedly for security. One example is setting up phishing sites that use the HTTPS (Hypertext Transfer Protocol Secure) protocol — a tactic which has been on the rise in phishing attacks, now up to 58% according to the Q1 2019 report from the Anti-Phishing Working Group (APWG).
HTTPS, which has become the standard protocol for secure communication over a computer network, works by encrypting traffic between a browser and a website, ensuring that no third parties are privy to the data that is being exchanged. The use of HTTPS is especially important with websites that ask users for personal information or credentials, such as login pages.
Due to the widespread adoption of HTTPS, current browsers are now designed to notify users that they are browsing an “unsecure” website when it lacks the protocol. The presence of a lock icon in the URL bar is typically read as a sign that the user is on a safe domain, while websites without the icon imply the opposite. Wily cybercriminals take advantage of this by creating phishing websites that use HTTPS, thus making a site appear safe to the user’s browser despite its malicious purpose.
HTTPS relies on Transport Layer Security (TLS) or Secure Sockets Layer (SSL) certificates. These certificates have traditionally been purchased, which previously made phishing websites that use HTTPS an expensive option for cybercriminals. However, a number of services now provide TLS and SSL certificates for free, so it is now easier for anyone (even cybercriminals) to add HTTPS to their websites. Alternatively, cybercriminals can compromise legitimate websites and use them as phishing sites, making it even more difficult for potential victims to distinguish between what’s safe and what’s not.
The practice of abusing HTTPS in phishing attacks has become so widespread that the FBI issued a public service announcement earlier this month to warn users.
Best practices to defend against phishing attacks
Fortunately, despite the large number of phishing sites that use HTTPS, some of the best methods users have to combat phishing remain relatively simple:
Be cognizant of what phishing attacks look like and how they work. Misspellings, out-of-context messages, and even different-looking signatures should be red flags.
Take everything into consideration before clicking a link or downloading an attachment. Just because a website uses the HTTPS protocol and looks legitimate does not automatically mean that it is safe. For example, a seemingly authentic bank website may be spoofing the legitimate site.
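As an added illustration (not code from the original article), the Python check below separates the two questions that the lock icon blurs together: whether the connection is encrypted (the scheme is https) and whether the domain being contacted is actually the one the user expects. The trusted-domain list and the sample URLs are constructed for this example, and the registrable-domain logic assumes two-label domains rather than consulting the Public Suffix List.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed for this example: the registrable domains a user actually expects
# to log in to. In practice this list comes from the organisation or the user.
TRUSTED_DOMAINS = {"examplebank.com"}


@dataclass
class Verdict:
    encrypted: bool  # scheme is https: the "lock icon" signal, and nothing more
    domain: str      # registrable domain actually being contacted
    trusted: bool    # whether that domain is one the user expects
    reason: str


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. login.examplebank.com -> examplebank.com.
    Assumption: two-label domains only; suffixes such as co.uk would need a
    Public Suffix List lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch misspelled lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url: str, trusted=TRUSTED_DOMAINS) -> Verdict:
    """Separate the transport question (https?) from the identity question
    (is this the domain the user expects?)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    encrypted = parts.scheme == "https"
    domain = registrable_domain(host)
    if domain in trusted:
        return Verdict(encrypted, domain, True, "domain is on the expected list")
    for t in trusted:
        brand = t.split(".")[0]
        if edit_distance(domain, t) <= 2:
            return Verdict(encrypted, domain, False, f"misspelling of {t}")
        # Brand name left of the registrable domain or in the path is the classic
        # lookalike: the browser would still show the lock for this site.
        if brand in host or brand in parts.path.lower():
            return Verdict(encrypted, domain, False, f"brand {brand!r} used on {domain}")
    return Verdict(encrypted, domain, False, "domain not on the expected list")
```

A URL such as `https://examplebank.com.evil-host.test/login` comes back encrypted but untrusted, which is exactly the case where the lock icon alone would mislead a user.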