The push for more widespread adoption of HTTPS has been in full-force this year as a way to increase the number of websites that securely transmit information on the Internet. In January, both Chrome and Firefox browsers began alerting users whenever sensitive information, such as passwords or credit card information, was entered on a non-HTTPS web page. In October, Google took this a step further by displaying a “Not Secure” label in the URL bar whenever a user enters any text on an HTTP website.
Chrome “Not Secure” HTTP warning.
This effort to get more webpages to enable secure communication has resulted in a significant increase in the number of web pages using HTTPS. According to Let’s Encrypt, 65% of web pages loaded by Firefox in November used HTTPS, compared to 45% at the end of 2016.
Percentage of pageloads using HTTPS since October 2015 (Source: Let’s Encrypt).
Based on these trends, it shouldn’t be surprising that the number of phish hosted on HTTPS sites is also increasing. Interestingly though, the rate at which phishing sites are hosted on HTTPS pages is rising significantly faster than overall HTTPS adoption.
In the third quarter of 2017, we observed nearly a quarter of all phishing sites hosted on HTTPS domains, nearly double the percentage we saw in the second quarter. A year ago, less than three percent of phish were hosted on websites using SSL certificates. Two years ago, this figure was less than one percent.
Trend of phishing sites hosted on HTTPS domains.
Why are We Seeing an Increase in HTTPS Phish?
Now that we’ve covered the basics about how the phishing landscape is changing, let’s talk about why it’s happening.
There are two primary reasons we’re seeing an increase in HTTPS phishing attacks:
1) More HTTPS websites = more HTTPS phishing sites
The first reason is the most obvious. As more websites obtain SSL certificates, the number of potential HTTPS websites available for compromise increases. An SSL certificate only means that the data sent from the website to its destination is encrypted in transit. It does NOT mean that a website has been secured or any vulnerabilities on the site have been patched. Thus, attackers will be able to exploit vulnerabilities in HTTPS websites just as easily as they can compromise HTTP websites.
Essentially, because HTTPS websites are not any less vulnerable than non-HTTPS sites, when attackers scan for potential domains to compromise and host malicious content, they will simply be more likely to randomly identify an HTTPS to pwn as HTTPS adoption increases.
2) Phishers are taking advantage of unclear security messaging
While the presence of phishing content on insecure HTTPS websites is based on a natural shift in the adoption of security measures, a significant number of HTTPS phish are hosted on domains that are registered by the phishers themselves.
An analysis of Q3 HTTPS phishing attacks against PayPal and Apple, the two primary targets of these attacks, indicates that nearly three-quarters of HTTPS phishing sites targeting them were hosted on maliciously-registered domains rather than compromised websites, which is substantially higher than the overall global rate. Based on data from 2016, slightly less than half of all phishing sites were hosted on domains registered by a threat actor.
In the context of this discussion, the use of infrastructure that is obtained by a threat actor for the explicit purpose of hosting phishing content is particularly important because it is a conscious choice made by an attacker. As we mentioned earlier, the use of maliciously-registered domains to host phishing content isn’t a rare occurrence, but because we’re talking about HTTPS phishing sites, this also means that a phisher has taken the additional step of obtaining a valid SSL certificate.
Although a vast majority of SSL certificates used in HTTPS phishing attacks are obtained for free from services like Let’s Encrypt or Comodo, their use is notable because, technically, they aren’t necessary to create the phishing site. Without an SSL certificate, the phishing page would still function as intended.
So why would a threat actor take an extra step to create an HTTPS page when it is not actually needed?
The answer is because phishers believe that the “HTTPS” designation makes a phishing site seem more legitimate to potential victims and, thus, more likely to lead to a successful outcome. And unfortunately, they’re right.
As we discussed in a blog post in November, we conducted an informal poll to see how many people actually knew the meaning of the green padlock that is associated with HTTPS websites. More than 80% of the respondents believed the green lock indicated that a website was either legitimate and/or safe, neither of which is true.
Results of an informal poll about the meaning of the green lock in a browser URL bar.
Adding to the confusion, browsers like Google Chrome label websites with SSL certificates as “Secure” in the URL bar. Another word for secure: safe.
Example of an Amazon HTTPS phishing site labeled as “Secure” in Chrome.
The misunderstanding of the meaning of the HTTPS designation among the general public and the confusing labeling of HTTPS websites within browsers are the primary drivers of why they have quickly become a popular preference of phishers to host phishing sites.
Combined with the accelerated adoption of HTTPS among website owners globally, we can expect to see the number of HTTPS phishing sites to continue to grow rapidly.