Over this year alone there has been a huge push for websites to enable secure communications over the internet through the adoption of HTTPS. This has resulted in a significant increase in the number of websites using HTTPS: according to statistics from Let’s Encrypt, 65% of the webpages loaded by the Firefox web browser in November of 2017 used HTTPS, a substantial increase compared to the 45% at the end of 2016. However, a recent spike in the number of phishing sites using the HTTPS protocol shows how hackers are currently exploiting the raised awareness of HTTPS to their own advantage.
What is HTTPS Phishing?
HTTPS phishing differs from traditional mass phishing attacks and spear-phishing attacks in that it primarily exploits a user’s trust in the website they are visiting, rather than, for example, in an email they are receiving. In mass phishing attacks, emails containing links to insecure phishing sites are sent to large numbers of email addresses at a time in the hope that a few will succeed in luring people in. Spear-phishing attacks are usually personalized or tailored to a specific individual, organization, or enterprise. The results of these three kinds of phishing attacks can often be devastating to their victims.
Why the Sudden Spike?
Interestingly, the number of HTTPS phishing sites has risen much faster than the global adoption of HTTPS among websites. According to PhishLabs, in the third quarter of 2017, nearly a quarter of all phishing sites were hosted on HTTPS domains. There are several reasons that could explain this, and they also show how the environment for these kinds of attacks has become so fertile. Firstly, and probably most obviously, as more websites use HTTPS, the number of phishing sites using HTTPS will naturally increase as well.
Secondly, the recent drive for HTTPS awareness has inadvertently caused users to blindly accept and trust any website using HTTPS. The familiarity of seeing HTTPS in a web browser alongside the reassuring green padlock has led users to display alarming levels of trust in websites showing these features, without necessarily knowing how trustworthy they actually are, or even whether they are a fraudulent imitation of a website. A padlock only indicates that the connection to the site is encrypted and that a certificate was issued for that hostname; it says nothing about who operates the site. This trend has caused hackers to boost the number of HTTPS phishing sites in order to exploit this trust and, in fact, turn it against end users for their own gains.
Preventative Best Practices
In order to avoid HTTPS phishing incidents causing unnecessary and potentially damaging consequences, individuals, businesses, organizations, and enterprises can undertake several steps to boost their cyber security efforts and knowledge of the threats they face. Three of the most effective techniques and practices to teach and enforce are detailed below for consideration.
One of the best, yet still undervalued, tools for fighting cyber threats such as HTTPS-based phishing attacks is educating staff and management about each threat and how best to avoid falling victim to it. As obvious as this may seem, some organizations still do not have adequate cyber security education and training for all staff, and it is this gap that creates the situations and vulnerabilities hackers depend on for the successful deployment of their schemes. Regular training and education sessions, twice a year for example, can help to keep staff up to date on the threats they face and the latest trends to watch out for when it comes to staying safe and secure online.
Alongside education and training, individuals and organizations can equip themselves with the latest technologies for spotting suspicious-looking sites and security certificates. Many of these technologies now come with built-in databases of known phishing threats and can alert users when they come across suspicious sites or communications that could be phishing attempts. Monitoring equipment can also detect successful phishing attempts and attempt to uncover the affected information or data as well as the origin of the attack(s).
Analytics software, such as cognitive analytics systems and similar equipment, is capable of discovering potentially hundreds of phishing sites a week. It does this by modeling the observed network data and then watching for anomalies in that data. This allows analytics systems to spot and identify previously unknown phishing sites, notify users of these discoveries, and update any databases they are connected to or working in sync with.
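To make the two detection ideas above concrete, here is a small added example (not code from the original article or from any product it mentions) of the kind of check a web-proxy or log-analytics tool can run: it matches visited hostnames against a database of known phishing hosts, and it flags previously unseen hosts that imitate protected brand domains, either by a near-miss spelling (edit distance) or by embedding the brand name as a subdomain of an unrelated domain. The log lines, the known-phish list, the protected brand list and the simplified registrable-domain logic (last two labels, no public suffix list) are all constructed assumptions for this illustration. Note that the URL scheme is deliberately ignored: an `https://` prefix is not treated as a trust signal.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data for this example (not from the original article).
KNOWN_PHISHING_HOSTS = {"secure-login-verify.example", "account-update.example"}
PROTECTED_BRANDS = ("examplebank.com", "examplemail.com")
MAX_LOOKALIKE_DISTANCE = 2  # assumption: up to 2 edits counts as a lookalike

# Constructed proxy log: timestamp, user, method, URL.
SAMPLE_PROXY_LOG = """\
2017-11-03T09:12:01Z user1 GET https://www.examplebank.com/login
2017-11-03T09:12:44Z user2 GET https://examp1ebank.com/login
2017-11-03T09:13:10Z user3 GET https://secure-login-verify.example/signin
2017-11-03T09:14:02Z user4 GET https://examplemail.com.account-reset.example/auth
2017-11-03T09:15:20Z user5 GET http://news.example.org/article
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Simplified: the last two labels. Real tools use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify_host(host: str) -> str:
    """Return a verdict for a hostname, independent of the URL scheme."""
    host = host.lower()
    if host in KNOWN_PHISHING_HOSTS:
        return "known-phish"          # hit in the threat database
    rd = registrable_domain(host)
    if rd in PROTECTED_BRANDS:
        return "brand"                # the genuine brand domain (or a subdomain of it)
    labels = host.split(".")
    for brand in PROTECTED_BRANDS:
        brand_label = brand.split(".")[0]
        # Brand name appears as a label inside some other registrable domain.
        if brand in host or brand_label in labels:
            return "brand-in-subdomain"
        # Near-miss spelling of the brand's second-level label.
        if levenshtein(rd.split(".")[0], brand_label) <= MAX_LOOKALIKE_DISTANCE:
            return "lookalike"
    return "unknown"


FLAGGED = {"known-phish", "brand-in-subdomain", "lookalike"}


def scan_log(text: str) -> list:
    """Parse proxy log lines and return one finding per suspicious visit."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, user, _method, url = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        verdict = classify_host(host)
        if verdict in FLAGGED:
            findings.append({"time": ts, "user": user, "host": host,
                             "scheme": parts.scheme, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_PROXY_LOG):
        print(f"{f['time']} {f['user']} {f['scheme']}://{f['host']} -> {f['verdict']}")
```

Run against the constructed log, all three flagged visits use `https://`, which is exactly the point of the article: a valid certificate and a padlock do not distinguish a genuine site from an imitation, so the hostname itself, plus the threat database, has to carry the decision. In a real deployment the `lookalike` and `brand-in-subdomain` verdicts would feed the alerting and database-update loop described above.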