As more of the web embraces HTTPS and SSL certificates, it is becoming a requirement that threat actors use them, too. By the end of Q1 2019, more than half of all phishing sites were using HTTPS, with the figure now up to 58%. This represents a critical milestone, underscoring that threat actor behavior frequently aligns with the broader user population.
“In Q1 2019, 58 percent of phishing sites were using SSL certificates, a significant increase from the prior quarter where 46% were using certificates,” said John LaCour of Fortra. “There are two reasons we see more. Attackers can easily create free DV (Domain Validated) certificates, and more web sites are using SSL in general. More web sites are using SSL because of browsers warning users when SSL is not used, and most phishing is hosted on hacked, legitimate sites.”
At the end of last year, the Fortra team identified that nearly half of all phishing sites were employing HTTPS or an SSL certificate. Specifically, HTTPS was found on 49% by the end of Q3. It later dipped in Q4, which was the first drop since our initial analysis in the first quarter of 2015.
As LaCour noted, there are several reasons behind the use of HTTPS on phishing sites, and the browser's Secure (lock) versus Not Secure indicators can be a bit confusing. HTTPS simply means that a site encrypts the information sent between you and it. The lock describes the connection, not who operates the site. When a threat actor uses HTTPS, for example on a fake login screen for Twitter, that site is still going to steal your login credentials, but at least it does so securely.
While threat actors may target each other, the presence of HTTPS on a phishing site is nothing more than a social engineering tactic or a baseline functional requirement.
On the functional side, HTTPS prevents the likes of Google Chrome from throwing up a big red flag telling the user to turn around. As with brand impersonation, a phishing site needs to mirror the actual site in every way feasible, or at least reduce the number of red flags a regular user may notice before handing over their credentials.
The decision to employ HTTPS, and to what extent, is ultimately dictated by the threat actor’s operational preferences. Increases in HTTPS adoption on phishing sites reflect both the level of threat actor activity and the nature of their intended targets. Similarly, the choice between leveraging compromised or spoofed websites versus free hosting services is determined by the tactics best suited to their objectives.
The next quarterly update will be available after July, but it's reasonable to expect that HTTPS will only increase in use by threat actors going forward.