Phishing scum going legit to beat browser warnings

Now that Chrome and Firefox call out HTTP, phisherpholk are getting certified

By Simon Sharwood


Browser-makers' decision to put big red warning lights in the faces of users when they hit sites too slack to use HTTPS is backfiring a little, as crooks are accelerating their use of encryption.

So says Netcraft, which has turned its web server probes onto phishing sites in the wake of Chrome 56 and Firefox 51 adding warnings about insecure sites that request passwords.

The firm's data shows that since the two browsers started to berate HTTP-only operations, phishing sites added an extra layer of credibility by adding HTTPS.

[Figure: Proportion of phishing sites using HTTPS. Source: Netcraft.]

Netcraft doesn't think the <20 per cent HTTPS adoption rate is a sign that there are plenty of clueless phisherpholk out there. Instead it feels that the phishing scum may be renewing their efforts to get their schemes running on compromised sites that already run HTTPS.

Either way, the firm worries that browser warnings may be having the unintended and unwelcome effect of making phishing more effective, because using HTTPS gives phishing sites added credibility. ®
