Phishing scum going legit to beat browser warnings

Now that Chrome and Firefox call out HTTP, phisherpholk are getting certified

By Simon Sharwood, APAC Editor


Browser-makers' decision to put big red warning lights in the faces of users when they hit sites too slack to use HTTPS is backfiring a little, as crooks are accelerating their use of encryption.

So says Netcraft, which has turned its web server probes onto phishing sites in the wake of Chrome 56 and Firefox 51 adding warnings about insecure sites that request passwords.

The firm's data shows that since the two browsers started to berate HTTP-only operations, phishing sites added an extra layer of credibility by adding HTTPS.

[Chart: Proportion of phishing sites using HTTPS. Source: Netcraft.]

Netcraft doesn't think the <20 per cent HTTPS adoption rate is a sign that there are plenty of clueless phisherpholk out there. Instead it feels that the phishing scum may be renewing their efforts to get their schemes running on compromised sites that already run HTTPS.

Either way, the firm worries that browser warnings may be having the unintended and unwelcome effect of making phishing more efficient, because the HTTPS padlock lends phishing sites added credibility. ®
