Phishing scum going legit to beat browser warnings

Now that Chrome and Firefox call out HTTP, phisherpholk are getting certified

By Simon Sharwood


Browser-makers' decision to put big red warning lights in the faces of users when they hit sites too slack to use HTTPS is backfiring a little, as crooks are accelerating their use of encryption.

So says Netcraft, which has turned its web server probes onto phishing sites in the wake of Chrome 56 and Firefox 51 adding warnings about insecure sites that request passwords.
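
To make the browser check concrete, here is an added example (not code from the article, from Netcraft or from either browser vendor) in JavaScript that applies the same rule as a page-side audit: flag any form with a password field when the page is not served over HTTPS. It also flags the neighbouring case of an HTTPS page whose form action posts to a plain http:// URL; that second check is this example's own addition, not something the article attributes to Chrome or Firefox. The function names, the form-description shape and the sample hostnames are all assumptions constructed for the example.

```javascript
// Added example, not code from the article, Netcraft or any browser vendor.
// auditLoginForms() applies the rule Chrome 56 / Firefox 51 use to warn users:
// a password field presented on a page that is not served over HTTPS.
// As an extra (assumed, not from the article) check it also flags an HTTPS
// page whose credential form posts to an http:// action.

function auditLoginForms(pageUrl, forms) {
  const page = new URL(pageUrl); // URL is a global in browsers and in Node
  const findings = [];
  forms.forEach((form, index) => {
    if (!form.hasPasswordField) return; // only credential forms matter here
    // An empty or relative action resolves against the page URL ("post to self").
    const target = new URL(form.action || '', page);
    if (page.protocol !== 'https:') {
      findings.push({ form: index, reason: 'password field on non-HTTPS page', target: target.href });
    } else if (target.protocol !== 'https:') {
      findings.push({ form: index, reason: 'HTTPS page submits credentials over plain HTTP', target: target.href });
    }
  });
  return findings;
}

// In a browser, build the same form description from the live DOM.
function describeForms(doc) {
  return Array.from(doc.forms).map((f) => ({
    action: f.getAttribute('action') || '',
    hasPasswordField: f.querySelector('input[type="password"]') !== null,
  }));
}

// Constructed sample pages; the .test hostnames are placeholders, not real sites.
const SAMPLE_PAGES = [
  { url: 'http://login.example.test/signin',
    forms: [{ action: '', hasPasswordField: true }] },
  { url: 'https://login.example.test/signin',
    forms: [{ action: '/auth', hasPasswordField: true }] },
  { url: 'https://login.example.test/signin',
    forms: [{ action: 'http://legacy.example.test/auth', hasPasswordField: true }] },
  { url: 'http://www.example.test/',
    forms: [{ action: '/search', hasPasswordField: false }] },
];

// Run the audit over every constructed sample and return the findings per page.
function auditSamplePages() {
  return SAMPLE_PAGES.map((p) => ({ url: p.url, findings: auditLoginForms(p.url, p.forms) }));
}

if (typeof document !== 'undefined') {
  // Browser: audit the page this script is running on.
  console.log(auditLoginForms(location.href, describeForms(document)));
} else {
  // Node: audit the constructed samples.
  console.log(JSON.stringify(auditSamplePages(), null, 2));
}
```

Only the first and third sample pages produce a finding. Note what the check does not tell you: it attests to the transport, nothing else, so a phishing page that has moved to HTTPS passes it with no finding at all, which is exactly the effect the article describes. A missing browser warning is therefore not evidence that a login page is genuine.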

The firm's data shows that since the two browsers started to berate HTTP-only operations, phishing sites added an extra layer of credibility by adding HTTPS.

Proportion of phishing sites using HTTPS. Source: Netcraft.

Netcraft doesn't think the <20 per cent HTTPS adoption rate is a sign that there are plenty of clueless phisherpholk out there. Instead it feels that the phishing scum may be renewing their efforts to get their schemes running on compromised sites that already run HTTPS.

Either way, the firm worries that browser warnings may be having the unintended and unwelcome effect of making phishing more efficient, because using HTTPS lends phishing sites added credibility. ®
