Modern Phishing Tactics
Nowadays, not all phishing messages are easy to spot, and attackers have found ways to evade the more obvious indicators. One way users are trained to identify an illegitimate web login page is to check for an unencrypted (HTTP) connection. In Google Chrome this is easy to see in the address bar: a small red exclamation mark icon marks a non-HTTPS website as not secure or dangerous.
However, as Krebs on Security has reported, there are now phishing attempts that use encrypted web pages, so the green lock icon appears in the address bar. This confuses users who have been taught to trust the icon. The lock only means that the connection to the site is encrypted; it is not an indication that the website you are visiting is the site you intended to visit.
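The point above, that the lock icon tells you about the connection and nothing about the site's identity, is what a defender's URL triage has to encode. The following is an added example (not code from the original article or from Krebs on Security or PhishLabs): it classifies login URLs by comparing the hostname against a known list of the organisation's own login hosts and flags unknown hosts that carry the brand name, while recording the HTTPS status separately so the two signals are never conflated. The allowlist, the brand token and the sample URLs are constructed for illustration, and the registrable-domain helper is a deliberately naive two-label version; a real deployment would use the Public Suffix List.

```python
"""Defender-side login-URL triage: HTTPS is recorded, not treated as a trust signal."""
from urllib.parse import urlsplit

# Constructed sample allowlist of the organisation's genuine login hosts (assumption).
KNOWN_LOGIN_HOSTS = {"login.example.com", "accounts.example.com"}

# Brand tokens whose presence in a hostname outside the allowlisted domains
# is a common look-alike pattern worth a closer look (constructed for this example).
BRAND_TOKENS = ("example",)


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two DNS labels.

    Good enough for the constructed hosts here; production code should use the
    Public Suffix List so that e.g. 'foo.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_url(url: str) -> dict:
    """Return a verdict on whether a URL points at a known login host.

    The 'https' field is reported on its own so a reviewer can see that the
    verdict does not depend on it: a look-alike host with a valid certificate
    is still a look-alike.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    encrypted = parts.scheme == "https"

    allowed_domains = {registrable_domain(h) for h in KNOWN_LOGIN_HOSTS}
    exact_match = host in KNOWN_LOGIN_HOSTS
    on_allowed_domain = registrable_domain(host) in allowed_domains
    brand_in_foreign_host = (not on_allowed_domain) and any(t in host for t in BRAND_TOKENS)

    if exact_match:
        verdict = "trusted"
    elif brand_in_foreign_host:
        verdict = "suspect-lookalike"
    else:
        verdict = "unknown"

    return {"host": host, "https": encrypted, "verdict": verdict}


def count_https_by_verdict(urls) -> dict:
    """Count how many URLs in each verdict bucket use HTTPS.

    Used to show that encryption is present in the suspect bucket as readily
    as in the trusted one, so it cannot be used to separate them.
    """
    counts: dict = {}
    for url in urls:
        result = triage_url(url)
        bucket = counts.setdefault(result["verdict"], {"total": 0, "https": 0})
        bucket["total"] += 1
        bucket["https"] += int(result["https"])
    return counts


# Constructed sample URLs: one genuine host, two brand-bearing look-alike hosts
# (both served over HTTPS), and one unrelated site.
SAMPLE_URLS = [
    "https://login.example.com/signin",
    "https://example-com.login-portal.test/signin",
    "https://accounts.example.com.login-verify.test/",
    "https://news.unrelated.test/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(triage_url(u))
    print(count_https_by_verdict(SAMPLE_URLS))
```

Run it and every URL shows `https: True`, yet two of the four are flagged as look-alikes purely on hostname evidence, which is the check the lock icon cannot make for the user.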
According to PhishLabs, by the end of 2017 nearly one-third of all phishing sites were hosted on HTTPS domains, up from only five percent at the end of 2016. This exponential growth shows how quickly phishers have adopted site encryption and turned it to their advantage.
The broader trend toward HTTPS-encrypted sites is also visible in the actions of major browser vendors: in July 2018, Google Chrome will begin marking all HTTP sites as not secure. About 81 percent of the top 100 sites on the web already default to HTTPS, according to The Verge. It is clear that as the majority of web traffic shifts to encrypted sites, phishing sites will follow.
“Phishers are preying on the common misconception that HTTPS means a site is legitimate or trustworthy.” — PhishLabs