You know that little padlock icon displayed on the upper left-hand side of the address bar in your web browser? The one that provides you with a sense of privacy and security. Turns out cybercriminals are increasingly banking on users’ trust of HTTPS and the padlock icon – with nearly one in three of all phishing sites now using HTTPS. That’s according to a recent report from Webroot.
“When you see that little lock icon in your browser, it just means that the information you transmit on that site is encrypted and securely delivered to where it’s going. There’s no guarantee that the destination is safe,” Webroot chief technology officer Hal Lonas said about HTTPS phishing.
The report titled 2019 Webroot Threat Report: Mid-Year Update showcases data from the Webroot Platform from January through June this year -- which also detected over 1.5 million unique phishing URLs during that timeline -- and highlights threat trends like HTTPS phishing, and predictions from the Webroot Threat Research Team.
Taking advantage of users’ trust
Cybercriminals are using HTTPS to create a sense of legitimacy, because they know users worldwide have been trained to look for the padlock icon displayed in a web browser.
The “s” in HTTPS stands for secure, meaning that the website has a TLS certificate and it encrypts information transmitted between you and the site. But the advent of certificate authorities like Let’s Encrypt has made it easier for phishers to acquire these certificates.
And cybercriminals are not just stopping at crafting HTTPS phishing sites. They are also hijacking web pages on trusted domains to host malicious content. Nearly one in four malicious URLs are hosted on trusted domains, the report found.
Why? Because they know it’s more difficult for security measures to block URLs on these domains and users are less likely to be suspicious of pages on domains they recognize.
“What this means is that a lot of these mental checks that people have like checking the URLs and checking for that padlock icon, don't really mean much anymore because criminals can simulate that,” said Webroot security analyst Tyler Moffitt.
Bolster up your phishing defenses
As phishing attacks advance and attackers continue to whet their tactics, here are tips on how to shield your growing business against such attacks:
- Advanced endpoint protection. While installing and keeping antivirus software up to date is crucial, don’t forget to back up critical business data to help minimize the damage in the event of an attack. Today’s sophisticated threat also calls for employing cloud-driven endpoint protection that harnesses the power of machine learning to detect and protect against evolving threats.
- Deploying DNS protection. As DNS attacks gain momentum – with businesses reporting a 57% increase in downtime due to such attacks – DNS-level protection has become a business imperative. DNS security solutions provides content filtering at the DNS layer, full network visibility, and automatically blocks dangerous connection requests from phishing and malware sites.
- Provide security awareness training. Providing end user education is key to IT security. Simulated phishing campaigns can not only help you gauge end user phishing awareness, but also help raise their cyber awareness. Keep in mind that continuous learning is key to success when it comes to such trainings.