Half of all Phishing Sites Now Have the Padlock — Krebs on Security
Krebs on Security reported that Half of all Phishing Sites Now Have the Padlock and warned: “Maybe you were once advised to ‘look for the padlock’ as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with ‘https://’… The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.”
Nick Bilogorskiy, Cybersecurity Strategist at Juniper Networks:
The “green padlock” icon is a red herring as it misleads users into having a false sense of security. Many website visitors assume it means a website is safe to use but this is not the case, not by a long shot.
Attackers are always quick to adapt any innovative means to increase the click-through of their phishing sites. It does not cost them anything to get an SSL certificate from Let’s Encrypt to obtain the “green padlock”. In fact, Let’s Encrypt has become the largest certificate issuer in the world with over 380 million certificates issued on 129 million unique domains. That said, I am not surprised that attackers have doubled the number of HTTPS phishing sites in a year.
Colin Bastable, CEO of cybersecurity training firm Lucy Security:
“While I defer to Brian on this, I don’t believe people really think the padlock means the site is genuine – just secure. The problem is that most people readily assume that a shopping site is genuine. The industry has been pushing all websites to go https, so they can sell certificates, so this is a natural outcome. The unintended consequence is that folks can be securely robbed online.”