Unlike most types of cyberattacks that have evolved over time, phishing has rarely strayed from the traditional formula of combining social engineering with malicious files or links. Nevertheless, this has not stopped cybercriminals from making even more convincing attempts, going as far as abusing tools supposedly for security. One example is setting up phishing sites that use the HTTPS (Hypertext Transfer Protocol Secure) protocol — a tactic which has been on the rise in phishing attacks, now up to 58% according to the Q1 2019 report from the Anti-Phishing Working Group (APWG).
HTTPS, which has become the standard protocol for secure communication over a computer network, works by encrypting traffic between a browser and a website, ensuring that no third parties are privy to the data that is being exchanged. The use of HTTPS is especially important with websites that ask users for personal information or credentials, such as login pages.
Due to the widespread adoption of HTTPS, current browsers are now designed to notify users that they are browsing an “unsecure” website when it lacks the protocol. The presence of a lock icon in the URL bar typically signifies that the user is entering a safe domain while websites without the icon imply the opposite. Wily cybercriminals take advantage of this by creating phishing websites that use HTTPS, thus making a site appear safe to the user’s browser despite its malicious purpose.
Using the HTTPS protocol is enabled by Transport Layer Security (TLS) or Secure Sockets Layer (SSL) certificates. These certificates have traditionally been purchased, and this previously meant that phishing websites that use HTTPS were an expensive option for cybercriminals. However, a number of services now provide TLS and SSL certificates for free, meaning it is now easier for anyone (even cybercriminals) to add HTTPS to their websites. Alternatively, cybercriminals can actually hack legitimate websites to use as phishing sites, making it even more difficult for potential victims to distinguish between what’s safe and what’s not.
The practice of abusing HTTPS in phishing attacks has become so widespread that the FBI issued a public service announcement earlier this month to warn users.
Best practices to defend against phishing attacks
Fortunately, despite the large number of phishing sites that use HTTPS, some of the best methods users can do to combat phishing remain relatively simple:
- Be cognizant of what phishing attacks look like and how they work. Misspellings, out-of-context messages, and even different-looking signatures should be red flags.
- Take everything into consideration before clicking a link or downloading an attachment. Just because a website uses the HTTPS protocol and looks legitimate does not automatically mean that it is safe. For example, a seemingly authentic bank website may be spoofing the legitimate site.
Trend Micro solutions powered by machine learning
To bolster security capabilities and further protect users, organizations can consider security products such as the Trend Micro™ Cloud App Security™ solution, which employs machine learning (ML) to help detect and block attempts at phishing. If a suspected phishing email is received by an employee, it will go through sender, content, and URL reputation analysis followed by an inspection of the remaining URLs using computer vision and AI to check if website components are being spoofed. In addition, it can also detect suspicious content in the message body and attachments as well as provide sandbox malware analysis and document exploit detection.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: Trigona
- Steering Clear of Security Blind Spots: What SOCs Need to Know
- Understanding the Kubernetes Security Triad: Image Scanning, Admission Controllers, and Runtime Security
- Preempting Threats to Connected Cars: The Importance of Cybersecurity in a Data-Driven Automotive Ecosystem
- Your Stolen Data for Sale