Bianca Freedman

By Bianca Freedman | Articles |  Blog |  News |  

Don’t you feel a lot more secure knowing that the padlock icon is present on the website you’re browsing at the moment? You might think that way for now but cybercriminals will always find a way to get around these things.

 In fact, phishers have successfully adopted the HTTPS protocol within their campaigns which continues to grow in popularity, allowing them to deceive users into believing the malicious links or emails they send come from legitimate entities. This is where URL-based HTTPS phishing comes in.


What is URL-based HTTPS Phishing?


When talking about HTTPS phishing, we mean landing pages or websites that a person normally visits. Many people can get confused with phishing because it is often thought to just plague email, but in reality, the email is just the first stage. Most of the time the perpetrator would ask you to download an attachment or even lead you to a malicious website.

 The challenge for phishers is that standard phishing can be counteracted by educating users. Numerous studies prove that phishing simulations done over time and on frequent intervals show marked improvement in identifying these problems. And one of the main rules during such simulations is to not fall for suspicious links or attachments.

 With that being the case, the cybercriminals of today started to evolve.

 The popular cybersecurity firm, FireEye, mentions a couple of new variants for URL-based attacks. The idea here is to still send an email without any content except for a link in its body. Now this may seem really easy to ignore but a 26% increase in its usage has been observed by FireEye in the initial months of 2019 alone – proof that it may be effective.

 For those who are diligent enough, you can go ahead and have the address verified or examine the email header. The problem here is that not many users do these things. It’s therefore easy to see why anyone would fall for this tactic.

 With the first variant being an email without any content except for a link to click on, the second variant doesn’t have a link at all. It’s just the same content-less email without a clickable URL which makes it more difficult for filters to detect as there’s no active link available. In this case, the link only becomes active once the target inputs this on their browser.

 Most of these emails are sent without having the HTTPS component present, yet it doesn’t require perpetrators to have SSL certification. Yet being able to add that HTTPS at the start of a URL adds a whole new level of false trust that can push some people to do what the phisher is asking.

 In the end, the true defence for these situations is simply to educate oneself.


A Growing Number of Phishing Websites Now Use HTTPS


HTTPS phishing techniques have slowly expanded itself in the past few years but in recent reports, 1.4 million new phishing sites are being made each month. This number is expected to continue growing in the years to come. Even more alarming is that HTTPS phishing sites have grown to 49% as of 2018 up from 25% in 2017.

 That is a huge increase. We can’t say that HTTPS phishing will still be a problem because it already is at present. And there are also no signs proving that it will abate any time soon especially with the industry-wide push towards having HTTPS as a standard.


How Did We Get Here?


Today, most websites use the HTTPS protocol which was a big change compared to several years ago when it was only being used for sites that allowed password login. What escalated the use of SSL/TLS certificates along with HTTPS was the insistence of Google in 2015 that this would positively impact search engine algorithms.

 All of a sudden websites that didn’t have HTTPS started seeing negative effects due to this. By 2018, Google Chrome along with many popular browsers like Firefox and Edge started marking sites that did not have HTTPS as “not secure”. Websites and users took to the approach and so HTTPS was seen as a good thing while the lack of it as simply a bad experience.

 Cybercriminals got the idea too which shows how the rise of phishing websites with HTTPS in their domains increased at around the year 2017. And the most worrisome thought now is that these attackers may start moving towards abusing domains that are validated with legitimate certificates.


Many Users Don’t Know What HTTPS Does


It can be surprising to know how little people know about what they do and what’s happening online. In times past, Internet users had to be literate in using computers since the Internet can only be accessed through these devices before. Yet now, nearly anyone who has a smartphone with Internet connectivity can go online, effectively removing the knowledge barrier for entry.

 And compared to smartphones, the traditional desktop browsers at least made some effort to teach users how to use them. This is no longer the case today. Individuals are usually left to do what they want and figure things out along the way. There are numerous visual indicators when browsing nowadays that should serve as a sort of guide to let users know what’s happening when they surf the Web.

 This isn’t the case unfortunately. Symbols such as the padlock icon which is synonymous with HTTPS have not accomplished what they are meant to do. We can start with the fact that these padlocks essentially means that the connection you make with the server hosting the site or app is encrypted and secure. Any data that is exchanged between the two parties are safe from external attackers that might try to intercept the said connection.

 Yet without a type of authentication for an organization, there is simply no guarantee on the reputation of the party on the opposite end. You see, hackers can use HTTPS as well so although the padlock may mean that the connection is secure, there are no guarantees as to what the host will do with the data you send to them.

 It’s important to keep in mind that HTTPS is still very much a positive aspect that websites need to have to ward off prying eyes. The point here is that having its presence associated with encrypted connections doesn’t automatically mean that the site owners themselves are to be trusted.

So How Can I Beat These Phishers?


Besides not simply trusting domains with HTTPS, it is recommended by experts that you check for any misspellings in the domain names themselves. It’s also crucial that you remain wary of links that come via email while also safeguarding their credentials by activating multi-factor authentications whenever possible.

 Having a password manager is also a good idea as these apps often validate domains prior to auto-filling them with your credentials. If your software does not automatically provide the login information, this could be a giveaway that something is not right about the said website.

Digital Marketing Predictions for 2021

2020 has been a year like no other with current events shaping digital marketing trends at an unprecedented level. As COVID flooded the world, the pace of digital transformation exploded to uncharted levels by urgent and dominating ways. If you're still reeling from...

read more
[Guide] Google Product Ad Listing Campaigns

[Guide] Google Product Ad Listing Campaigns

Google Shopping Advantages   Ever since Google Shopping Ads were introduced in 2010, it has steadily turned into an essential aspect of successful e-commerce marketing. The ads have proven time and time again that they can be more effective compared to...

read more

We Built This Site, Like It?

Get Your Free Marketing Audit

Uncover your goals
Receive a strategic growth plan
Access our advanced research team
No cost, no obligation