Half of phishing sites fool users with green padlock symbols

Seeing a padlock no longer a guarantee of security


A padlock displayed in a browser bar is no longer a sign that a website is safe. According to reports, half of the known phishing sites display the symbol in a bid to fool victims.

A new report by PhishLabs (via Krebs on Security) found that 49% of phishing websites are using SSL, up from 35% during the last quarter and 25% a year ago.

While the padlock was never meant to portray a site as safe (it just means that data exchanged between browser and website is encrypted), many have assumed that it shows the site is somehow genuine. A survey carried out by PhishLabs last year found that over 80% of people thought that the padlock meant that a website was either legitimate and/or safe, neither of which is true.

"The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers," said Brian Krebs in a report on the finding.


John LaCour, chief technology officer at PhishLabs, told Krebs that the adoption of SSL by phishers is a good example of fraudsters taking their cue from legitimate sites.

"PhishLabs believes that this can be attributed to both the continued use of SSL certificates by phishers who register their own domain names and create certificates for them, as well as a general increase in SSL due to the Google Chrome browser now displaying 'Not secure' for web sites that do not use SSL," he said. "The bottom line is that the presence or lack of SSL doesn't tell you anything about a site's legitimacy."

Paul Bischoff, privacy advocate with Comparitech, told IT Pro that the study goes to show that there's no one way to identify a phishing website.

"Making sure the site has a valid SSL certificate indicated by HTTPS and a padlock in the URL bar is just one step. Users should also look for character replacement ("punycode"), subdomains, and other inconsistencies in a site's real URL and webpage. You can usually find the real site by Googling the company name, then check it against the suspected phishing URL. Other means of combating phishing usually deal with emails and other means of getting victims to the phishing site," he said.
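The hostname checks mentioned above (punycode look-alikes and a brand name placed in a subdomain) can be automated. The following is an added example, not code from the article, PhishLabs or Comparitech; the brand `examplebank`, its domain, the sample URLs and the `KNOWN_BRANDS` table are constructed assumptions, and the "last two labels" rule is a simplification of the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: brand keyword -> the domain the real site is known to use (constructed).
KNOWN_BRANDS = {"examplebank": "examplebank.com"}

def registrable_domain(host):
    # Simplification: last two labels. Real code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def check_url(url):
    """Return a list of (finding, detail) tuples for a URL's hostname."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    findings = []
    for label in host.split("."):
        if label.startswith("xn--"):  # IDNA A-label: Punycode-encoded Unicode
            try:
                decoded = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                findings.append(("punycode-invalid", label))
                continue
            # Name each non-ASCII character so a reviewer sees what was substituted.
            odd = sorted({unicodedata.name(c, "UNKNOWN") for c in decoded if ord(c) > 127})
            findings.append(("punycode", f"{label} -> {decoded} ({', '.join(odd)})"))
    reg = registrable_domain(host)
    for brand, real in KNOWN_BRANDS.items():
        # Brand name appears in the hostname, but the site is registered elsewhere.
        if brand in host and reg != real:
            findings.append(("brand-outside-real-domain",
                             f"'{brand}' in {host}, registered as {reg}"))
    return findings  # the scheme (HTTPS or not) is deliberately ignored

# Constructed samples; the look-alike label swaps Latin "a" for Cyrillic U+0430.
LOOKALIKE = "xn--" + "exampleb\u0430nk".encode("punycode").decode("ascii")
SAMPLES = [
    "https://www.examplebank.com/login",
    "https://examplebank.com.secure-login.example/login",
    f"https://{LOOKALIKE}.com/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, check_url(u) or "no findings")
```

All three sample URLs use HTTPS and would show a padlock; only the hostname analysis separates them.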
