Online criminals are now launching most of their phishing attacks from domains secured by the HTTPS protocol—and they’re hijacking the sites they need to do it, according to the latest report from the Anti-Phishing Working Group, a security-industry organization that tracks the crime.
Some 77.6% of phishing sites in the second quarter featured the normally reassuring HTTPS prefix, up dramatically from about 55% a year ago, according to data from PhishLabs cited in the APWG report, released Sunday. Indeed, the second quarter represents the third period in a row that such attacks have accounted for better than 70% of all phishing assaults. The growth of the tactic has been so fast that as recently as three years ago the percentage stood at just over 10%. PhishLabs is a Charleston, S.C.-based cybersecurity firm.
In phishing attacks, Internet gangs use plausible-looking emails to direct victims to sites where they can harvest card credentials and other vital details that can be used for identity fraud or sold online. HTTPS is an encryption protocol that legitimate Web sites use to cloak data exchanged between a user’s browser and the Web site he or she is visiting. Consumers are often advised to look for the HTTPS prefix on Web addresses at sites offering e-commerce or those requiring passwords.
“Studying HTTP on phishing sites provides insight into how phishers are fooling Internet users by turning an Internet security feature against them,” notes the APWG report.
And criminals often come by this valuable tool by hijacking law-abiding sites, the report adds. “Phishers are hacking into legitimate Web sites and placing their phishing files on those compromised sites,” said John LaCour, founder and chief technology officer at PhishLabs, in a comment featured in the report. In some cases, fraudsters can get certificates from firms that issue them at no cost, the report adds.
All told, the number of phishing sites dropped 11% from the first quarter, when 165,772 were detected, to 146,994, the report says. The 16-year-old APWG includes financial institutions, online retailers, software companies, Internet service providers, and law-enforcement agencies among its more than 2,000 members.