Phishing scum going legit to beat browser warnings
Now that Chrome and Firefox call out HTTP, phisherpholk are getting certified
Browser-makers' decision to put big red warning lights in the faces of users when they hit sites too slack to use HTTPS is backfiring a little, as crooks are accelerating their use of encryption.
So says Netcraft, which has turned its web server probes onto phishing sites in the wake of Chrome 56 and Firefox 51 adding warnings about insecure sites that request passwords.
The firm's data shows that since the two browsers started to berate HTTP-only operations, phishing sites added an extra layer of credibility by adding HTTPS.
Proportion of phishing sites using HTTPS. Source: Netcraft.
Netcraft doesn't think the <20 per cent HTTPS adoption rate is a sign that there are plenty of clueless phisherpholk out there. Instead it feels that the phishing scum may be renewing their efforts to get their schemes running on compromised sites that already run HTTPS.
Either way, the firm worries that browser warnings may be having the unintended and unwelcome effect of making phishing more efficient, because using HTTPS gives phishing sites added credibility. ®