
Phishing scum going legit to beat browser warnings

Now that Chrome and Firefox call out HTTP, phisherpholk are getting certified


Browser-makers' decision to put big red warning lights in the faces of users when they hit sites too slack to use HTTPS is backfiring a little, as crooks are accelerating their use of encryption.

So says Netcraft, which has turned its web server probes onto phishing sites in the wake of Chrome 56 and Firefox 51 adding warnings about insecure sites that request passwords.

The firm's data shows that since the two browsers started to berate HTTP-only operations, phishing sites have added an extra layer of credibility by adopting HTTPS.

Proportion of phishing sites using HTTPS. Source: Netcraft.

Netcraft doesn't think the <20 per cent HTTPS adoption rate is a sign that there are plenty of clueless phisherpholk out there. Instead it feels that the phishing scum may be renewing their efforts to get their schemes running on compromised sites that already run HTTPS.

Either way, the firm worries that browser warnings may be having the unintended and unwelcome effect of making phishing more efficient, because using HTTPS gives phishing sites added credibility. ®
