No‰狗眨看一下PhishLabs的數(shù)據(jù)統(tǒng)計和解釋晨继。
https://info.phishlabs.com/blog/49-percent-of-phishing-sites-now-use-https
Notice how quickly uptake of SSL certificates has risen — From less than three percent in 2016 to almost 50 percent by the end of Q3 this year. There are several reasons for the shift:
“In Q3 nearly half of all phishing sites, 49 percent, were using SSL, up from 35 percent the prior quarter,” said John LaCour, PhishLabs Founder and CTO. “PhishLabs believes that this can be attributed to both the continued use of SSL certificates by phishers who register their own domain names and create certificates for them, as well as a general increase in SSL due to the Google Chrome browser now displaying ‘Not Secure’ for websites that do not use SSL.”
The bottom line is that the presence or lack of SSL doesn’t tell you anything about a site’s legitimacy.
More specifically, this is not to say that Chrome’s use of Secure (padlock) or Not Secure isn’t inherently?wrong, but it is at best misleading. In most cases, users simply don’t understand what component of a site is considered secure, in this case, encrypted communication, and that leads to misconceptions about the site and its legitimacy.
17年的一個調(diào)查統(tǒng)計 (https://info.phishlabs.com/blog/quarter-phishing-attacks-hosted-https-domains)
Why are We Seeing an Increase in HTTPS Phish?
Now that we’ve covered the basics about how the phishing landscape is changing, let’s talk about why it’s happening.
There are two primary reasons we’re seeing an increase in HTTPS phishing attacks:
1) More HTTPS websites = more HTTPS phishing sites
The first reason is the most obvious. As more websites obtain SSL certificates, the number of potential HTTPS websites available for compromise increases. An SSL certificate only means that the data sent from the website to its destination is encrypted in transit. It does NOT mean that a website has been secured or any vulnerabilities on the site have been patched. Thus, attackers will be able to exploit vulnerabilities in HTTPS websites just as easily as they can compromise HTTP websites.
Essentially, because HTTPS websites are not any less vulnerable than non-HTTPS sites, when attackers scan for potential domains to compromise and host malicious content, they will simply be more likely to randomly identify an HTTPS to pwn as HTTPS adoption increases.
2) Phishers are taking advantage of unclear security messaging
While the presence of phishing content on insecure HTTPS websites is based on a natural shift in the adoption of security measures, a significant number of HTTPS phish are hosted on domains that are registered by the phishers themselves.
An analysis of Q3 HTTPS phishing attacks against two of the most phished brands?indicates that nearly three-quarters of HTTPS phishing sites targeting them were hosted on maliciously-registered domains rather than compromised websites, which is substantially higher than the overall global rate.?Based on data from 2016, slightly less than half of all phishing sites were hosted on domains registered by a threat actor.
In the context of this discussion, the use of infrastructure that is obtained by a threat actor for the explicit purpose of hosting phishing content is particularly important because it is a conscious?choice?made by an attacker. As we mentioned earlier, the use of maliciously-registered domains to host phishing content isn’t a rare occurrence, but because we’re talking about HTTPS phishing sites, this also means that a phisher has taken the additional step of obtaining a valid SSL certificate.
Although a vast majority of SSL certificates used in HTTPS phishing attacks are obtained for free from services like Let’s Encrypt or Comodo, their use is notable because, technically, they aren’t necessary to create the phishing site. Without an SSL certificate, the phishing page would still function as intended.
So why would a threat actor take an extra step to create an HTTPS page when it is not actually needed?
The answer is because phishers believe that the “HTTPS” designation makes a phishing site seem more legitimate to potential victims and, thus, more likely to lead to a successful outcome. And unfortunately, they’re right.
As we discussed in a?blog post in November, we conducted an informal poll to see how many people actually knew the meaning of the green padlock that is associated with HTTPS websites. More than 80% of the respondents believed the green lock indicated that a website was either legitimate and/or safe, neither of which is true.
Results of an informal poll about the meaning of the green lock in a browser URL bar.
Adding to the confusion, browsers like Google Chrome label websites with SSL certificates as “Secure” in the URL bar. Another word for secure: safe.
Example of an Amazon HTTPS phishing site labeled as “Secure” in Chrome.
The misunderstanding of the meaning of the HTTPS designation among the general public and the confusing labeling of HTTPS websites within browsers are the primary drivers of why they have quickly become a popular preference of phishers to host phishing sites.
Combined with the accelerated adoption of HTTPS among website owners globally, we can expect to see the number of HTTPS phishing sites to continue to grow rapidly.
再看看CenSys上面那些注冊的Paypal的phishing網(wǎng)站?https://censys.io/certificates?q=CN%3D%25paypal%25
