"In the third quarter of 2017, we noticed that almost a quarter of all phishing sites were hosted on HTTPS domains, which is almost double the percentage we saw in the second quarter."
"A year ago, less than 3% of phishers used websites that had SSL certificates. Two years ago, that number was less than one percent," said Crane Hassold, the PhishLabs administrator.
The reasons behind this change are several. Phishers often hack legitimate pages to host phishing attacks, and it makes sense that with the increase in legitimate HTTPS domains there would also be an increase in hacked HTTPS pages.
Today it is also much easier, faster and cheaper to obtain SSL certificates, so scammers are taking advantage of the situation to equip the phishing domains they use with HTTPS.
"Although the vast majority of SSL certificates used in HTTPS phishing attacks are obtained for free from services like Let's Encrypt or Comodo, their use is notable because, technically, they are not necessary to create phishing websites.
"Without an SSL certificate, the phishing page would still work as designed," Hassold says.
"So why do scammers bother creating an HTTPS page when they don't really need to? The answer is because phishers believe that the 'HTTPS' designation makes a phishing site look more legitimate to potential victims and therefore more likely to lead to a successful outcome. And unfortunately, they are right."
Many users do not know that the presence of HTTPS only means that the communication between the browser and the website is encrypted. They believe that seeing the green padlock and HTTPS before a domain name means that the website itself is secure (i.e. safe to use = legitimate).
The fact that browsers like Google Chrome show pages with SSL certificates as "Secure" in the URL bar does not help eliminate these attacks.
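The point made above, that a certificate only proves the browser is talking to whoever controls the hostname and says nothing about whether that hostname belongs to the brand being imitated, is easier to internalise with a small classifier that deliberately ignores the URL scheme and judges the registrable domain instead. The script below is an added example, not code from the article or from PhishLabs; the brand names, owned domains, sample URLs and the tiny public-suffix table are all constructed for the example (a real deployment would load the public suffix list or use a library such as tldextract, and would add typosquat and homoglyph matching, which this exact-substring check does not cover).

```python
"""
Added example: judge a URL by its registrable domain, never by "https".

The scheme is reported only so the reader can see that an HTTPS lookalike
and a plain-HTTP legitimate page get the verdict their domains deserve.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the public suffix list (real code would load
# https://publicsuffix.org/list/ instead of this hand-picked set).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed brand table: brand keyword -> registrable domains it really owns.
PROTECTED_BRANDS = {
    "examplebank": {"examplebank.com", "examplebank.co.uk"},
    "examplepay": {"examplepay.com"},
}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname.

    'login.examplebank.com.evil.net' -> 'evil.net'
    'examplebank.co.uk'              -> 'examplebank.co.uk'
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so 'co.uk' wins over 'uk'.
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[n - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def assess_url(url: str) -> dict:
    """Classify a URL; the verdict never depends on whether it is HTTPS."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # already lower-cased, port stripped
    reg_dom = registrable_domain(host)
    # Exact brand keyword anywhere in the hostname (not the path). Typosquats
    # such as 'examp1ebank' are out of scope for this example.
    brand_hits = [b for b in PROTECTED_BRANDS if b in host]
    if not brand_hits:
        verdict = "no-brand-reference"
    elif any(reg_dom in PROTECTED_BRANDS[b] for b in brand_hits):
        verdict = "legitimate-brand-domain"
    else:
        # Brand keyword sits in a subdomain or in a look-alike name, but the
        # registrable domain is not one the brand owns: a lookalike, whatever
        # the padlock says.
        verdict = "suspicious-lookalike"
    return {
        "url": url,
        "https": parts.scheme == "https",
        "host": host,
        "registrable_domain": reg_dom,
        "brands_referenced": brand_hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample URLs; none of these are real indicators.
    samples = [
        "https://login.examplebank.com.evil.net/secure",
        "http://www.examplebank.com/login",
        "https://examplebank-secure.net/",
        "https://www.example.org/",
    ]
    for u in samples:
        r = assess_url(u)
        print(f"https={r['https']!s:5} domain={r['registrable_domain']:28} {r['verdict']}")
```

The first sample is served over HTTPS and is the textbook lookalike (brand keyword in a subdomain of a domain the brand does not own); the second is plain HTTP on the brand's real domain and is judged legitimate. That inversion is the whole lesson: the padlock belongs to the hostname, and the hostname is what a filter, or a user, has to read.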