Malicious Use of HTTPS Increased Dramatically
One particularly concerning trend is the surge in phishing sites using HTTPS encryption, which can make them appear more legitimate to unsuspecting end users. According to the report, as of Q3 2018, nearly 50% of phishing sites used encryption. This represents a 40% increase over the previous quarter alone, and a nearly 900% increase since the end of 2016.
The problem this trend poses is that many people wrongly assume that a site with HTTPS encryption is safe to use. HTTPS does indicate that the connection to the site is secure, in the sense that any data exchanged with it is encrypted in transit, but it says nothing about who operates the site or whether it is safe. Attackers are taking advantage of this confusion and using it to fool victims.
As the APWG warned in its Q2 2018 report, “The general public’s misunderstanding of the meaning of the HTTPS designation and the confusing labeling of HTTPS websites within browsers are the primary drivers of why they have quickly become a popular preference of phishers to host phishing sites.” As an example of this confusion, some web browsers display a small padlock icon next to an encrypted URL, which users can easily misinterpret as an indication of safety.
The report also suggests that this HTTPS phishing trend is driven in part by legitimate websites, which are increasingly migrating to HTTPS infrastructure and thus creating more opportunities for attackers to compromise encrypted sites.
Effective security awareness training can help users better understand the role of HTTPS and how to practice safer web browsing, and dispel myths and confusion around cybersecurity.
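As an added illustration of the point above (this code is not from the APWG report or from Proofpoint), the snippet below triages links in an email the way a defender should: it records whether a link is HTTPS, which is all the padlock reflects, and separately whether the host belongs to a hypothetical allowlist of expected domains, which is what actually decides trust. The allowlist and the sample email body are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allowlist: the domains an organisation actually expects its
# users to log in to. In practice this comes from your own asset inventory.
TRUSTED_DOMAINS = ("example-bank.com", "example-bank.co.uk")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return (encrypted, host, trusted) for a link found in an email.

    'encrypted' only reports that the scheme is https, which is what the
    browser padlock reflects. 'trusted' reports whether the host is one we
    actually expect, which is the question that decides whether it is safe.
    """
    parts = urlsplit(url.strip())
    encrypted = parts.scheme.lower() == "https"
    # .hostname discards userinfo ("bank.com@evil.example"), port and brackets
    host = parts.hostname or ""
    try:
        # Normalise internationalised names so look-alike scripts become xn--
        host = host.encode("idna").decode("ascii").lower().rstrip(".")
    except UnicodeError:
        return encrypted, host, False
    trusted_host = any(host == d or host.endswith("." + d) for d in trusted)
    return encrypted, host, trusted_host


def suspicious_links(text, trusted=TRUSTED_DOMAINS):
    """Hosts of links that are encrypted yet not on a trusted domain."""
    hits = []
    for url in URL_RE.findall(text):
        encrypted, host, ok = classify_link(url, trusted)
        if encrypted and not ok:
            hits.append(host)
    return hits


# Constructed sample email body, not a real lure.
SAMPLE_EMAIL = """Your account is locked. Restore access here:
https://example-bank.com.secure-verify.example/restore
Official site: https://www.example-bank.com/
Or use https://example-bank.com@secure-verify.example/restore"""

if __name__ == "__main__":
    for host in suspicious_links(SAMPLE_EMAIL):
        print("encrypted but untrusted:", host)
```

Both lure links in the sample are HTTPS and would show a padlock, yet neither host is the bank's domain; the check ignores the scheme entirely when deciding trust.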
Arming End Users Against Evolving Attacks
Since the phishing threat is constantly evolving, users need to be alerted to current attacks, in addition to being firmly grounded in cybersecurity best practices. To meet this need, we launched our Attack Spotlight series in mid-2018; it provides free, timely, actionable content you can use to arm your end users against emerging threats.
Each installment in the series includes a two-minute awareness mini-module and a downloadable PDF that feature an example of an actual phishing email seen in the wild, explaining the current threat in non-technical terms. Attack Spotlight is more timely and relevant than other services that list lures or traps, since the phishing email examples are drawn from Proofpoint’s world-class threat intelligence, which analyzes billions of emails each day to classify malicious content and identify lures being distributed at critical mass.
Visit the APWG website to obtain a copy of the Q3 2018 Phishing Activity Trends Report, as well as archived issues going back to 2004.