
Phishing sites are increasingly using HTTPS


peteyt

  • Most Valued Members

One piece of security advice I see a lot is to make sure the sites you are using are using HTTPS rather than just HTTP and that the green padlock is visible. Google Chrome now even states if a website's connection is secure.

While Google and others have good intentions, as usual it seems many people are relying on these things now. In my experience people like to rely on stuff - they don't tend to like putting security in their own hands and rely on others to protect them. People are taking the green padlock, for example, to mean the website they are on is legitimate. The padlock basically means the traffic between the server and the user's browser is encrypted and protected against interception, rather than the site being generally secure, and even then, nothing is ever 100 percent safe, with bugs and backdoors often found in systems.

According to research, 24 percent of the time, phishers are now using HTTPS, which is a massive increase when compared to the less than 3 percent this time last year and one percent two years ago. Sometimes this is done by simply taking over an already established site, but often phishers are creating their own sites. Research also shows in targeted attacks pretending to be from both Apple and PayPal, 75 percent were using HTTPS.

Again, I wish people would stop relying on other people, services etc. I trust ESET, but it is just a program, and so could make mistakes. That is why I have my own practices e.g. stick to known trustworthy sites, avoid emails from unknown senders etc. It's obvious to see that the number of phishers using HTTPS is going to continue to rise. It wouldn't surprise me if something else comes along to combat this that will in turn be abused by the same phishers.

https://www.wired.com/story/phishing-schemes-use-encrypted-sites-to-seem-legit/


  • Most Valued Members

HTTPS was never created to discover or report fake sites, it's merely to encrypt the data between your browser and the site you are visiting to stop it being intercepted by a "man in the middle". What you are saying does have some validity though, as some guides online have portrayed if you are entering (bank details/PayPal/credit card details) to make sure the site is using HTTPS. Although this is good practice to follow, it has never "meant" that the site is legitimate as some guides fail to point out.

 

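The distinction drawn in the two posts above (the padlock only says the connection is encrypted, not whose site it is), as an added example that is not part of the original thread. The brand allowlist, the function names and the sample URLs are assumptions constructed for illustration; the samples use reserved `.example` names.

```python
from urllib.parse import urlsplit

# Assumption: domains each brand really serves logins from (constructed allowlist).
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "apple": {"apple.com", "icloud.com"},
}


def is_https(url):
    """The 'padlock' check: only says the transport is encrypted."""
    return urlsplit(url).scheme.lower() == "https"


def belongs_to(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def assess(url):
    """Classify a URL by whose hostname it really is, then by transport."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    transport = "encrypted" if is_https(url) else "NOT encrypted"
    for brand, domains in BRAND_DOMAINS.items():
        if belongs_to(host, domains):
            return f"{brand}: genuine host, {transport}"
    # Crude substring heuristic: the brand name appears in a host the brand
    # does not own. It can misfire on unrelated words containing the name.
    for brand in BRAND_DOMAINS:
        if brand in host:
            return f"{brand}: name used by unrelated host, {transport}"
    return f"no known brand, {transport}"


# Constructed sample URLs (reserved .example names, not real sites).
SAMPLES = [
    "https://www.paypal.com/signin",
    "https://paypal.com.signin.example/login",
    "https://apple-id-support.example/verify",
    "http://www.apple.com/",
    "https://forum.example/topic/1",
]

if __name__ == "__main__":
    for u in SAMPLES:
        padlock = "padlock" if is_https(u) else "no padlock"
        print(f"{padlock:10}  {assess(u):45}  {u}")
```

Four of the five samples show a padlock, yet only one of those four is a genuine brand host; the hostname check, not the scheme, is what separates them.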

  • Most Valued Members
2 hours ago, cyberhash said:

HTTPS was never created to discover or report fake sites, it's merely to encrypt the data between your browser and the site you are visiting to stop it being intercepted by a "man in the middle". What you are saying does have some validity though, as some guides online have portrayed if you are entering (bank details/PayPal/credit card details) to make sure the site is using HTTPS. Although this is good practice to follow, it has never "meant" that the site is legitimate as some guides fail to point out.

 

No, I think too many are relying on it and just presume it means the site is safe.


  • Most Valued Members

One look at phishtank[dot]com and you'll notice the amount of Phishing sites using HTTPS.

This brings into the discussion of allowing Security products to use SSL/HTTPS... and why although there are some saying it should not be intercepted, at the same time there is a shift to using HTTPS as a standard. Let's Encrypt and Cloudflare with their free SSLs I think brought a huge jump and ease.

Security products should provide the option for SSL/HTTPS interception, and let users turn it off for those who don't use it, otherwise, it's now becoming more of a necessity.

If ESET could bring SSL/HTTPS to their Mac products, that would be pretty useful now. ;)


  • Most Valued Members
3 hours ago, planet said:

One look at phishtank[dot]com and you'll notice the amount of Phishing sites using HTTPS.

This brings into the discussion of allowing Security products to use SSL/HTTPS... and why although there are some saying it should not be intercepted, at the same time there is a shift to using HTTPS as a standard. Let's Encrypt and Cloudflare with their free SSLs I think brought a huge jump and ease.

Security products should provide the option for SSL/HTTPS interception, and let users turn it off for those who don't use it, otherwise, it's now becoming more of a necessity.

If ESET could bring SSL/HTTPS to their Mac products, that would be pretty useful now. ;)

I was surprised when I heard they didn't have that feature in the Mac product. I thought it might be due to Apple as they sometimes cause issues but some other products do apparently offer this feature. A bit off topic, but apparently all ESET products will include network protection sometime in I presume 2018, not just firewall products e.g. NOD32 will have this feature.


  • Most Valued Members
10 hours ago, peteyt said:

I was surprised when I heard they didn't have that feature in the Mac product. I thought it might be due to Apple as they sometimes cause issues but some other products do apparently offer this feature. A bit off topic, but apparently all ESET products will include network protection sometime in I presume 2018, not just firewall products e.g. NOD32 will have this feature.

I actually think ESET is the only product now that doesn't do SSL/HTTPS -- from my experience Avast, Norton, Trend Micro, Kaspersky, Bitdefender, McAfee, Sophos, Avira and Adguard all do. Regarding network protection, that would be great to see.


51 minutes ago, planet said:

I actually think ESET is the only product now that doesn't do SSL/HTTPS -- from my experience Avast, Norton, Trend Micro, Kaspersky, Bitdefender, McAfee, Sophos, Avira and Adguard all do. Regarding network protection, that would be great to see.

Eset monitors SSL/TLS connections by default on Windows OS vers.. As far as those other vendors, don't know if they even have Mac OS vers..


  • Most Valued Members
On 20/12/2017 at 11:14 AM, itman said:

Eset monitors SSL/TLS connections by default on Windows OS vers.. As far as those other vendors, don't know if they even have Mac OS vers..

I should have been clearer — I was talking about the macOS versions. These vendors are the ones I have tried or used on macOS.

So ESET is the only vendor so far that doesn't monitor SSL/TLS on macOS.

Edit: Looks like it is now slowly being done!
"Added: Partial support of HTTPS protocol in Web Access Protection and Web Control Protection (e.g., HTTPS blocking but no SSL scanning)"

Edited by planet
Added new info