The Rise of HTTPS Phishing

HTTPS phishing exploits our trust in secure HTTPS domains. Read on to see how you can avoid this sneaky form of phishing.

18-09-2023 - 7 minute read. Posted in: phishing.


Understanding HTTPS phishing attacks

Cybersecurity is more important than ever, now that online communication and transactions are the norm. Phishing attempts have been one of the major issues for people and businesses ever since online communication arose with e-mail.

In comparison to other types of phishing, HTTPS phishing has become a particularly serious menace to people and organizations.

This article tries to go further into the subject of HTTPS phishing, examining what it is, how it operates, and most importantly, how to protect yourself from becoming a victim of this sneaky cybercrime.

What is a phishing attack?

Definition of phishing

Phishing is a type of cyber attack that involves tricking individuals into providing sensitive information online, such as login credentials, personal details, or financial information. These attacks are designed to exploit the trust that people place in online communications and transactions. Phishing attacks can be launched through various means, including email, social media, and malicious websites. The goal is to deceive victims into revealing their sensitive data, which can then be used for malicious purposes.

Types of phishing attacks

There are several types of phishing attacks, each with its own unique characteristics and tactics. Email phishing is the most common, where attackers send emails that appear to be from legitimate sources. Spear phishing is a more targeted approach, where attackers customize their messages to a specific individual or organization. Voice phishing, or “vishing,” involves phone calls where attackers impersonate trusted entities to extract information. Search engine phishing involves creating fake websites that appear in search results, tricking users into entering their sensitive information. Despite their differences, all these attacks share the common goal of tricking victims into revealing sensitive information.

Phishing attack statistics

According to the Anti-Phishing Working Group (APWG), phishing attacks are on the rise, with the total number of phishing sites increasing by 22% in the first half of 2021. Additionally, 83% of phishing sites had SSL encryption enabled in the first quarter of 2021, making it more difficult for victims to identify malicious links. These statistics highlight the growing sophistication of phishing attacks and the importance of staying vigilant to protect against them.

What is a phishing attack

Phishing attacks are a sort of cybercrime in which criminals pose as trustworthy organizations and senders in order to trick people into giving sensitive information to the cybercriminals. Phishing attacks often involve social engineering attacks, where criminals manipulate individuals into revealing sensitive information.

The criminals are often on the hunt for

  • Usernames
  • Passwords
  • Credit card numbers
  • Personal information

These attacks frequently take the guise of innocent-looking e-mails, texts, or websites that trick users into clicking on malicious links or downloading harmful content.

The evolution of HTTPS

The secure version of the HTTP protocol, known as Hypertext Transfer Protocol Secure (HTTPS), is used to send data from your browser to the website you're connected to. Sensitive information stays private and is difficult for hackers to access thanks to HTTPS, which encrypts the data that is transmitted.

It's the simple “S” that tells users the connection to the website they're browsing is encrypted, which many take to mean that the website is in fact safe to use.

Phishers exploiting HTTPS

Although HTTPS is a significant improvement for online security, it has also given cybercriminals a new vulnerability to exploit. The misleading practice of HTTPS phishing, commonly referred to as “secure phishing” or “SSL phishing,” involves fraudsters building fake websites with HTTPS encryption to look genuine and reliable.

Victims are more willing to share sensitive data when they are on an HTTPS website, so the hacker has created a false sense of security.

HTTPS phishing works on the same idea as typosquatting: it is an attack where the hacker exploits a user’s belief in what they are accessing.

How HTTPS spear phishing works

HTTPS phishing attacks typically follow a set of steps:

Making a Fake Website: Hackers make a fake website that seems remarkably similar to a real one. They frequently copy the target site’s layout, language, and even URL structure.

Getting SSL/TLS certificates: Hackers buy Secure Sockets Layer (SSL) and Transport Layer Security (TLS) certificates for their fake websites. These certificates are needed for HTTPS encryption and are issued by Certificate Authorities (CAs). To obtain certificates, hackers can use false information or exploit weaknesses in the CA system.

Getting people on the hook: The hackers’ methods for luring victims onto the fake website include sending convincing emails or messages. These messages frequently convey a sense of urgency, tempting victims to act right away. In other words, hackers use social engineering to appeal to people’s emotions. These phishing emails can often bypass spam filters, making it easier for them to reach their targets undetected.

The user’s role: Users are asked for private information, such as login credentials, credit card information, or personal information, as soon as they visit the fake website. To further reassure users of the site’s legitimacy, the address bar may even show a lock icon next to the URL - this is another general safety check that legitimate websites also use. This helps the hacker, since people oftentimes believe the website is genuine with this icon.

Data gathering: The hackers collect the data that the victims submit. Then, this data is exploited illegally for a variety of crimes like identity theft, money laundering, or unauthorized account access.

Types of phishing scams

Email phishing

Email phishing is one of the most common types of phishing attacks. It involves sending an email that appears to be from a legitimate source, such as a bank or online retailer, but is actually a phishing attempt. The email may contain a malicious link or attachment that, when clicked or opened, can install malicious code on the victim’s device or steal sensitive information. Phishing emails can be designed to look identical to actual security notices from companies, making them difficult to detect. These emails often use social engineering tactics to create a sense of urgency, prompting the recipient to act quickly without verifying the authenticity of the message.

It might seem like a lost cause avoiding HTTPS phishing, but there are still a few things you can do to avoid becoming the next victim of this devious phishing:

  • Stay updated on phishing techniques and common warning signs. When emails or messages include links, use caution, especially if the sender requests any type of private information.

  • Check the website's URL carefully before providing any sensitive information. Look for spelling errors, extra characters, or domain variants that can point to a fraudulent website.

  • Check if the website is SSL certified. To view the SSL certificate details, click the padlock icon in the address bar. Make sure the name of the website appears in the certificate's data.

  • Choose a browser that updates its security features frequently and provides good phishing protection.

  • Use security tools or browser add-ons that can identify and block well-known phishing websites.

  • Turn on MFA whenever you can to increase the security of your online accounts.

  • Be cautious of unsolicited e-mails, especially those that request that you click on links or provide personal data. Before you do anything, make sure the sender is who they say they are.
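
The URL and certificate checks from the list above can be expressed as a small triage function. This is an added example, not part of the original article: the trusted domains and sample URLs are constructed, and the registered domain is approximated as the last two labels of the hostname rather than looked up in the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the sites the user actually does business with.
TRUSTED = ("bank.example", "shop.example")

def edit_distance(a, b):
    """Levenshtein distance (single-character insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def cert_covers(host, dns_names):
    """True if the certificate's DNS names cover host; '*' matches one label."""
    for name in (n.lower() for n in dns_names):
        if name == host:
            return True
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False

def assess(url, cert_dns_names):
    """Classify a link using only its URL and the names in its certificate."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not cert_covers(host, cert_dns_names):
        return "no valid HTTPS"          # no padlock at all
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    # From here on the padlock is shown, yet the site is not one we trust.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike: punycode label"
    registered = ".".join(host.split(".")[-2:])  # assumption: two-label domains
    for t in TRUSTED:
        brand = t.split(".")[0]
        if brand in host:
            return f"lookalike: contains '{brand}'"
        if edit_distance(registered, t) <= 2:
            return f"lookalike: near {t}"
    return "unknown"

# Constructed samples: each one presents a certificate valid for its own host.
SAMPLES = [
    "https://www.bank.example/login",
    "https://bamk.example/login",
    "https://bank.example.login-check.test/",
]
if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", assess(url, [urlsplit(url).hostname]))
```

The second and third samples pass the certificate check and would show a padlock, yet neither belongs to a trusted domain, which is why the hostname comparison matters more than the lock icon.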

Staying vigilant in the digital world

HTTPS phishing represents a sophisticated and dangerous evolution of conventional phishing attacks. By taking advantage of the trust and security that HTTPS encryption offers, cybercriminals can trick even the most cautious users.

It's important to stay vigilant, keep yourself informed about these threats, and use accessible tools and tactics to protect your online presence.

Technology is constantly evolving, and so are hackers' strategies. You can securely navigate through the digital landscape once you're aware of its dangers - by being proactive and vigilant you're well on your way.

This post has been updated on 17-01-2025 by Sarah Krarup.

Author Sarah Krarup


Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.
