80% of phishing sites identified in 2020 were using SSL certificates. A lock in the address bar is not a sign that a site is safe

PhishLabs researchers, in collaboration with the Anti-Phishing Working Group (APWG), have begun tracking malicious sites on the Internet that are served over HTTPS (HTTP carried over TLS), the protocol that secures online communications by encrypting the data exchanged between the user's browser and the website.

APWG is an international effort in which large corporations, law enforcement agencies and security solution developers collaborate to strengthen the fight against phishing and other similar attack variants.

Using this protocol is especially important on e-commerce websites and wherever password-protected accounts are used. Threat actors, however, have turned it to their own advantage. TLS encrypts the connection and proves that the server controls the domain shown in the address bar, but it says nothing about whether the owner of that domain is honest; a valid certificate and a lock icon therefore trick users into believing they are visiting a safe site when they are actually on a phishing platform.

John LaCour, researcher and co-founder of PhishLabs, says in the report: “The number of phishing sites using security tools has increased considerably and will continue to do so; because most websites use TLS, threat actors are compromising legitimate websites to unwittingly host malicious content for victims.”

[Image: apwg01.jpg]
SOURCE: PhishLabs

According to the researcher, during the second quarter of 2020 77.6% of the phishing websites detected used a certificate, up from the previous quarter. Worse still, more than 35% of the certificates detected on malicious websites were issued by Let's Encrypt, the widely used free certificate authority, whose automated domain validation makes it trivial for anyone who controls a domain, attackers included, to obtain a certificate in minutes.

LaCour also notes that more than 90% of the certificates used in phishing attacks are domain-validated (DV) certificates, for which the CA checks only that the applicant controls the domain, and that 27 phishing sites with Extended Validation (EV) certificates were detected, which points to a much more serious scenario.

Obtaining an EV certificate requires the CA to verify the legal identity of the applicant, so a threat actor cannot simply request one for a throwaway domain. A phishing site carrying an EV certificate therefore almost always means that the attacker has compromised the web infrastructure of a legitimate company and is hosting the phishing page under that company's own domain and certificate, which requires a far more ambitious intrusion and does real damage to the victim organization as well as to the users who are phished.
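To see concretely what a DV certificate proves compared with an EV one, the following added example (not code from PhishLabs or APWG) classifies a certificate by its validation level using the dict that Python's standard-library `ssl.SSLSocket.getpeercert()` returns. The two sample certificates are constructed for illustration: the field names are the ones CPython's `ssl` module emits, but every value (the hostnames, the issuer `Example EV CA Inc`, the registration number) is invented. The `fetch_peer_cert` helper performs a live lookup and is only for interactive use.

```python
"""Classify a TLS certificate as DV / OV / EV from getpeercert() output.

Added example, not code from the article, PhishLabs or APWG. The sample
certificates below are constructed; the dict layout matches what CPython's
ssl.SSLSocket.getpeercert() returns, the values are invented.
"""
import socket
import ssl

# Subject attributes that only an EV certificate carries: the CA must verify
# the legal entity, its registration number and its jurisdiction before
# issuing. Formally EV is signalled by a certificatePolicies OID, which
# getpeercert() does not expose, so this subject-based check is a heuristic.
EV_ONLY_ATTRS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}


def _flatten(rdn_sequence):
    """Turn getpeercert()'s ((('key', 'value'),), ...) structure into a dict."""
    out = {}
    for rdn in rdn_sequence:
        for key, value in rdn:
            out[key] = value
    return out


def classify_validation(cert):
    """Return 'DV', 'OV' or 'EV' for a getpeercert() dict.

    DV: the CA checked only control of the domain; no organisation in subject.
    OV: the subject names a vetted organisation but lacks the EV-only fields.
    EV: the subject carries the legal-entity fields an EV audit requires.
    """
    subject = _flatten(cert.get("subject", ()))
    if "organizationName" not in subject:
        return "DV"
    if EV_ONLY_ATTRS.issubset(subject):
        return "EV"
    return "OV"


def issuer_org(cert):
    """Organisation name of the issuing CA (e.g. "Let's Encrypt")."""
    return _flatten(cert.get("issuer", ())).get("organizationName", "")


def covered_names(cert):
    """DNS names the certificate is valid for: SAN entries plus the CN."""
    names = {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    cn = _flatten(cert.get("subject", ())).get("commonName")
    if cn:
        names.add(cn)
    return sorted(names)


def summarize(cert):
    """One-line verdict stating what the lock icon actually proves."""
    level = classify_validation(cert)
    proves = {
        "DV": "control of the domain only; nothing about who operates it",
        "OV": "a vetted organisation name",
        "EV": "a vetted legal entity with registration details",
    }[level]
    return (f"{level} certificate from {issuer_org(cert)!r} "
            f"for {covered_names(cert)}; proves {proves}")


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Live lookup (needs network). Note: getpeercert() is populated only
    when the chain verified against the default trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample: a lookalike phishing domain with a free DV certificate.
LOOKALIKE_DV_CERT = {
    "subject": ((("commonName", "secure-login.example-bank.co"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "secure-login.example-bank.co"),
                       ("DNS", "www.secure-login.example-bank.co")),
}

# Constructed sample: the real bank's EV certificate (values invented).
EV_CERT = {
    "subject": ((("jurisdictionCountryName", "US"),),
                (("businessCategory", "Private Organization"),),
                (("serialNumber", "1234567"),),
                (("countryName", "US"),),
                (("organizationName", "Example Bank, N.A."),),
                (("commonName", "www.example-bank.com"),)),
    "issuer": ((("organizationName", "Example EV CA Inc"),),
               (("commonName", "Example EV TLS CA"),)),
    "subjectAltName": (("DNS", "www.example-bank.com"),
                       ("DNS", "example-bank.com")),
}

if __name__ == "__main__":
    for cert in (LOOKALIKE_DV_CERT, EV_CERT):
        print(summarize(cert))
```

Both sample certificates are "valid" and both produce a lock icon; the classifier shows that the first one proves only that whoever registered `secure-login.example-bank.co` controlled it, which is exactly the gap the phishing campaigns in the report exploit.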