Over the past five years, the Internet has seen the mass migration of websites from HyperText Transfer Protocol (HTTP) to its extension, HTTP Secure (HTTPS). HTTPS is a communication protocol that encrypts the data exchanged between sites and user agents. The trend also caught on among cybercriminals, as attacks using encrypted phishing sites are steadily on the rise.

A new report revealed that 68% or over two-thirds of phishing websites now employ Secure Sockets Layer (SSL), up from last year’s rate of 49%. Phishers use the same modus operandi, such as setting up a lookalike website to masquerade as the real thing. The only difference now is they’re choosing to employ HTTPS to lend their sites more legitimacy.

How Do Phishing Sites Using HTTPS Look Like?

Just like legitimate websites, HTTPS-protected phishing sites—those that display a padlock icon beside the web address—render the same way on most browsers. Google Chrome may flag some of them, with the browser showing a red warning screen. Chrome is often successful at flagging deceptive sites, even encrypted ones, as it maintains its blacklist service.

In terms of spoofed brands, the most popular targets are those that can potentially yield the highest rewards for attackers. Phishing campaigns are often directed at websites offering memberships, software-as-a-service (SaaS) products, and financial services. PayPal, for one, topped a list of phishers’ favorites in the third quarter of 2019.

Techniques are also unchanged. Phishing emails still mostly encourage victims to click a link. The said link often redirects them to a copycat landing page where they are supposed to pay for, say, a missed bill or penalty that was entirely fabricated by the perpetrators.

In fact, a phishing campaign employing the exact technique was found targeting over 700,000 PayPal customers in Europe. Attackers used new generic top-level domains (gTLDs) and country-code TLDs (ccTLDs), such as .info, .cx, and .ae, for their phishing pages.

It seems that the age-old way of initially identifying phishing sites, that is, the lack of a padlock icon beside the URL or the use of HTTP instead of HTTPS isn’t foolproof anymore. A more technical means such as using domain monitoring and research tools such as Domain Reputation API may be needed.

Performing Website Due Diligence with Domain Reputation API and Other Domain Tools

With their target website’s replicas, fraudsters can fool thousands of non-tech-savvy customers. However, users can block phishing campaigns at the network level by employing threat intelligence tools and intrusion prevention systems (IPSs).

Network and website administrators, for instance, can use a browser-enabled blacklist to block phishing sites from being accessed by their users. When cybercriminals use HTTPS for their sites, one way to spot a legitimate from a fraudulent site is by scrutinizing its SSL certificate.

Let’s take the case of PayPal. Its real domain is paypal.com but we found a fake version of the domain used in phishing campaigns—https://PaypaI.user-security-ref086[.]com. We ran it on Domain Reputation API and got this result:

Note that the suspicious site has a recently obtained SSL certificate, which shouldn’t be the case with PayPal as it’s an established brand. The site also has a low reputation score, which could point to involvement in malicious activity.

Website administrators can integrate Domain Reputation API into solutions and configure it to screen payment portals (even those that use HTTPS) for invalid or suspicious SSL certificates and malware before allowing access to them.

Let’s take a look at PayPal’s WHOIS information this time. We used WHOIS Search to retrieve it:

As shown, the real PayPal domain was created in 1999, a year after its founding date. Its WHOIS records also present all registrant contact details. The fake domain, on the other hand, revealed little information about their owners when we checked (most info was redacted).

What do the results tell us? Established companies always have publicly available WHOIS records. Illegal operators, on the other hand, are likely to hide their details from the public. Malicious URLs also have several security-related issues and misconfigurations that domain tools are likely to detect.

Based on these findings, administrators can implement the necessary countermeasures to stave off attacks, notably by adding the sites to their blacklist.

PayPal, for its part, can contact the fraudulent sites’ registrars to request a takedown. It can also file Uniform Domain Name Dispute Resolution (UDRP) cases against their owners. And to protect its customers from fraud, it can keep tabs on such websites by adding them to Brand Monitor. As purchasing all similar-sounding domains is expensive, keeping track of who owns them and their activities and warning users against them can be a less costly alternative.

* * *

Keeping one’s accounts secure starts with excellent online security hygiene. As criminals are abusing security protocols now more than ever, it’s wise to perform a background check on a website before transacting with them. Domain Reputation API, WHOIS Search, and Brand Monitor can help companies fend off phishing campaigns to ensure that their web properties and customers are safe.