You may have heard that you should look for the padlock symbol at the top of a website before entering your password or credit card information into an online form. It's a well-meaning tip, but new data shows that it's not enough to protect your sensitive information.
But then the fraudsters got savvy and started adding the padlock, which is green in most browsers, to their websites too. This means that a padlock does not guarantee that a website is trustworthy.
According to data from the cybersecurity firm PhishLabs, first reported by security journalist Brian Krebs, almost half of fraudulent pages now display a padlock – the symbol meant to indicate that a site is secure – next to their URL. Fraudsters take advantage of the fact that many people rely on the padlock symbol to decide whether or not to trust a website, according to an October report from an anti-phishing task force.
"Phishers take advantage of unclear security messages" around the symbol, said the report's authors.
The upshot is that there is no single trick that protects you from the dark side of the Internet. You must be more careful than ever to avoid scam artists, and check more than one sign of a website's legitimacy.
This means making sure that the website's URL is correct and, wherever possible, typing the URL into the browser yourself instead of following a link in an email. Tools such as password managers and security software can also help: to keep you from being caught by a very convincing fraudulent website, they will warn you when a URL does not match the legitimate site, or block you from opening a fraudulent website altogether.
"Awareness is really key," said Adam Kujawa, director of the research division of the Malwarebytes cybersecurity company. "It's up to the user to say, is this really legitimate?"
What does the padlock really mean?
The padlock has always been an imperfect symbol. It is there to tell you something specific, and quite technical, that is hard to convey with a simple picture.
The lock is supposed to tell you that the website sends and receives information from your web browser over an encrypted connection. That's all. You can tell that a website uses an encrypted connection because its address starts with https rather than http. Nowadays, websites use an encryption standard called TLS. With a secure connection, no one in between can read your web traffic as it passes through the vast global Internet infrastructure.
This is why an encrypted connection is a good thing: it can scramble confidential information such as passwords and credit card numbers, so that only the website intended to receive it can read them. It's really important for things like online shopping or connecting to your bank's website.
This is also why it remains true that you should never enter your information if a website does not have a secure connection.
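The distinction the last few paragraphs draw, between the padlock (which only says the connection is encrypted) and the domain check a password manager performs (which says whether this is a site you actually have an account with), as an added example; this is not code from the article or from any product it mentions, and the site list and URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed stand-in for a password manager's list of sites the user has
# accounts with. These are placeholder domains, not real sites.
KNOWN_SITES = {"bank.example", "shop.example"}


def padlock_check(url: str) -> bool:
    """All the padlock tells you: the page was loaded over https (an encrypted link)."""
    return urlsplit(url).scheme.lower() == "https"


def host_matches(host: str, registered: str) -> bool:
    """True when host is `registered` itself or a subdomain of it, on a dot boundary.

    A naive substring test would wrongly accept bank.example.evil.test; matching on
    the dot boundary rejects that lookalike.
    """
    host = host.lower().rstrip(".")
    return host == registered or host.endswith("." + registered)


def site_check(url: str) -> bool:
    """What a password manager does: is this a site we know, padlock or not?

    urlsplit().hostname strips user@ prefixes, ports and paths, so a URL like
    https://bank.example@evil.test/ or https://evil.test/bank.example resolves
    to the real host, evil.test.
    """
    host = urlsplit(url).hostname or ""
    return any(host_matches(host, site) for site in KNOWN_SITES)


def assess(url: str) -> str:
    """Combine both signals the article says you must check, not just the padlock."""
    encrypted = padlock_check(url)
    known = site_check(url)
    if known and encrypted:
        return "known site over https: ok"
    if known:
        return "known site but no encryption: do not enter data"
    if encrypted:
        return "padlock present but unknown site: treat as possible phishing"
    return "unknown site and no encryption: do not enter data"
```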
But many people do not know that the lock means something so specific, said John LaCour, chief technology officer at PhishLabs. "We have been using the lock in the 'safe' sense," he said.
Criminals can also use security features
Scammers who want to entice you to enter sensitive information can also put a green lock on their websites, and they do it more and more. When PhishLabs started collecting data in early 2015, less than half a percent of phishing websites had a lock. The number has grown rapidly, reaching about 24% by the end of 2017 and now over 49% in the third quarter of 2018.
It makes sense that fraudsters are increasingly using the lock, LaCour said. That's because it has become easier and cheaper for website creators to use an encrypted connection, thanks to pushes from cybersecurity experts at Google, the Electronic Frontier Foundation and other technology heavyweights.
Criminals can now easily obtain the certificates that enable encryption and the lock, and they can do so without revealing their identity.
In addition, changes made by major browsers such as Chrome and Firefox now flag sites without TLS encryption to users with a very visible warning that the site is not secure. This gave criminals extra motivation to put the lock on their websites, LaCour said, so as to avoid raising suspicion.
"The lock does not tell you anything about the legitimacy of the site," he said. "It only tells you that your data is encrypted as it is sent over the Internet."
This is not all bad news
According to Nick Sullivan, head of cryptography at Cloudflare, a company that helps organizations encrypt their websites, it is probably for the best that fraudsters use encryption on their phishing websites.
After all, sending valuable information in a form that anyone can intercept and read is always a bad idea, even if your more immediate problem is that you have just sent your bank account details to a crook in another country.
"There is nothing wrong with phishing sites having encryption," Sullivan said.