Cyber crooks are using HTTPS domains to deceive users

HTTPS does not in itself mean websites are secure and legitimate

Cyber crooks are increasingly using HTTPS on bogus sites to deceive internet users into believing the sites are legitimate.

According to anti-phishing firm PhishLabs, 25 per cent of phishing campaigns identified in the third quarter of 2017 were using HTTPS websites in this way.

Crane Hassold, threat intelligence manager at PhishLabs, said the firm "observed nearly a quarter of all phishing sites hosted on HTTPS domains, nearly double the percentage we saw in the second quarter".

He said: "A year ago, less than three percent of phish were hosted on websites using SSL certificates. Two years ago, this figure was less than one percent."

In the past, getting HTTPS certification wasn't an easy task. Website owners had to invest significant time and money into gaining an SSL certificate. But cyber security firm IT Governance USA says this has changed and that criminals now believe it is worth their while.

"Gaining SSL certificates is just another way phishers are manipulating people into thinking their sites are legitimate," it said.

"Many legitimate sites went to the effort to assure customers that the site was secure, but criminal hackers rarely did, because they typically have many sites that only exist for a short period of time," added IT Governance.

HTTPS sites commonly cause browsers to display a green padlock symbol, although IT Governance points out that this is not an indication of security at all. It just shows that traffic is encrypted rather than saying anything about the legitimacy of the site.

According to PhishLabs, however, 80 per cent of respondents thought that it was a sign of a website being secure.

IT Governance said consumers should trust nothing from an unsolicited email. It explained that "links can be manipulated, they can go to bogus sites, the 'from' field can be forged, attachments can contain malware, and legitimate information in an email could have been bought or stolen".

The firm added: "Phishing emails are full of information designed to trick you, and as long as you remember that - and are aware of how prominent phishing emails are - it should be easy to avoid falling for a few pieces of information that look legitimate.

"The extra effort it takes to log in manually is negligible, and getting into the habit will help you bypass even the most sophisticated of phishing tricks."