Phishing Sites Using HTTPS Too

When you see the secure HTTPS protocol at the beginning of a web address, or see the green “secure site” padlock symbol, does this mean that the site is safe?  Unfortunately, the answer is NO.  There is some confusion among computer users about what HTTPS really means.  This confusion is being exploited by cyber-criminals running phishing exploits.

HTTPS, or Hypertext Transfer Protocol Secure, uses encryption to keep the conversation between your computer’s web browser and the web server you are accessing private.  It is a communication protocol only.  It means only that the connection between the two computers is secure from eavesdropping.

This does not mean the information on the web site is encrypted, and it does not mean the personal information you may be sending to the website is encrypted when stored on the web server.  It most definitely does not mean the information on the web site is “safe” from a cybersecurity standpoint.  A page on an HTTPS web site can still host malicious content and be used to download malware to unsuspecting site visitors.  Or it can be a landing page that is part of a phishing scam used to trick people into providing logon credentials or other personal information.

HTTPS was originally adopted by the financial industry to keep banking and investment transactions private.  Recently, Google started on a quest to encourage (or bully) web site owners into using HTTPS by penalizing old-fashioned HTTP websites with lower page rank scores and search result placement.  Getting an encryption security certificate used to be expensive, but those rates have dropped, and companies such as Let’s Encrypt have provided a way to get your security certificate for free.  As a result, more websites (including mine) are using HTTPS.

From a phishing perspective, this means that a higher percentage of hijacked websites that are used by phishers to host their landing pages are also using HTTPS.  So unwitting victims of a phishing email click on the link, end up on a “secure” site, and falsely assume this means the phishing email was genuine, or the landing page is legitimate.

A more disturbing trend is that phishing scammers are registering malicious or near-miss spoofing domain names and coupling them with HTTPS encryption.  They are using these maliciously registered HTTPS domain names in phishing exploits to wrap themselves in a cloak of respectability.  A recent study showed that nearly 75% of HTTPS phishing sites are hosted on maliciously-registered domains.

The important takeaway from this article is that the HTTPS designation means nothing when it comes to web site integrity.  To protect yourself from this variant of phishing, just use the same techniques you have already learned.

  • Look for mismatched or unusual domains used in the sender’s email address.
  • Use the hover trick to reveal the destination web address of embedded links.
  • Check email attachments for malware with
  • Look for near-miss domain names in emails and on web sites.
  • And don’t think that the HTTPS security lock means the site is safe or genuine.
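
The near-miss domain check from the list above, as an added example that is not part of the original article: it flags links whose domain imitates a trusted one and gives no credit for HTTPS. The trusted domains, sample links and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the organisation really uses (constructed, reserved TLD).
TRUSTED = ("northbank.example", "payroll.example")
# Digit-for-letter swaps common in near-miss names; Unicode homoglyphs would
# need a fuller confusables table and are not covered here.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Fold look-alike characters ("rn" reads as "m") into one canonical form."""
    return domain.translate(SWAPS).replace("rn", "m")

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    """Last two labels only; production code should use the Public Suffix List."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def classify(url):
    """Return (verdict, reason). The scheme (http/https) is never consulted."""
    host = urlsplit(url).hostname or ""
    domain = registered_domain(host)
    if domain in TRUSTED:
        return "trusted", domain
    labels = re.split(r"[.-]", host)
    for good in TRUSTED:
        if skeleton(domain) == skeleton(good):
            return "near-miss", f"look-alike characters imitating {good}"
        if edit_distance(domain, good) <= 2:
            return "near-miss", f"within two edits of {good}"
        if good.split(".")[0] in labels:
            return "near-miss", f"{good} brand name on an unrelated domain"
    return "unrelated", domain

if __name__ == "__main__":
    for link in ("https://www.northbank.example/login",        # genuine
                 "https://n0rthbank.example/login",            # 0 for o
                 "https://northbnak.example/",                 # transposed letters
                 "https://northbank.example.verify-id.test/",  # brand as subdomain
                 "https://blog.example.org/"):                 # unrelated
        print(link, "->", classify(link))
```
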


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
