Criminals Hide Fraud Behind the Green Lock Icon

The "green lock" icon, harbinger of safe browsing, is becoming a trap for unwary consumers. Already abandoned by Google for its Chrome browser, the green lock is an increasingly unreliable indicator of safety, and its near-ubiquity is to blame.

In its "State of E-Commerce Phishing" report for 2019, NormShield reported that the number of potential phishing domains registered in 2019 was up by 11% over 2018. But the number of phishing domains with legitimate certificates for encryption more than tripled in the same time.

"Year over year, month over month, phishing is becoming more prevalent," says Bob Maley, NormShield's CSO. "The bad actors are getting these phishing domains and registering them. Then they are standing up phishing sites on those domains that are essentially clones of the various e-commerce sites to fool the end user into believing they're on a legitimate e-commerce site."

Part of that successful camouflage is the green lock icon that indicates encrypted legitimacy to users. It became a problem through products and services designed to make it easier for small organizations to properly protect their websites: Free and open certificate authorities like Let's Encrypt provide the same level of encryption (and same appearance of legitimacy) to criminal phishing sites they provide to legitimate small businesses.

At this time of year, especially, researchers see an increase in criminals registering typo-squatting and phishing domains that are a single character different from a legitimate domain, Maley says. Other techniques for tricking victims include domains with two letters transposed from those of a legitimate site and those with common misspellings of well-known domains.

In addition, criminal sites don't even have to trick the user into clicking on an "almost right" link. Researchers at Babel Street have found criminals using domain redirection to take users typing innocuous URLs, such as metropolitanbaptistchurch.org, to a variety of different sites selling both legal and counterfeit drugs. URL redirection can add a significant layer of obfuscation to criminal phishing (and commerce) sites.

And those criminal domains of all types are multiplying at a high rate. The NormShield report predicts there will be more than 9,000 phishing domains targeting just the top 50 commerce websites by the end of 2019. Maley says the proliferation of these sites and the increased email traffic during the end-of-year holiday shopping season makes this a highly lucrative — and very effective — time of year for criminals.

So what is a company or individual to do to protect themselves from these threats? According to the report, one tip for organizations setting up filters and anti-malware rules is to look for the registrar for the domain; criminals have a very real fondness for free and low-cost registrars, with Go-Daddy the No. 1 registrar, responsible for roughly 30% of the phishing domains.

For users, the researchers have two pieces of advice, one obvious and one subtle. The obvious tip is to avoid clicking on URLs that come in holiday promotional email, especially those that promise entry to sweepstakes and contests. Instead, users should type in the address of retailers' sites by hand, being careful not to make typos.

The more subtle tip is to watch the behavior of password managers. These are tied to specific, legitimate URLs in order to fill in account information. If a password manager balks or unexpectedly refuses to provide credentials, it could be, Maley says, a strong indication that the website is not what it claims to be.

Related Content: