To no one's surprise in this business, PhishLabs has an article reporting that over 3 quarters of phishing web sites now have SSL certificates. This means that we can't rely on the https at the start of a URL, like https://www.jaredrimer.net for example, as a sign that a site is legitimate.
Usually you can tell it is a phishing site because the domain will not make much sense, like https://www.abmifnt.com for example, or because it has really long URLs that you aren't expecting to go to.
Some of these phishing sites use URL-shortening services like the one I talked about at one point called cutt.us. Like any service, actors abuse them to get their wares out, and they don't stop at anything to try and trick each and every one of us in some way or another. If we aren't careful, we can get bit.
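The checks described above can be sketched as a small triage function. This is an added example, not code from PhishLabs or from this blog; the shortener list (apart from cutt.us), both thresholds and the vowel-ratio test for a domain that "does not make sense" are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# cutt.us is named in the post; the other entries are assumed, well-known shorteners.
SHORTENERS = {"cutt.us", "bit.ly", "tinyurl.com", "t.co"}
MAX_URL_LEN = 75        # assumed cut-off for a "really long" URL
MIN_VOWEL_RATIO = 0.3   # assumed cut-off for a label that reads as a word
MIN_LABEL_LEN = 6       # short labels are too small a sample to judge

def registrable_label(host):
    """Naive second-to-last DNS label; ignores multi-part suffixes such as co.uk."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host

def vowel_ratio(label):
    """Share of vowels among the letters of a label (0.0 if it has no letters)."""
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in "aeiou" for c in letters) / len(letters)

def triage(url):
    """Return the reasons a URL deserves a second look.

    The scheme is deliberately never consulted: https says the connection
    is encrypted, not that the site is the one you meant to visit.
    """
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    reasons = []
    if host in SHORTENERS:
        reasons.append("shortener")          # real destination is hidden
    label = registrable_label(host)
    if len(label) >= MIN_LABEL_LEN and vowel_ratio(label) < MIN_VOWEL_RATIO:
        reasons.append("unpronounceable-domain")
    if len(url) > MAX_URL_LEN:
        reasons.append("long-url")
    return reasons

if __name__ == "__main__":
    # Constructed sample input: the two URLs from the post plus two made-up ones.
    for sample in ("https://www.jaredrimer.net",
                   "https://www.abmifnt.com",
                   "https://cutt.us/abc12",
                   "https://login.example.com/" + "a" * 80):
        print(triage(sample) or ["no flags"], sample[:60])
```

An empty result means only that none of these three checks fired, not that the site is safe.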
Since 2015, PhishLabs has and continues to track how threat actors abuse HTTPS or SSL certs. In particular, threat actors often use HTTPS on their phishing sites to add a layer of legitimacy, better mimic the target site in question, and reduce being flagged or blocked from some browsers. Last year, threat actors hit a significant milestone in this usage when more than 50% of phishing sites included an SSL certificate. Now, just six months later, our data suggests that nearly three-fourths of all phishing sites, specifically 74%, now abuse HTTPS.
Just sit there and think about this. 74 percent of phishing sites now use HTTPS, and it's expected to grow. Because of the stay at home orders, and COVID-19 cases now rising once again across the country, we're still not done. The last paragraph of the article says:
Previously, the majority of phishing sites have been on non-free domains. In the past year however, we have seen a year-over-year increase in the use of free domains. Rather than a threat actor having to access a compromised site or purchase a domain, they can more quickly mobilize their phishing attacks with a free option.
To read the full article, please feel free to visit PhishLabs and read Abuse of HTTPS on Nearly Three-Fourths of all Phishing Sites by Elliot Volkman. This can't be good, and it'll be a matter of time before we find that all sites will be secured and we have no hope. Thoughts?