Bitcoin Forum

Source: https://krebsonsecurity.com/2018/11/half-of-all-phishing-sites-now-have-the-padlock/



Maybe you were once advised to “look for the padlock” as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with “https://”.

Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That’s up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018.

A PhishLabs survey conducted last year found more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe.
In reality, the https:// part of the address (also called “Secure Sockets Layer” or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and can’t be read by third parties. The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

I found this cleverly crafted page that attempts to phish credentials from users of Bibox. Check the image below and see if you can spot what’s going on with this Web address:




Load the live phishing page at https://www.xn--bbox-vw5a[.]com/login (the link has been hobbled on purpose) in Google Chrome and you’ll get a red “Deceptive Site Ahead” warning. Load the address above — known as “punycode” — in Mozilla Firefox and the page renders just fine, at least as of this writing.

This phishing site takes advantage of internationalized domain names (IDNs) to introduce visual confusion. In this case, the “i” in Bibox.com is rendered as the Vietnamese character “ỉ,” which is extremely difficult to distinguish in a URL address bar.

If you’re a Firefox (or Tor) user and would like Firefox to always render IDNs as their punycode equivalent when displayed in the browser address bar, type “about:config” without the quotes into a Firefox address bar.

https://krebsonsecurity.com/wp-content/uploads/2018/03/aboutpunycode.png

Then in the “search:” box type “punycode,” and you should see one or two options there. The one you want is called “network.IDN_show_punycode.” By default, it is set to “false”; double-clicking that entry should change that setting to “true.”


Source: https://krebsonsecurity.com/2018/11/half-of-all-phishing-sites-now-have-the-padlock/

To be safe, I do not click on any unauthorized link and always bookmark links to sites I visit regularly.
Also have a unique passcode for every sit you use, and let it be distinctly different from your email password.
This is a growing menace as every day we are besieged with new links on the various platforms we frequent, and it's more difficult to check which is and isn't legitimate.
I sometimes don't a Google search to get which link to use.

This is a sad fact as criminals are getting better at scamming people. But the good thing is even though this common indicators might not be useful anymore we already have other alternatives on detecting a website if it is a phishing site or not. Just like how Chrome have with its extensions, from what I know there are Chrome extensions for detecting a website if it is a phishing site or not and it is really useful for your browser to have such a tool like that especially if you are into visiting a lot of new websites that involves you registering an account.

I never had considered the Padlock Icon as a sign of a website being legit or not. The Padlock Icon is only a sign that the website is operational under the SSL/TLS protocol which means the data you are inputting even though it is encrypted will still be accessed by the one in the receiving end of the website, the only ones who will have a hard time accessing your info are third party users looking to hijack your info from a SSL secured website. There are other obvious ways to detect a phishing website such as looking for trust seals and certifications of reputable clients. Here is the website of footlocker (https://www.footlocker.com/) for example, you will see at the bottom of their website the trust seals of both Norton and McAfee which if you click you will find more information about their certification for the website.

Yes the op might be correct about his assessment but there are still tons of phishing site that are with out the padlock so the best safety measure is to avoid links from an authorized suspicious person

Well they would use a secure transmission - they don't want other sites to steal the information they are stealing from you.

You should also use several emails and not have everything connected with your main email account. Your main email account should only be associated with your job, banking, family and close friends.
Everything else you do online like social media, your hobbies, Bitcointalk, bounty hunting etc should be divided with at least one additional email account.

I use 5 accounts:

1. Work related + Banking
2. For personal use, family and friends
3. Only for Bitcointalk
4. Social media
5. Used for registration on sites, downloading, airdrop/bounty related etc.

I advise you to use bookmarks in your browser. This provides additional protection.

I use several e-mails to work with cryptocurrencies. I have a paper notebook in which I keep all passwords and e-mails. Safety is never superfluous. I advise you not to store information on the computer.

Browsers should highlight "weird" characters in the URL bar, that makes it instantly obvious something fishy is going on.

They can buy cheap SSL in some hosting sites pretty easily these days and they can make phishing sites without giving their real information or they can use a whois guard to protect their information and I think they can also make a prepaid VISA or Master card without KYC and use it to buy a domain and hosting with fake info.

I remembered the news before about apple.com that hackers make a domain name the same as apple.com using a Punycode and lots of people victim with this phishing site before.

That is why we always need to keep checking the URL if the character is correct because there are some phishing site URL looks the same as the original site and always make sure that don't use or should not use the same password as you use in your email or don't give your real information without scanning it using virustotal.

You can make your own password database by saving the password on a spreadsheet just to make sure your email and important accounts are safe and always use an updated antivirus like Kaspersky I used this antivirus for how many years it can block all phishing site and it has a Punycode detection so your PC is safe for any malware and viruses but Kaspersky is expensive compared to other antivirus software.

You can even get free SSLs via Let's Encrypt and via Cloudflare; without any KYC whatsoever. People are completely underestimating how easy to get SSLs are.

Indeed. Remember the "biṇaṇce.com" phishing site? Take note of the dot below both n's. Bolded the characters for visibility.

That's why i always spellcheck the website address. The alphabet have many look like same but in fact they are different, as you give example for "i" and "ỉ" in Vietnamese. I make a search, have some results that you must be careful and check it when you visit a website.

in English	in Vietnamese
a	á, â, ấ, ầ, ạ, ậ, ă, ặ, ắ, ằ, à
i	í, ì, ị, ỉ
u	ư, ú, ù, ụ, ứ, ự, ừ
e	ê, é, ẹ, è, ế, ệ, ề
o	ọ, ó, ò, ơ, ợ, ợ, ớ, ờ

"i" and "j" are two character need to be checked because it looks like same

Or better yet, type the URL manually on your address bar, or bookmark the link on your browser. It's a lot safer that way. and if you're visiting a site for the first time that you've Googled, don't click on the advertisement. Most of the time these types of phishing links are spread through search engine ads.

You should never do that lmao that's just bad practice nowadays.

If people must insist on doing something of the sort, Duckduckgo is a lot cleaner and advertised sites at the top seem to be easier to distinguish than Google's. I wouldn't recommend using it for obscure services though, or even at all. The safest way is still to type the URL out on your own. Even bookmarks, however unlikely, could theoretically be compromised by malware.

Recently, my local ISP has added an anti-phishing service implicitly to my home network and mobile devices, and it has given me an alert when attempting to access the site referenced in the OP. Nevertheless, I will not rely fully on this feature, since phishing sites crop-up really fast and I fear they may not be detected promptly enough in all cases by my ISP.

While looking into it, I came across a report on phishing that shows the extent of the matter (see http://docs.apwg.org/reports/apwg_trends_report_q2_2018.pdf). The report gives us the following summary of facts for Q2 2018 (I have not located a Q3 report):
-   35% of attacks has https and ssl certificates (a bit less that stated in the OP -> different studies I guess). The report includes a chart showing a near to exponential increase on phishing attacks on https hosted sites since 2015.

-   In June 2018, there were 51,401 unique detected phishing sites (100K in April 2018).

-   June 2018 seemed to have 90.882 active email phishing campaigns.

-   During June 2018, at least 227 brands were targeted by phishing alt sites.

-   Phishing attacks target primarily the Payment industry (36%), SSAS/Webmail (21%), Financial Institutions (16%),  Cloud Storage/File Hosting (9%), Social Media (4%), and Others (14%).

 Makes on tremble …

What if your paper notebook gets stolen, catches fire or gets destroyed by water?
Do you have another copy or an encrypted digital copy someplace safe?

Bump since phishing is a constant treat in the crypto sphere.

I am using https://transparencyreport.google.com/safe-browsing/search to check web site safety. Hope google service will be useful for other people.

Yups having bookmarks each site that you think are helpful is another form of security to prevent becoming a victim of phishing sites..thats what i always do whenever theres a sites that attracted my views

Though theres this thread i am using to take more precautions

https://bitcointalk.org/index.php?topic=4264404.0

Having padlocks doesn't mean it's safe from phishing. As long as there's a fill up form you won't know your safe as long as you fill up that form and input what is stated in the fill up form. Some fill up forms is working as it should be but the fill up form is also coded (HTML) to send the information that is submitted in the form. You may have finished signing up but the site owner also receive your information which is why having bookmarks to the sites you regularly access will keep you from phishing scheme. To be honest, I've been phished before but it's not about bitcoin, it's about a game I played before and fallen into a phishing site. Just make sure you add it on your adblocker if you found a phishing site to avoid it in the future.

Now that's scary, since I usually eye for the padlocks. But just to pay several bucks extra doesn't cost much when the returns are greater since more people tend to fall for them.

I have never really given much weightage for that padlock sign, as any site can get it via a free ssl. I have made it a habit to either bookmark my regular sites, or type their entire name.com till I find the legitimate one. I also would advise people whenever you visit a new site you’re not sure off, use a dummy email, and a 16 digit password like i do let them go nuts cracking that.

Scammers tends to target ignorant users.
Any regular user, who haven't good knowledge of Internet security, will consider a website with a green padlock as a legit website.
The green padlock means that the trafic between browser and server is encrypted so no third party can read/modify the data the user sends to the server.

Any phishing website can get a green padlock. SSL certificate costs few bucks.
 

But if they decide not to encrypt the passwords, does the HTTPS do anything? They can be stored in plaintext, right?

If they are running a phishing website then they have no interest in encrypting password. Besides, there is no way the user may know whether the password was encrypted or not.
HTTPS only encrypts data before it reaches the server.
When you type your password, basically, your browser will use the certificate it received from the website to encrypt the password and sends it. When it reaches the server, it will be decrypted and the website owner can see it as you typed it.

Many people have a habit of searching web addresses with google, this is quite a dangerous thing, google is just a smart search engine, it cannot distinguish phishing sites. So the best way is to save the secure domain name on your search toolbar

The reason why Google banned crypto ads, was because they mostly impersonated legit sites and topped them in search results.

Not sure if it was mentioned before but it is sometimes very dangerous to trust the first result of a google search if it has the AD logo. Take a look at a random picture I found with the logo.

https://ntpmarketing.com/wp-content/uploads/2017/11/google-adwords-site-e1512056645105.jpg


In the past, I've seen phishing sites of crypto exchanges being advertised this way that would be placed on top following a google search and below it came the official - legitimate site.   

Exactly, that's why Google Ads came down hard on such ads after that.

Last time I accidentally accessed a phishing link when I searched for an exchange name on Google. The same ad spot on the first page.

I recall there used to be numerous fake Blockchain wallet sites that were advertised via the Google ads and many people used to fall for such sites as the scam site came up first before the actual Blockchain site. Google's indeed banned crypto ads so such phishing sites should no longer be a problem, but it's always a good idea to check the certificate of any site you go on before inputting any actual user information so you're sure that you are using the right site. A few exchanges and other sites even tell you to do this before logging in.

I want to create a new topic about phishing under HTTPS websites, But, because I found this thread, maybe better if I make a post reply to this thread. Sorry for bumping threads.

---

Phishing attempts increase 400%, many malicious URLs found on trusted domains

Secure Socket Layer (SSL) is considered as a secure, means to secure user data on a website. However, a hacker is not a beginner, they are always looking for ways to get victims. If a website that uses SSL (HTTPS://) used to be considered secure if accessing it from all devices, now that can't be said to be 100% correct.

Let's look at the data in the article published by helpnetsecurity.com (the reference is at the end of the post), the article data shown:

• Nearly 24% of malicious programs are found on trusted websites.
• Nearly 29% of phishing websites use HTTPS to deceive victims.

This is an irony for those of us who often use websites. Especially for novice investors or airdrop / bounty hunters. If we don't pay attention to the URL we open, we can become victims of this cyber crime.

Let's look at the thread created by wwzsocki entitled "What is Punycode and how to protect yourself from Homograph Phishing attacks? (https://bitcointalk.org/index.php?topic=5184169.0)". In that thread, there is an example of a phishing website which is a Binance duplication. The website was created using HTTPS on the domain to convince its victims and also trick users by using a similar alphabet.

Another example, from dkbit98, he found a Chainlink duplication website (https://bitcointalk.org/index.php?topic=5195454.0) that also uses HTTPS on the domain to convince its users. Despite the fact that the website is a phishing website that utilizes user typo.

Back to the article, the article mentioned that in 2019, phishing websites had increased by 400%. The terrible thing is, the growth of phishing takes place only in 7 months from January - July 2019. The sectors that are targeted for phishing are:

• 25% are SaaS / Webmail providers
• 19% are financial institutions
• 16% social media
• 14% retail
• 11% file hosting
• 8% payment services companies

If you are still using Windows 7 on your computer OS.

• Between January and June, the number of IPs that host Windows exploits grew 75%
• Malware samples seen on only one PC are at 95.2%, up from 91.9% in 2018
• Out of all infected PCs, 64% were home user machines, and 36% were business devices, likely because home users aren’t protected by corporate firewalls and security policies and may not be updated as regularly.
• Over 75% of malware on Windows system hides in one of three places:
  41% in %temp%, 24% in %appdata% and 11% in %cache%.
• Businesses can easily set policies to restrict execution of any application from the %temp% and %cache% locations, preventing more than 50% of infections.

https://www.helpnetsecurity.com/images/posts2019/webroot-102019-2.jpg

bumping

Time to get rid of this padlock sign once and for all. Just display an explicit warning to the user when SSL is not used...

PhishLabs, the data source behind the link in the OP,  has an update report, and now places the mark at 68% for phishing sites using SSL (see https://info.phishlabs.com/blog/apwg-two-thirds-phishing-sites-ssl-https). Although their data for some Quarters decreases in percentage, it’s fair to assume that SSL certificates is a non-trustworthy indicator on its own, and that the assumption needs to clearly be demystified.

Most browsers have already displayed such warnings when accessing an insecure site.

https://i.ibb.co/wN8J1BK/non.jpg

It's not so much that it's an insecure site on itself, rather the TCP connection between you and the site is not encrypted, which is bad for security.

Exactly. Anyone sniffing around can intercept the data you are sending over insecure networks. That doesn't mean that HTTP can't or shouldn't be used at all. It just shouldn't be used in connection with private data, passwords, logins, pins etc.

So many or almost all of these HYIP's are hosted in a secured SSL, because any website operator can buy a comodo to encrypt it and makes the site legit, but it doesn't guaranty the site is legit, it's not even a factor I looked when looking in a project, the plan, the people behind it are some of the things that you need to look but never the site's encryption.