Criminals Hide Fraud Behind the Green Lock Icon

Criminals are using free certificate services to apply real security certs to fraudulent sites — and to take advantage of victims looking for surfing safety.

The "green lock" icon, harbinger of safe browsing, is becoming a trap for unwary consumers. Already abandoned by Google for its Chrome browser, the green lock is an increasingly unreliable indicator of safety, and its near-ubiquity is to blame.

In its "State of E-Commerce Phishing" report for 2019, NormShield reported that the number of potential phishing domains registered in 2019 was up by 11% over 2018. But the number of phishing domains with legitimate certificates for encryption more than tripled in the same time.

"Year over year, month over month, phishing is becoming more prevalent," says Bob Maley, NormShield's CSO. "The bad actors are getting these phishing domains and registering them. Then they are standing up phishing sites on those domains that are essentially clones of the various e-commerce sites to fool the end user into believing they're on a legitimate e-commerce site."

Part of that successful camouflage is the green lock icon that indicates encrypted legitimacy to users. It became a problem through products and services designed to make it easier for small organizations to properly protect their websites: Free and open certificate authorities like Let's Encrypt provide the same level of encryption (and same appearance of legitimacy) to criminal phishing sites they provide to legitimate small businesses.

At this time of year, especially, researchers see an increase in criminals registering typo-squatting and phishing domains that are a single character different from a legitimate domain, Maley says. Other techniques for tricking victims include domains with two letters transposed from those of a legitimate site and those with common misspellings of well-known domains.
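One way a defender could screen a feed of newly registered domains for the single-character and transposed-letter lookalikes Maley describes (an added example, not code from the article or from NormShield; the brand and candidate domains are constructed placeholders):

```python
"""Flag newly seen domains that are one typo away from a protected brand domain.

Added example, not from the article. Restricted Damerau-Levenshtein distance 1
covers one substituted/inserted/deleted character and one adjacent transposition.
All brand and candidate domains are constructed placeholders, not real indicators.
"""

PROTECTED = ["example-shop.com", "bigstore.com"]

CANDIDATES = [            # constructed sample of newly registered domains
    "example-shop.com",   # exact match: legitimate
    "exampel-shop.com",   # adjacent transposition
    "examp1e-shop.com",   # substitution (l -> 1)
    "bigstor.com",        # deletion
    "biggstore.com",      # insertion
    "bigstore.net",       # same label under another TLD
    "unrelated.com",
]


def registrable_label(domain: str) -> str:
    """Label left of the TLD; assumes a single-label suffix like .com."""
    return domain.lower().rstrip(".").rsplit(".", 1)[0]


def dl_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (edits plus adjacent transposition)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(candidate: str, protected=PROTECTED) -> str:
    """Return 'legitimate', 'lookalike:<brand>' or 'unrelated'."""
    cand = candidate.lower().rstrip(".")
    if cand in protected:
        return "legitimate"
    label = registrable_label(cand)
    for brand in protected:
        if dl_distance(label, registrable_label(brand)) <= 1:
            return f"lookalike:{brand}"
    return "unrelated"
```

Run `classify()` over each entry in `CANDIDATES`; the same-label-different-TLD case is flagged because the comparison is made on the registrable label, not the full hostname.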

In addition, criminal sites don't even have to trick the user into clicking on an "almost right" link. Researchers at Babel Street have found criminals using domain redirection to take users typing innocuous URLs, such as, to a variety of different sites selling both legal and counterfeit drugs. URL redirection can add a significant layer of obfuscation to criminal phishing (and commerce) sites.

And those criminal domains of all types are multiplying at a high rate. The NormShield report predicts there will be more than 9,000 phishing domains targeting just the top 50 commerce websites by the end of 2019. Maley says the proliferation of these sites and the increased email traffic during the end-of-year holiday shopping season make this a highly lucrative — and very effective — time of year for criminals.

So what is a company or individual to do to protect themselves from these threats? According to the report, one tip for organizations setting up filters and anti-malware rules is to look at the registrar for the domain: criminals have a very real fondness for free and low-cost registrars, with GoDaddy the No. 1 registrar, responsible for roughly 30% of the phishing domains.

For users, the researchers have two pieces of advice, one obvious and one subtle. The obvious tip is to avoid clicking on URLs that come in holiday promotional email, especially those that promise entry to sweepstakes and contests. Instead, users should type in the address of retailers' sites by hand, being careful not to make typos.

The more subtle tip is to watch the behavior of password managers. These are tied to specific, legitimate URLs in order to fill in account information. If a password manager balks or unexpectedly refuses to provide credentials, it could be, Maley says, a strong indication that the website is not what it claims to be.


About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes.

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.
