Bad news for the SSL good-guys (Three quarters of all phishing sites now use SSL)
The total number of phishing sites detected by the Anti-Phishing Working Group (APWG) worldwide in October through December 2019 was 162,155, following the all-time-high of 266,387 attacks recorded in July through September 2019.
Most menacing, however, were targeting trends exhibited by cybercrime gangs focusing on: users of web-hosted email and social media to multiply the numbers of potential victims; and Business Email Compromise (BEC) schemes of increasing sophistication to exploit key executives’ broader access to corporate resources – and greater payments authority.
SSL use for more effective phishing
The researchers at APWG member PhishLabs documented the rising use of SSL certificates on phishing websites. Almost three-quarters of all phishing sites now use SSL protection. This was the highest percentage since tracking began in early 2015, and is a clear indicator that users can’t rely on SSL alone to understand whether a site is safe or not.
APWG member RiskIQ analyzed 2,149 confirmed phishing URLs reported to APWG in Q4 2019, and found that the most popular top-level domains used by the phishers are the generic .com, .org, .net and .info TLDs.