Technology

Phishing Sites Are Using The Green Padlock Symbol To Fool You

Phishing Sites Using Green Padlock Symbol
Image Source: KrebsonSecurity (screenshot)

Most internet users, if not all, have come to understand that the green padlock symbol next to a web address in their browser is supposed to indicate that the site is safe and free from any malware. However, new data disproves this widely-held belief.

Is the green padlock symbol useless?

The new data comes from cyber-security firm PhishLabs, which reports that scammers have got smarter as they are intentionally adding the padlock symbol to their phishing sites as well. It means even if a website has a padlock, there is no guarantee that it is safe.

According to the data from PhishLabs, almost half of the fraudulent pages they flagged had a green padlock symbol near the URLs of their phishing sites. Scammers know internet users view this green padlock symbol as a sign of safety, so they are increasingly using this symbol to fool users. In 2015, less than half a percent of phishing websites featured the padlock, but by late 2017, the number jumped to 24%.

Security expert Brian Krebs of Krebson Seurity goes so far as to say the padlock symbols are “useless.” The expert notes that the symbol does not imply a website is safe; rather, it indicates that the data exchanged between the website and the user is encrypted. Since the data is encrypted, it can’t be read by third parties, but it does not mean the site is legitimate.

“The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers,” Krebs said.

However, we would argue that the padlock is not totally useless. The symbol is still important for websites which require you to enter sensitive information, like an online shopping site. Thus, an online shopping site without the padlock symbol could prove dangerous as hackers can easily see your credit card info or personal details. Nonetheless, the absence of padlock does not necessarily mean scammers created the website.

 Time to get smarter

According to Nick Bilogorskiy, a cyber-security strategist at Juniper Network, it is very easy for scammers to obtain the green padlock. It does not cost anything to get an SSL certificate from Let’s Encrypt to obtain the padlock. Let’s Encrypt is the biggest certificate issuer globally.

In December 2017, a survey by PhishLabs found that 80% of responders associated the padlock with a website being legitimate or safe. However, this new data suggests there is no sure-fire way to protect ourselves from scammers or hackers. Even though browser makers are working with security firms to keep users safe, scammers are coming up with new and innovative ways to steal your personal data.

Thus, you should not rely solely on any third-party solution. Rather, be smart to avoid scammers by verifying the legitimacy of the website yourself, like by ensuring that the URL of the website you want to access is correct and typing the URL instead of following any link. Further, you can use tools like password managers and security software. Such tools will warn you if the URL is fake or if you are accessing any unsafe site.

Another embarrassment for Google

In related news, Google removed 13 gaming apps from the Play Store recently after a security researcher claimed they were spreading malware. All 13 apps were from the same developer, and two of them were trending on the store when the researcher first reported them.

All the infected apps were from the developer Luiz O Pinto. Before Google removed the apps, they were downloaded 580,000 times. Users who downloaded the app thought they installed a driving game, but in reality, they got apps filled with bugs and malware. The apps crash each time a user tries to open them, and if they do open, they start downloading a payload which installs malware in the background. Google confirmed that the apps violated its policy and were removed from the Play Store.

This is another embarrassment for Google, which has long been criticized for having a laid-back attitude towards mobile security. Apple, on the other hand, is far too selective when it comes to approving apps for the App Store. However, Google has adopted a more aggressive approach lately when it comes to battling malicious apps in the Play Store. In 2017, the search giant pulled more than 700,000 malicious apps from the store.