You may have heard you should look for the padlock symbol at the top of a website before entering your password or credit card information into an online form. It’s well-meaning advice, but new data shows it isn’t enough to keep your sensitive information secure.
As it turns out, fraudsters got wise and started adding the padlock, which until recently was a bright green in most browsers, to their websites too. That means a padlock is no guarantee that a website is safe.
That’s according to data from cybersecurity firm PhishLabs, first reported by security writer Brian Krebs, which shows that almost half of all fraudulent pages have a padlock — meant to indicate that the site is secure — next to the URLs of their websites. Scammers are taking advantage of the fact that many internet users rely on the padlock symbol to decide whether to trust a website, according to an October report from the Anti-Phishing Working Group.
“Phishers are taking advantage of unclear security messaging” around the symbol, the report’s authors said.
The upshot is that there’s no one trick to protect you from the dark side of the internet. You have to be savvier than ever to avoid scammers and check for more than one sign that a website is legitimate.
That means making sure the website’s URL is correct and, whenever possible, typing the URL into the browser instead of following a link from an email. Tools like password managers and security software can also help: To stop you from being fooled by an extra convincing scam website, they’ll warn you when a URL doesn’t match the legitimate website or stop you from opening a scammy site to begin with.
“Awareness really is key,” said Adam Kujawa, director of the research arm of cybersecurity company Malwarebytes. “It’s up to the user to say, is this actually legit?”
The lock is supposed to tell you that a website sends and receives information from your web browser over an encrypted connection. That’s all. You can tell a website has an encrypted connection because it starts with the letters https, not http. These days websites use an encryption standard called TLS. The secure connection makes it so nobody can read your web traffic as it travels through the internet’s vast, global infrastructure.
The lock doesn’t tell you anything about the legitimacy of the site.
That’s also why it’s still true that you should never enter your information if a website doesn’t have a secure connection.
But lots of people don’t know the lock means something so specific, said John LaCour, Chief Technology Officer at PhishLabs. “We’ve dumbed thing down to lock meaning ‘safe’,” he said.
It makes sense that scammers would be using the padlock more and more, LaCour said. That’s because it’s gotten easier and cheaper for website creators to use an encrypted connection, thanks to pushes from cybersecurity experts at Google, Electronic Frontier Foundation and other tech heavyweights.
Criminals can now easily obtain certificates that enable the padlock to show up and encryption to take place, and they can do it without revealing very much about who they are.
What’s more, changes at major browsers like Chrome and Firefox have made sites without TLS encryption look much more dangerous to users, with a very visible warning that the site isn’t secure. That provided extra motivation for criminals to show the padlock on their websites, LaCour said, and avoid looking obviously shady.
“The lock doesn’t tell you anything about the legitimacy of the site,” he said. “It only tells you that your data is encrypted as it’s sent over the internet.”
It’s not all bad news
That’s because sending valuable information that anyone could intercept and read is always a bad idea, even if your immediate problem is that you’ve just sent off your bank account information to a scammer in another country. “There’s nothing bad about phishing sites having encryption,” Sullivan said. CNET’s Holiday Gift Guide: The place to find the best tech gifts for 2018. Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.
Source : msn