Scam Sites Use Chrome's Green HTTPS Lock to Trick Victims


For Chrome users, the little green HTTPS lock has served as a very useful indicator of a site's security. It lets you know that your connection is encrypted and that no cybercriminals are intercepting sensitive information you’re sending, such as credit card details or passwords. But while an HTTPS certificate means you’re protected from people eavesdropping, it says nothing about the legitimacy of the site itself.

Forbes writer Ian Morris recently encountered a piece of spam that seemed to come from PayPal, asking him to confirm his login credentials – but when he probed further, he discovered that it was a scammer trying to steal his username and password. The site had the little green lock, which means that if he had submitted this info, it would have indeed only ended up in the hands of the people he sent it to - in this case, the scammer. Hardly a relief!

Morris’s fear is that “people will assume that ‘secure’ means that the domain belongs to the company whose name appears in the URL.” Anyone can include a legitimate company’s name in their URL, or add a trusted logo to their site. 

But the problem, Morris explains, is that anyone can now get a security certificate as well. Well-meaning organizations like Let’s Encrypt are trying to make the whole Internet secure, but in the process, their haste to issue free certificates lowers the barrier to entry for organizations to get that little green lock. Unfortunately, the result is confusion over what the HTTPS lock means, and many users blindly take the lock as a sign that the website is 100% secure and legitimate. 
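The point of the two paragraphs above is that the lock only tells you the connection is encrypted to whichever host is in the address bar; it is the registrable domain, not the brand name appearing somewhere in the URL, that identifies who you are talking to. The following Python example is added here and is not part of the original article: it extracts the registrable domain from a URL and flags the "brand name present, but domain not owned by the brand" pattern. The brand list, the tiny stand-in for the Public Suffix List and the sample URLs are all constructed for illustration.

```python
"""Added example: classify URLs as trusted, lookalike or unknown based on the
registrable domain rather than on HTTPS. Brand ownership table, suffix list
and sample URLs are constructed, not taken from the article."""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (the real list has thousands
# of entries; use a maintained copy in production).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}

# Constructed: brand names and the registrable domains they legitimately use.
TRUSTED_DOMAINS = {
    "paypal": {"paypal.com", "paypal.co.uk"},
    "gmail": {"gmail.com", "google.com"},
}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname, e.g.
    'paypal.com.secure-login.net' -> 'secure-login.net'."""
    labels = host.lower().rstrip(".").split(".")
    # Suffixes are tried longest-first so 'co.uk' wins over 'uk'.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return host.lower()


def assess_url(url: str) -> dict:
    """Classify a URL. HTTPS is recorded but never used as a trust signal:
    a lookalike served over HTTPS is still a lookalike."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    result = {"host": host, "domain": domain, "https": parts.scheme == "https"}

    # 1. The registrable domain is one the brand actually owns.
    for brand, owned in TRUSTED_DOMAINS.items():
        if domain in owned:
            return {**result, "verdict": "trusted", "brand": brand}

    # 2. A brand name appears in the authority part (subdomain, hyphenated
    #    spelling, or the 'brand.com@real-host' userinfo trick) while the
    #    registrable domain is not owned by that brand.
    authority = parts.netloc.lower().replace("-", "")
    for brand in TRUSTED_DOMAINS:
        if brand in authority:
            return {**result, "verdict": "lookalike", "brand": brand}

    return {**result, "verdict": "unknown", "brand": None}


# Constructed sample URLs; the hosts are placeholders, not real scam sites.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "https://paypal.com.secure-login.net/confirm",
    "https://paypal.com@evil-site.net/",
    "https://accounts.google.com/",
    "http://example.org/",
]


def report(urls=SAMPLE_URLS):
    """Return (url, verdict, https) triples for each sample URL."""
    return [(u, assess_url(u)["verdict"], assess_url(u)["https"]) for u in urls]


if __name__ == "__main__":
    for url, verdict, https in report():
        print(f"{'HTTPS' if https else 'HTTP ':5}  {verdict:9}  {url}")
```

Note that the second and third sample URLs would both show a lock in the browser, and both come back as lookalikes: the lock and the verdict are independent, which is exactly the confusion the article describes.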

When it comes to the most security-sensitive websites, such as those of banks and investment management companies, Extended Validation Certificates ensure that sites are who they say they are. Obtaining this certificate requires a non-automated verification of the site’s legitimacy and costs a fair amount of money; both of those hurdles deter criminals from trying to pose as such sites. Once the certificate is obtained, visitors will see the organization's name in the URL bar before the address.

[Screenshot (2017-04-17): Chrome's URL bar showing the organization's name before the address for an Extended Validation certificate]

Unfortunately, not every legitimate site wants to go through this process or spend the money on this, either. Those that do give their viewers the high degree of confidence needed to engage in transactions or hand over sensitive information. But even some of the largest domains simply settle for the standard HTTPS certificate, meaning that you could theoretically get tricked into logging into a fake site when trying to access your Gmail account or other major sites. 

Does this mean you should avoid Gmail? Of course not. The takeaway is that you should always be wary of the sites you’re using, and keep an eye out for anything that seems amiss. It’s still perfectly fine to use HTTPS sites, or even regular HTTP sites – you just have to adjust your browsing habits to accommodate each. Requests for credential verification, payment details or any other sensitive info should be treated with caution, even if they seem to be coming from a trusted source. The Internet will never be 100% safe, but if users know when to be wary then most of these threats can be avoided.

Written by Nik Vargas