A massive effort to encrypt web traffic over the last few years has made green padlocks and "https" addresses increasingly common; more than half the web now uses internet encryption protocols to keep data protected from prying eyes as it travels back and forth between sites and browsers. But as with any sweeping reform, the progress also comes with some new opportunities for fraud. And phishers are loving HTTPS.

On Tuesday, the phishing research and defense firm PhishLabs published new analysis showing that phishers have been adopting HTTPS more and more often on their sites. When you get a phishing email or text, the sites they lead to—that try to trick you into entering credentials, personal information, and so on—implement web encryption about 24 percent of the time now, PhishLabs found. That's up from less than three percent at this time last year, and less than one percent two years ago.

Some phishing sites come by HTTPS only incidentally, or as an added bonus. Phishers often hijack legitimate sites for their own uses, so the more HTTPS is deployed around the web overall, the more likely it is that a phisher will compromise a site that already implements it. But PhishLabs notes that phishers create their own sites almost as often as they steal those of others. In those cases, phishers actively choose to implement web encryption. The green padlock lends legitimacy, a patina of security that helps trick web users into trusting a site and giving up their valuable information.

"In two extremely prevalent types of phishes targeting PayPal and Apple, about 75 percent were using HTTPS sites," says Crane Hassold, a threat intelligence manager at PhishLabs who worked on the research. "The attackers are making that choice even though this is not needed to complete the crime."

Other researchers see the trend as well. During a 24-hour period this month, the anti-phishing firm PhishMe observed and analyzed over 200 examples of phishing pages that were using HTTPS. "The HTTPS connection ensures that the data is encrypted when it is transmitted, but forged pages that falsely replicate an organization send the information to a criminal instead of the legitimate organizations," says Brendan Griffin, a threat intelligence manager and malware analyst at PhishMe.

Some Like It HTTPS

Web giants like Google have led a big push over the last few years to promote and even require HTTPS. And the non-profit Internet Security Research Group has been offering free verification certificates, which a site needs for HTTPS to work, through its Let's Encrypt initiative since last year. Let's Encrypt, which is known as a "certificate authority" because it verifies web servers before issuing them the certificates used to implement encryption, has now issued more than 100 million certificates.

'The fact that they're taking a little bit of extra time to do it means it’s worthwhile to them.' Crane Hassold, PhishLabs

These collective efforts have been paying off. In April 2016, 42 percent of page loads on the Firefox browser were to encrypted sites. In January the number hit 50 percent, and it's now up to an impressive 67 percent. But advocates have long known that the privacy and security gains would come with some detrimental side effects.

"HTTPS is taking off at a rate that I think is really unprecedented for any change on the web," says Josh Aas, the executive director of ISRG. "The whole web becoming encrypted is really, really good for people. And of course the bad guys are going to follow along down that trend, that’s to be expected, but in the overall picture the situation is much better than it was."

Mixed Messages

Certificate authorities like ISRG argue that their scope is too limited to meaningfully police the web. They don't have the resources, means, or opportunity to screen sites for attacks like phishing or malware. Besides, a site often won't have any content on it at all yet when a domain owner requests an encryption certificate. And even if certificate authorities did have the resources and expertise to make content-based decisions, they don't have the ability to really penalize sites. Revoking an HTTPS certificate doesn't take a site down or remove abusive content.