Threat actors are playing by the rules, or at least tricking your browser into thinking they are, in order to deliver more effective attacks.
Wandera researchers noticed an increase in threat actors leveraging HTTPS and SSL certificates to “secure” their phishing sites, to the point that 60 percent of the malicious traffic they monitor is now encrypted using HTTPS.
Researchers discovered more than 1,150 new HTTPS phishing sites over the course of a single day, not counting the many malicious HTTP phishing URLs already known to exist, which means a new “secure” phishing site goes up every two minutes.
“Seeing a padlock in the URL bar used to be a reliable safety check but because the vast majority of websites now use encryption, hackers are also ‘securing’ their sites to lure victims into a false sense of security,” researchers said in an SC Media exclusive. “These days, there is no real barrier to entry for getting an SSL certificate, which means it’s incredibly simple for hackers to obtain them while keeping their tracks covered.”
Some certificate issuers even offer SSL certificates without requiring payment or any genuine personally identifiable information to change hands.
Cybercriminals exploit services that make encryption and identification accessible, such as Let’s Encrypt for free HTTPS setups, and reuse the resulting certificates across multiple domains, all to get the little green padlock to appear in a victim’s browser URL bar.
Threat actors also rely on domain control validation, in which only control of the certificate’s subject (the domain) is verified, to hide their identity.
“While validation type is something that only 4 percent of ordinary users (according to a recent Twitter poll by security expert Troy Hunt) might understand or check when assessing the security of a particular site, it is easy for an automated algorithm to take this into account,” researchers said. “As expected, malicious sites that we block use mostly domain-control validation, while organization validation is much more common among top sites.”
Organization validation involves checking the identity of the company behind the domain against official registers, while Extended Validation requires the strongest, most rigorous checks of the company’s identity, making it harder for threat actors to spoof.
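The researchers’ point that an automated check can take validation type into account, as an added example that is not part of the original article: a small classifier over the dict form that Python’s `ssl.SSLSocket.getpeercert()` returns, using the subject fields each validation level requires as a heuristic (the EV policy OID itself is not exposed by that API, so the EV-only subject attributes stand in for it, which is an assumption). The sample certificates are constructed, not real issued ones.

```python
# Validation-level heuristic for a certificate in the dict form returned by
# ssl.SSLSocket.getpeercert(). EV is formally signalled by a certificate-policy
# OID that getpeercert() does not expose, so EV-mandated subject fields stand in
# for it (assumption; attribute names follow OpenSSL long names).
EV_SUBJECT_MARKERS = {"businessCategory", "jurisdictionCountryName",
                      "jurisdictionStateOrProvinceName", "jurisdictionLocalityName"}

def subject_fields(cert):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    """Return 'DV', 'OV' or 'EV' for one getpeercert()-style certificate dict."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"   # only control of the domain was checked
    if "serialNumber" in fields and EV_SUBJECT_MARKERS & fields.keys():
        return "EV"   # organisation plus registration number and jurisdiction
    return "OV"       # organisation named, none of the EV-only fields

def san_dns_names(cert):
    """DNS names the certificate covers; many unrelated names on a DV cert merit a look."""
    return [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]

# Constructed sample certificates (not real issued certificates).
SAMPLE_DV = {
    "subject": ((("commonName", "login-example.test"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "login-example.test"), ("DNS", "www.login-example.test")),
}
SAMPLE_OV = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("commonName", "www.example.test"),)),
    "subjectAltName": (("DNS", "www.example.test"),),
}
SAMPLE_EV = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "US"),), (("serialNumber", "1234567"),),
                (("countryName", "US"),), (("organizationName", "Example Bank Inc."),),
                (("commonName", "www.examplebank.test"),)),
    "subjectAltName": (("DNS", "www.examplebank.test"),),
}

if __name__ == "__main__":
    for cert in (SAMPLE_DV, SAMPLE_OV, SAMPLE_EV):
        print(validation_level(cert), san_dns_names(cert))
```

A real certificate dict can be obtained from a live connection with `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()` and passed to the same functions.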
Fortunately, there is hope: Certificate Transparency services publish all certificates at the time they are issued, so that anybody can search for any certificate belonging to any domain, which makes it easier to monitor for fraudulent certificates.