Scammers are increasingly abusing consumer awareness of sites that encrypt data sent over the internet using HTTPS, particularly through a spike in phishing attacks that hope to win the confidence of victims by using the protocol on spoofed sites.
“For quite a while now, the security community has been educating users about the importance of secured communication. Users have been taught that important connections will be secured with HTTPS,” wrote Anna Shirokova and Ivan Nikolaev, researchers with the Cisco Talos team, who on Thursday explained the HTTPS phishing problem in a report.
Raised awareness has created a “strange side-effect” where consumers trust anything secured with HTTPS, they said, adding that trust is increasingly being abused by scammers especially through phishing attacks.
“During our analysis, we have observed domains being used for phishing, as well as by scammers, offering fake technical support and by advertisers promoting products of questionable quality,” they wrote.
Attackers are impersonating well-known domains such as Apple.com, Facebook.com, Microsoft.com and PayPal.com, and obtaining legitimate certificates for the phishing domains they use, such as apple.com-133[.]com and facebook.com-secured[.]com.
“This means that the users who visit the domain and look at the URL will see the little green lock. Rarely will anyone check the actual certificate,” Shirokova and Nikolaev said.
Phishing emails often link to spoofed sites, and when they are viewed in a mobile browser or inside a narrow browser window, often the only thing the target sees is HTTPS in the URL and the first half of a spoofed domain such as Microsoft.com-pl-lot1[.]oficjalne-prezenty-gadzet[.]top.
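The lookalike domains above all share one trait: the brand name appears at the start of the hostname, but the registrable domain is something else entirely. The following detection heuristic is an added example, not code from the Talos report or from Threatpost; it defangs `[.]` indicators, extracts the hostname, and flags any URL whose host contains a brand name that is not also its registrable domain. The brand list is limited to the names the article cites, and the registrable-domain check is a deliberate simplification (last two labels) that a production check should replace with a Public Suffix List lookup.

```python
import re
from urllib.parse import urlsplit

# Brands the article names as impersonated (assumption: a real deployment keeps a broader list).
BRANDS = ("apple.com", "facebook.com", "microsoft.com", "paypal.com")


def refang(text: str) -> str:
    """Undo the [.] defanging convention used when quoting indicators."""
    return text.replace("[.]", ".")


def hostname_of(url: str) -> str:
    """Return the lowercase hostname; bare hostnames without a scheme are accepted."""
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""      # .hostname already lowercases
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """Simplification: treat the last two labels as the registrable domain.
    Multi-label public suffixes (e.g. co.uk) need the Public Suffix List instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def brand_lookalike(url: str):
    """Return (brand, registrable_domain) when a brand name starts a label of the
    host but the host's registrable domain is not that brand; None otherwise.
    A legitimate https://www.paypal.com/ resolves to registrable 'paypal.com' and passes."""
    host = hostname_of(url)
    reg = registrable_domain(host)
    for brand in BRANDS:
        # Anchor at a label boundary so 'pineapple.com' does not match 'apple.com'.
        if re.search(r"(^|\.)" + re.escape(brand), host) and reg != brand:
            return brand, reg
    return None


if __name__ == "__main__":
    # Constructed sample: the three hostnames quoted in the article plus two legitimate URLs.
    samples = [
        "apple.com-133[.]com",
        "https://facebook.com-secured[.]com/login",
        "Microsoft.com-pl-lot1[.]oficjalne-prezenty-gadzet[.]top",
        "https://www.paypal.com/signin",
        "https://example.com/",
    ]
    for s in samples:
        print(f"{s:60} -> {brand_lookalike(s)}")
```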
Researchers said attackers are taking advantage of certificate authorities such as Let’s Encrypt, which provides certificates for free, no questions asked.
“We acknowledge there is a problem here, but the solutions are not very clear cut,” said Josh Aas, the executive director of Let’s Encrypt, in an interview with Threatpost. He points out that Let’s Encrypt’s primary mission is to prevent surveillance and censorship on the web.
Aas said certificate authorities should not subjectively refuse certificates to domains, because doing so would essentially censor the web as HTTPS becomes more mandatory.
Phishing sites abusing SSL and TLS certificates are nothing new. Last month, a report by The SSL Store said that last year 15,270 free SSL certificates were issued to sites that contained the word “PayPal” in the domain name or the certificate identity. It claimed 97 percent were issued to phishing sites.
“The crux of the problem is this green lock and what people think it means. It means the connection is encrypted, not that the content of the site is safe,” Aas said. “Browsers are over-promising. What we need is content awareness.”
For now, the best course of action, according to Aas, is to rely on frameworks such as Google Safe Browsing and Microsoft SmartScreen, because they have the ability to block sites reported to them as unsafe.