Phishing crews are increasingly using sites with valid SSL certificates to make their attacks appear more legitimate, a new report shows.
In the last couple of years it has become much easier and faster for site owners to obtain SSL certificates for their sites, thanks to the emergence of free CAs such as Let’s Encrypt. This has led to a big uptick in the use of encrypted connections by sites across the web, both legitimate and otherwise. New research from PhishLabs shows that attackers are taking advantage of the easy availability of certificates in order to add a layer of legitimacy to their malicious sites. In the first quarter of 2017, more than 10 percent of all phishing attacks involved a site with a legitimate SSL certificate, the company said, up from about five percent in the fourth quarter of 2016.
The key to these attacks is the visual cue in the browser that tells victims the site they're on is safe. In fact, the browser is only indicating that the site has a valid digital certificate and that the connection is encrypted; it says nothing about whether the site is malicious.
“Depending on the browser, victims visiting a website with a valid SSL certificate will see a lock icon and/or the word ‘Secure’ in the URL bar, indicating that it is a ‘trusted’ website. By using these certificates, phishers give their fraudulent sites a hint of legitimacy by giving victims a visual cue of security,” the report says.
“The surge in the number of phishing attacks using SSL certificates can be linked to an extraordinary rise in the number of attacks using this technique targeting two companies: PayPal and Apple. More than 70% of all secure phishing sites in the first quarter of 2017 targeted one of these two companies. As a percentage of their overall volume, more than a quarter of PayPal phishing attacks and 18% of Apple phishing attacks used SSL certificates in the first three months of 2017. Only four percent of all the phishing attacks targeting other organizations used SSL certificates.”
The use of SSL certificates to give phishing sites a shiny veneer is a troubling development. One of the key pieces of advice that security experts give users for identifying phishing attacks is to look at the address bar, checking the URL for misspellings and checking for the lock icon. The use of a valid certificate removes part of the usefulness of that advice.
Overall, PhishLabs said phishing volume increased 20 percent from the fourth quarter of last year, and attacks targeting payment services spiked by more than 75 percent.
“The total number of phishing attacks targeting payment service companies in the first three months of 2017 was 76% higher than the first quarter of last year and is the largest quarterly volume we’ve observed in the past three years. This growth can be primarily attributed to a significant surge in phishing attacks targeting PayPal, which comprises 93% of all volume within the payment service industry,” the report says.