Why SSL Certificates Have Become the New Frontier of Phishing

In 2020 so far, over half of all phishing sites the OpSec AntiFraud Security Operations Center have detected have an SSL certificate associated with the site. How much value do consumers place on the presence of a security certificate on a website?

From my very scientific Facebook poll of non-industry friends and family, the average user tends to think that the padlock, or the “s” in https, means they are visiting a valid, legitimate site, and any communication with that website is secure. Unfortunately, that is not accurate. The padlock icon (or the word “Secure” or sometimes the organization name) along with the “s” in https, indicates that the owner of the website has purchased an SSL certificate which encrypts the data transmitted from the user’s browser to the website. It does not verify that the website itself is legitimate and good-intentioned. This is an important distinction.

What’s an SSL Certificate?

SSL is short for Secure Sockets Layer and is the name for the technology used in establishing an encrypted communication channel between a web server and a browser, denoted by the “s” at the end of http in the website address. The purpose is to make sure the data that is transmitted remains private. Utilizing SSL to protect user’s data is an industry standard. In order to create an SSL protected communication channel, the website owner purchases an SSL Certificate from a Certificate Authority (CA).

There are different levels of SSL Certs available for purchase:

• The base level certificate provides for “domain validation” only – which is simply confirming that the email address of the person purchasing the cert matches the email address on the whois record for the domain.
• “Organization validated” certs have a more extensive validation process, including confirming domain ownership and organization identity. Organization validated certs are recommended.
• “Extended Validation” (EV) certs are most commonly used for financial and ecommerce sites because the CA uses a rigorous authentication method before the cert is issued, and browsers generally display the organization’s name in the address bar for verification.

HTTPS Does Not Mean the Site is Safe

Not too long ago most cybercriminals did not register SSL Certs for their phishing sites since it was costly, and CAs vetted the organization before granting an SSL Cert. Recently organizations like Let’s Encrypt, who led the initiative on this, have changed the landscape by removing fees for issuing domain validated SSL certs, and have offered a greatly simplified process for utilizing a SSL Cert. Their goal was a good one: to convert unsecure traffic to secure traffic for a large number of sites that either couldn’t afford to purchase a cert, or didn’t have the tech savvy to administer a cert. Unfortunately, this has led to extremely heavy misuse of this initiative by cybercriminals.

Cybercriminals use the free 90 day certs to take advantage of the general consumer perception that a https/padlock/”secure” designation indicates a safe site. The SSL cert conveys a false sense of security and lures more consumers to fall prey to phishing sites.

Web Browsers Can’t Protect Against This Problem

Web browsers have long encouraged consumers to trust the https secure designation, trusting that if an SSL Cert is purchased the intention is altruistic on the part of the domain owner. It’s only been in the last few years it’s become obvious this trust is misplaced, and that the level of cert purchased is important.

Web browsers are only providing limited protection by sometimes indicating a site is not secure if it doesn’t have a cert, and unfortunately there is no easy indicator for a consumer to verify the type of cert purchased for the website. There are also no additional checks to validate affiliation with the brand or organization contained in the domain name (if any).

OpSec AntiFraud has Adjusted Phishing Detection to Meet this Threat

To respond to this threat, we started ingesting feeds of SSL certificate creations from certificate authorities to detect phishing attacks several years ago. SSL certificates are created on hostnames across gTLDs and ccTLDs – though sometimes we can’t see the phishing site because it’s on a file path not identified in the SSL certificate creation. But given that our customer’s brand name was contained within the hostname we realized the value of sharing this intelligence with our customers.

On Thursday, July 30, we released the newest iteration of our EWS reporting to include SSL certificate intelligence directly to our customers. This data gives our customers the ammunition to better protect their employees and their organization from targeted attacks by blocking or diverting traffic coming from these unaffiliated domains or hostnames.