A new ‘secure’ phishing site is established every 2 minutes.

Recently, Google’s Chrome browser has started to roll out updates to label all HTTP sites as ‘not secure’. This is a significant step forward in establishing HTTPS as the de facto standard for web communication, sending users a clear message ‘if the site doesn’t encrypt your content, you shouldn’t use it’.

HTTPS has been around for some time. However, it was not until quite recently (late 2016) that we reached the tipping point, with HTTPS used for more than 50% of all web traffic. HTTPS usage is now even more prevalent on mobile; among the mobile traffic that we observed in 2018, 89% of requests were encrypted using HTTPS.
Unfortunately, attackers are also adjusting to this new paradigm and are exploiting the public notion that sites using HTTPS are secure by adopting this standard for their malicious sites. In fact, according to our data, 60% of malicious traffic is encrypted using HTTPS.

Encryption + identification = secure communication

For a secure data transfer to take place we need two things – encryption (HTTPS) and identification (SSL Certificates).

  • HTTPS plays an important role in security and privacy by hiding the content of traffic from anyone who might be monitoring it. This allows users to send sensitive information, such as usernames and passwords or credit card details, across the internet without it being read by an eavesdropper. In some cases companies decrypt traffic at their own firewalls in order to inspect communication for security reasons, thereby positioning themselves as a trusted middleman.
  • An SSL certificate binds a cryptographic public key to a website. As such, certificates are crucial for establishing a secure end-to-end connection to a website. Without them, browsers cannot tell whether they are talking directly to the intended site or to a malicious party in the middle. Certificates are issued by Certification Authorities (CAs) and every website owner who wants to use HTTPS must obtain one.

Encryption and its supporting infrastructure give us a very rich source of information. In particular, we can obtain a list of newly registered domains together with the certificates that enable those sites to transmit data using HTTPS.

Certificate Transparency keeping CAs in check

Even though strict and rigorous vetting processes should precede certificate issuance, rogue certificates are nevertheless issued from time to time. To make it easier to spot fraudulent certificates, a new system called Certificate Transparency (CT) was established.
CT is a system of publicly accessible logs that aims to publish all certificates at the time when they are issued so that anybody can search for any certificate belonging to any domain. Following Google’s move to require CT for all certificates (which was delayed multiple times), CAs are forced to submit their certificates to CT logs.
Initiatives such as Facebook’s Certificate Transparency Monitoring tool show just how important CT really is for the large technology players. CT has already proven itself useful in helping to discover erroneous issuance of certificates such as when Symantec issued a rogue certificate for google.com.
Google is the main driver behind CT – besides development of CT and the aforementioned changes in Chrome, Google maintains a large number of CT logs. Furthermore, a curious observer might spot the unusually high number of certificates for the Google-owned flowers-to-the-world.com domain appearing in the logs (this can reach more than 100 per day for this single domain). These certificates are issued by Google and are apparently used for monitoring performance and compliance of the logs.
SSL certificates themselves contain a large amount of information and this metadata is used by Wandera to assess the reputation of a domain we observe.

Hackers leverage services that make encryption and identification accessible

Attackers use domain validation to hide their identity

One of the most important pieces of certificate information is the validation type. There are three different types of validation, distinguished by how rigorously the certificate applicant was vetted before the certificate was issued:

  • Domain-Control Validation (only the control of the subject domain was verified)
  • Organization Validation (the identity of the company behind the domains was checked against registers, etc.)
  • Extended Validation (requires the strongest, most rigorous checks of the company identity).

While validation type is something that only 4% of ordinary users (according to a recent Twitter poll by security expert Troy Hunt) might understand or check when assessing the security of a particular site, it is easy for an automated algorithm to take this into account.
As expected, malicious sites that we block use mostly domain-control validation, while organization validation is much more common among top sites.

Note: Phishing and scams are often published on sites where third-party content is allowed, such as blog spaces. Hence, the owner of the certificate is not always the one responsible for the phishing/scam page, and this has to be taken into account when researching this field.

Attackers use Let’s Encrypt for cheap HTTPS setup

Services such as Let’s Encrypt are enabling website owners to set up HTTPS easily and cheaply, thus contributing to a safer and better Internet. However, attackers can also utilize these services to make their sites look more trustworthy. Based on an analysis of our traffic, Let’s Encrypt certificates are used on a much higher proportion of malicious sites using HTTPS than they are across randomly sampled HTTPS sites from our traffic (61.1% vs 13.5%).

Attackers reuse certificates for multiple domains

Another example of useful information that can be extracted from a certificate is the Subject Alternative Name (SAN) list. This field enumerates all domains for which the certificate is valid, so numerous malicious domains that share a single certificate can be linked together.
Below is an example screenshot of SANs listed in a certificate belonging to vend[.]world sites – a known group of phishing sites.
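The three certificate fields discussed above (the validation type expressed as certificate policy OIDs, the issuer organisation, and the Subject Alternative Name list) can all be read mechanically, which is what makes them usable for automated reputation scoring. The following Go program is an added example and is not Wandera's or MI:RIAM's code: it builds a few constructed sample certificates in memory (invented names under the reserved .example domain, a Let's Encrypt-style issuer organisation and an invented "Example Trust Ltd" issuer), then classifies each leaf as DV/OV/EV from the CA/Browser Forum policy OIDs, checks whether the issuer organisation is "Let's Encrypt", and lists which other domains share a certificate with a given name. The policy OIDs are the public CA/Browser Forum values; the helper names, sample organisations and domains are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// CA/Browser Forum policy OIDs that mark a leaf certificate's validation level
// (public standard values, not taken from the article).
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidDV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidOV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidEV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
)

// policyInfo mirrors RFC 5280 PolicyInformation; qualifiers (CPS URIs) stay raw.
type policyInfo struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

// ValidationType decodes certificatePolicies and reports EV, OV, DV or unknown.
func ValidationType(cert *x509.Certificate) string {
	level := "unknown"
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var policies []policyInfo
		if _, err := asn1.Unmarshal(ext.Value, &policies); err != nil {
			return level
		}
		for _, p := range policies {
			switch {
			case p.Policy.Equal(oidEV):
				return "EV" // strongest level present wins
			case p.Policy.Equal(oidOV):
				level = "OV"
			case p.Policy.Equal(oidDV) && level == "unknown":
				level = "DV"
			}
		}
	}
	return level
}

// IsLetsEncrypt reports whether the issuer organisation is Let's Encrypt.
func IsLetsEncrypt(cert *x509.Certificate) bool {
	for _, org := range cert.Issuer.Organization {
		if org == "Let's Encrypt" {
			return true
		}
	}
	return false
}

// SharedWith returns every SAN DNS name co-listed with name on any certificate,
// i.e. the domains that a shared certificate links to it.
func SharedWith(certs []*x509.Certificate, name string) []string {
	seen := map[string]bool{}
	for _, c := range certs {
		for _, n := range c.DNSNames {
			if n != name {
				continue
			}
			for _, m := range c.DNSNames {
				if m != name {
					seen[m] = true
				}
			}
		}
	}
	out := make([]string, 0, len(seen))
	for m := range seen {
		out = append(out, m)
	}
	sort.Strings(out)
	return out
}

// mustCert issues a certificate for dnsNames from issuer; a nil issuer yields a
// self-signed CA. certificatePolicies is encoded by hand (hypothetical helper)
// so the output does not depend on which policy field a given Go version honours.
func mustCert(subj pkix.Name, dnsNames []string, policy asn1.ObjectIdentifier,
	issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subj, DNSNames: dnsNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour),
	}
	if issuer == nil { // self-signed issuing CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		issuer, issuerKey = tmpl, key
	}
	if policy != nil {
		polDER, err := asn1.Marshal([]policyInfo{{Policy: policy}})
		if err != nil {
			panic(err)
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: polDER}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SampleCerts builds constructed sample data (invented names and organisations):
// a DV leaf from a Let's Encrypt-style issuer covering three look-alike names,
// and an OV leaf for a shop from a different issuer.
func SampleCerts() []*x509.Certificate {
	le, leKey := mustCert(pkix.Name{CommonName: "Sample DV CA", Organization: []string{"Let's Encrypt"}}, nil, nil, nil, nil)
	ovCA, ovKey := mustCert(pkix.Name{CommonName: "Sample OV CA", Organization: []string{"Example Trust Ltd"}}, nil, nil, nil, nil)
	dv, _ := mustCert(pkix.Name{CommonName: "login-verify.example"},
		[]string{"login-verify.example", "account-check.example", "secure-update.example"}, oidDV, le, leKey)
	ov, _ := mustCert(pkix.Name{CommonName: "shop.example", Organization: []string{"Example Shop Ltd"}},
		[]string{"shop.example", "www.shop.example"}, oidOV, ovCA, ovKey)
	return []*x509.Certificate{dv, ov}
}

func main() {
	certs := SampleCerts()
	for _, c := range certs {
		fmt.Printf("%s: issuer=%v validation=%s letsencrypt=%t sans=%v\n",
			c.Subject.CommonName, c.Issuer.Organization, ValidationType(c), IsLetsEncrypt(c), c.DNSNames)
	}
	fmt.Println("linked to login-verify.example:", SharedWith(certs, "login-verify.example"))
}
```

The same three functions work unchanged on real leaf certificates parsed with x509.ParseCertificate from a CT log entry or a TLS handshake; only the construction helper is specific to the sample data. Note that a DV result or a Let's Encrypt issuer is a signal to feed into a reputation score, not a verdict on its own, since the majority of legitimate small sites use exactly that combination.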

You can’t always trust the padlock

HTTPS is finally becoming the standard protocol for web traffic. Providers like Let’s Encrypt provide ways to set up HTTPS easily and for free, which is a good thing because it makes encryption easily accessible to small sites and contributes to safer internet. However, hackers are adjusting their obfuscation techniques to exploit user reliance on HTTPS as a trusted checkmark of a ‘secure’ site.
MI:RIAM analyzed certificate registration events across the globe and, among these supposedly secure domains, found an average of 30 new phishing sites and a further 18 suspicious URLs published every hour. That’s a new secure phishing site every two minutes. In a particularly bad 24-hour period, MI:RIAM discovered over 1150 new HTTPS phishing sites, and that is not including the plethora of malicious HTTP phishing URLs that we already know exist.