For years Google, Firefox, Apple and Microsoft relentlessly made the point, in order to avoid rogue sites make sure your browser “padlock” is either locked, green or otherwise “secure”. Now, cybersecurity firms are stressing those padlocks are not enough.
“You must look beyond the lock,” said Dean Coclin, senior director of business development at DigiCert. “They simply can’t be trusted anymore.”
On Monday, the Anti-Phishing Working Group released a study (PDF) that tracked a large uptick in phishing attacks in Q2 of 2020. The surge links to rogue in sites using the cryptographic protocol Transport Layer Security or TLS, most commonly referred to by its legacy name Secure Sockets Layer, or SSL.
SSL padlocks indicate a browser is using a secure and encrypted communication pipe to the server hosting the desired website. SSL warnings are also complimented by the additional HTTPS indication within a browser address bar, meaning the browser is transmitting information safely using Hypertext Transfer Protocol Secure.
Certificate Abuse Skyrockets
According to the Anti-Phishing Working Group (APWG) report, 80 percent of phishing sites used SSL certificates in Q2, according to APWG. Attacks ranged from phishing lures pointing to bogus wire transfer sites and social media platforms Facebook and WhatsApp being pelted with links to shady domains.
Pockets of abuse of TLS/SSL certificates have nagged the industry for years. But today the problem has become chronic, Coclin said. “Ever since the last major browser added SSL warnings to its address bar the bad guys have been also been using SSL/TLS padlock,” he said.
Phishers Up Anti with Abuse of Extended Validation Certificates
Rogue domain certificates have been mostly limited to bad actors acquiring what are called Domain Validated certificates acquired for free from services such as Let’s Encrypt.
Domain Validation certificates are a bare-bones solution for securing communications between a web browser and a server using TLS encryption. Several free services automated self-serve system that only checks that an applicant has control over a domain before issuing a free certificate. It’s a system ripe for abuse when issuing domain validation certificates, experts say.
Considered more secure are Extended Validation and Organizational Validation certificates. These higher-level certificates used by banks, insurers and ecommerce sites require extensive vetting of applicants to ensure sites are who they say they are. But now, the APWG reports that Extended Validation certificates may not be as trustworthy as once thought.
“In addition, the observed emergence of phishing sites using Extended Validation certificates in Q2 is a stark reminder that phishers are increasingly turning security features against users,” the report stated.
Of the attacks looked at in the APWG report, 91 percent of certificates used in phishing attacks were Domain Validate. “Interestingly, we found 27 web sites that were using Extended Validation certificates,” according to John LaCour, founder and CTO of Digital Risk Protection company PhishLabs.
“This use of Extended Validation certificates is a serious business. The point of an Extended Validation certificate is that they require verification of the requesting entity’s legal identity before the certificate is issued,” according to the report.
Hackers behind the Extended Validation certificates, didn’t acquire the certificates legitimately, rather they were stolen from hacked sites that already had them, the report states.
Attackers “are increasingly turning security features against users”, wrote PhishLabs in a recent blog post on the topic.
The primary concern has been that Domain or Extended Domain certificates offered criminals an easy way to facilitate website spoofing, server impersonation, man-in-the-middle attacks and a way to sneak malware through company firewalls.
Unsuspecting users might think they are communicating with trustworthy sites because the identity of the site has been validated by a CA, without realizing that these are either hijacked Extended or Domain validated certificates.
The remedy, Coclin said, from browser firms has been to rollout new safe-browsing tools such as Google’s Safe Browsing for Chrome and Microsoft’s SmartScreen filter which facilitates safe browsing for Internet Explorer and Edge browsers.
Coclin warns these are stopgap solutions and what really needs to be done is overhaul of the domain registration system. “Why people are allowed to register clearly fraudulent domains in the first place, I don’t know,” he said. “The problem is, nobody wants to own this problem. And until someone does, you must look beyond the padlock.”