Introducing the 2024 PKI & Digital Trust Report     | Download the Report

HTTPS Phishing Attacks: How Hackers Use SSL Certificates to Feign Trust

SSL/TLS Certificates

Let’s journey back to 1994. No need to dig out your pager or put on your flannel shirt. This was the year that the first SSL protocol was born. It was launched by Netscape to meet the growing need for added security for that newfangled invention called the Internet.

Several versions of SSL later and it eventually transformed into the TLS we know today. However, like a bad nickname, we still refer to TLS as SSL.

Since those early days of the dawn of the web browser, there have been ongoing issues with the security of SSLs. Cybercriminals love to implement phishing scams using SSL certificates and pose them as trusted sites. This scam has been around since 2005 when the first accounts of phishing using SSL certificates were made.

According to a report by the Anti-Phishing Working Group (APWG) and contributor PhishLabs, in the first quarter of 2021, 83% of phishing sites had SSL encryption enabled. Amazingly, this was the first time that the number plateaued since PhishLabs began the study in 2015.

But organizations can’t use this news as a reason to start letting their guard down against SSL phishing attacks. Especially since phishing threats overall are on the rise with the total number increasing by 22% in the first half of 2021.

Why attackers love to go SSL phishing

It was Ronald Reagan who coined the proverb “trust, but verify” and this is especially true when it comes to SSL certificates. That little padlock symbol in the browser brings with it a sense of trust that you will be protected and not have someone run off with all your money. And it is cyber criminals who are out to break that trust.

SSL certificates are supposed to protect all the things that are gold to a cybercriminal from when you celebrated your birthday to when you made your last banking withdrawal. Fraudulent HTTPS sites are a favorite gateway to this information for hackers who are savvy in how to easily provide a false sense of security. It is relatively simple for them to set up a fake HTTPS site with that trusted padlock in attacks that are often described as “low risk, high reward.”

Attackers’ M.O. is usually to obtain original SSL certificates for lookalike or typo-squatting domains or plain out stealing SSL certificates. Research from Deloitte found that 91% of all cyberattacks begin with a phishing email to unexpecting victims. They are typically lured to the sites via a link in an email sent from a legitimate address such as a reputable company or well-known person.

In the second quarter of this year, 90.5% of phishing sites used Domain Validated (DV) SSL Certificates. Organization Validated (OV) Certificates were the second most popular among cybercriminals and represented 9.51% of SSL Certificates. DV Certificates probably received top billing because they are easy to acquire and are often free. OV Certificates usually require the domain owner to take more steps to authenticate the site.

Only 11 sites had Extended Validation (EV) Certificates. Those sites were all legitimate sites that had been hacked rather than sites built by attackers who had somehow acquired EV certificates.

The various types of HTTPS phishing attacks

Perhaps one of the most well-known examples of using emails and lookalike sites for phishing expeditions is Sony Pictures. In 2014, what most likely happened is hackers sent fake Apple ID emails to people at Sony. Personnel who clicked on the email’s link were taken to an Apple website that looked a lot like the real thing. Hackers were then able to infiltrate the company and steal passwords, logins, and other valuable data.

Despite Apple being popular among attackers, it didn’t even make the top ten on Vade’s annual list of the most impersonated brands in phishing attacks. For the third year running the top spot went to Microsoft. It had 30,621 unique phishing URLs. Facebook followed with 14,876 URLs and PayPal, Chase, and eBay rounded out the top five. 

Here is a closer look at some common types of HTTPS phishing attacks. These techniques are constantly evolving, and many are used in combination for an even greater threat.

  • Man-in-the-Middle (MITM) Attack: Attackers eavesdrop on secure conversations between two parties who think they are just communicating with each other and often gain access using expired SSL certificates.
  • SSL Stripping Attack: This is a form of the man-in-the-middle attack where hackers will downgrade a web connection from the more secure HTTPS to the less secure HTTP by stripping away the encryption.
  • Wildcard Certificates: Attackers use a stolen private key to gain access to a wildcard certificate or they trick the certification authority into issuing it for a fake company.

HTTPS phishing and the COVID-19 pandemic

It is no surprise that cybercriminals would leverage the pandemic for HTTPS phishing attacks. They are preying on people during a difficult time with social engineering tactics that draw them to scam websites touting everything from cures to fake news. 

SpyCloud analyzed a list of over 136,000 hostnames and fully qualified domain names with COVID-19 or coronavirus themes. It found that 78.4% of the COVID-19-themed domains used HTTP and the rest used HTTPS.

Pandemic-related phishing attempts in June 2021 increased 33% compared to a lull in COVID-19-themed threat campaigns through the spring and early summer of 2021 when virus concerns temporarily waned. The June spike occurred right when Google searches for “Delta variant” was peaking.

There has also been an uptick in companies’ HR departments asking employees to send proof of vaccination (with the birth date!) or personal coronavirus test results via an unsecured form or upload that is ripe for hackers. Another method on the rise is sending phishing emails telling employees they are losing their jobs because of the pandemic.

Due to the pandemic, many companies have pivoted to work-from-home situations. However, organizations have been lacking in enforcing their cybersecurity protocols and employees have been operating at home with little oversight. More than half of IT leaders believe employees have picked up bad cybersecurity behaviors since working remotely.

Remote work has led to an increased reliance on cloud applications. Microsoft Office 365 has been a go-to platform for distributed workers, and it is estimated that Office 365 is used by over a million companies worldwide. The problem is that Office 365 is a favorite among hackers. There has been a high volume of multiple corporate phishing attempts to steal Microsoft Office 365 credentials. Victims are often directed to input their Microsoft login credentials on imposter sites that appear real but lack the proper SSL certificate.

Or criminals are attacking Microsoft’s affiliates like its cloud-based email management service Mimecast. Earlier this year, Mimecast claimed that attackers went after the digital certificate it provided to certain customers to securely connect its products to Microsoft 365. The compromised certificate was most likely a trusted SSL certificate that was issued to Mimecast.

Protecting your enterprise from HTTPS phishing

As of February 2021, Google Chrome accounted for around 46% of the overall internet browser market share in the United States. Google reports that over 90% of page loads in Chrome on most operating systems occur over HTTPS compared with HTTP. Starting this year, Google’s Chrome web browser will be rolling out an optional default for “HTTPS-Only Mode.” The new setting will appear as a simple toggle under the settings security page and when set would make HTTP websites inaccessible.

Additionally, Google wants to retire the padlock icon and is considering instead trying a downward-facing chevron/caret that opens a menu to set site permissions and see other site details. In Google’s survey of moderately tech-savvy respondents, only 11% of participants could correctly identify the meaning of the padlock icon. Some thought it was the bookmark icon or the site’s favicon. And this problem is just one more layer in people’s understanding that just because a site has HTTPS, it doesn’t mean that it is guaranteed to be trustworthy.

Your enterprise most likely has a section in your cybersecurity training about phishing attacks but double check that it specifically covers HTTPS related phishing. For a long time, employees have assumed that if they see that padlock symbol then they know the page they are visiting is safe. Educate them on the HTTPS cyber threats to better protect your organization against phishing schemes using SSL certificates.

Here are a few simple tips to share with your company:

  • If an employee receives a suspicious email with a link, direct them to call or email (not reply) to the person directly and ask if they sent it. This goes for people inside and outside the organization.
  • Look closely at the website’s URL and check for misspellings or the wrong domain such as the use of .gov versus .com. Advise them to type the URL directly in their browser instead of clicking directly on the link.
  • Teach the employee how to hover over the link to see if the destination is the correct one. Reinforce that the person is only to hover and not actually click on the link even if it appears to possibly be a safe site.
  • Avoid using wildcard certificates on production systems, which increases the risk and attack surface, if a server or certificate is compromised.