The entire InfoSec community, including myself, has been vocal about the necessity of switching websites to the HTTPS protocol. It appears, however, that hackers utilizing social engineering methods like phishing have found a way to use this to their advantage. As reported by Anna Shirokova and Ivan Nikolaev of the CISCO Talos team, there has been an uptick in “domains being used for phishing, as well as by scammers offering fake technical support and by advertisers promoting products of questionable quality.”
The difference from previous instances of such attacks, which are quite commonplace, is that these domains are able to give the semblance of HTTPS via appearance of the green padlock next to the malicious URL. To some, the green padlock is all that is needed for reassurance that the web domain they are visiting is secure. While HTTPS is without a doubt able to be trusted in the proper context due to its encryption protocols, it is not a magic bullet protection from scammers and hackers.
Consider the following domains that were utilized in the Talos team’s report:
To the trained eye, these should immediately raise suspicions, as the extraneous information in red is an obvious sign that the domain is not legitimate. The problem is, these very domains all had the green padlock, so to a less-informed individual who only uses that as a vetting criteria, these sites were OK to enter sensitive data on.
One might wonder as to how these malicious sites even received HTTPS certification. In Threatpost’s article on this subject, some of the blame was laid at the feet of services like Let’s Encrypt (whose mission I personally support). Let’s Encrypt’s purpose is to give greater privacy protection against mass surveillance for all who require it. The issue is that the certificates that Let’s Encrypt provides are freely given without any further inquiry.
In an interview with Threatpost, Let’s Encrypt’s executive director Josh Aas stated, “we acknowledge there is a problem here, but the solutions are not very clear cut,” and he further went on to say that “the crux of the problem is this green lock and what people think it means. It means the connection is encrypted, not that the content of the site is safe.”
While it is not a new phenomenon for SSL and TLS certificates to be abused, it appears to be an exponentially increasing issue in terms of Internet presence and danger. Crackdowns on services like Let’s Encrypt will only hurt the vast majority who need the increased protection of HTTPS (and help the malicious actors, government or otherwise, who wish to breach civilian privacy). Ultimately it comes down to educating the public on the nature of malicious domains and how to recognize them should they be encountered in the wild.
As it is with many issues in Information Security, a great deal of the possible attacks can be avoided with common sense. This common sense is taught by those in our field. It is simply up to the public to listen to us and know how to evaluate potential threats.