On podcast 12 of the Security Box, we talked about a blog post from PhishLabs about the APWG phishing trends report. I covered it in a bit of a discussion then, but now is a good time to bring it up again as part of this year's NCSAM discussion.
In case you missed the Security Box, podcast 12, here are the show notes for that program.
Now, let's pick apart and discuss some of the things that got my attention in the article dealing with phishing.
The article we're going to talk about in this blog post is APWG: SSL Certificates No Longer Indication of Safe Browsing. Why this article specifically? Oh, don't worry, we'll cover other phishing articles, but this one is quite important.
Let us start at the beginning of the web as most of us met it, when all we had were text browsers and we connected from DOS. DOS was a text-only operating system. It had a few graphical programs, but no video or other multimedia, and the early web had none of the forms, online payments, and contact pages we take for granted today.
You could still download files such as executables and other small things, but the protocol has definitely changed since then. With that change comes phishing.
The protocol in the early days was just HTTP, Hypertext Transfer Protocol. It was used mainly to serve web pages, and back in the early 90s, even into the early 2000s, that was really all we needed.
As time passed, it became clear that to do credit card transactions and the like we needed a secure way to do it, so the "s" for secure was added. This became the standard, first with the SSL versions and now TLS. SSL is Secure Sockets Layer; TLS is Transport Layer Security. All either one does is encrypt the connection between your browser and the web server and confirm that the server holds a certificate for the name in the URL. It does not check that whoever runs that server is honest, and that is the whole point of the article we're about to discuss.
Then, roughly 10 years ago, Firesheep came out to show that plain HTTP connections were not safe on shared networks, since anyone on the same Wi-Fi could grab your session cookies, and that HTTPS needed to be the standard even if you weren't doing online banking and the like.
Well, when the actors started, their pages were not using HTTPS. We were taught that if we wanted to put in data such as credit card numbers and other information like that online, we needed to be on a secure connection. Sighted people looked for a padlock; screen reader users checked the URL of the page to hear that it had the "s" in it.
Examples:
http://www.example.com vs https://www.example.com
http://example.com vs https://example.com
That is how it has been until recently, when threat actors started securing their pages too, thanks to free, automated certificate services like Let's Encrypt.
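Since the padlock no longer tells you anything, the URL check the paragraph above describes is worth doing carefully. Here is an added example (my own illustration, not code from the PhishLabs or APWG article) that pulls a URL apart into the pieces that matter and flags the common tricks: a plain http scheme, a long host that merely contains the real name, a user@host prefix, and punycode labels. The expected domain example.com and every sample URL are constructed for the demo.

```python
"""Added example: what a URL actually tells you, independent of the padlock.

The host is the only part of a URL that says *who* you are talking to; the
scheme only says whether the connection is encrypted. These helpers break a
URL into its parts and check the host against a domain you expect.
"""
from urllib.parse import urlsplit


def host_belongs_to(hostname: str, expected_domain: str) -> bool:
    """True only if hostname is expected_domain or a subdomain of it.

    Compares on label boundaries, so www.example.com.evil.invalid does NOT
    match example.com even though the string contains it.
    """
    hostname = hostname.rstrip(".").lower()
    expected_domain = expected_domain.rstrip(".").lower()
    return hostname == expected_domain or hostname.endswith("." + expected_domain)


def check_url(url: str, expected_domain: str) -> dict:
    """Break a URL into the pieces a user should check and give a verdict."""
    parts = urlsplit(url)
    # urlsplit handles the user@host trick: in https://www.example.com@evil.invalid/
    # the real host is evil.invalid and "www.example.com" is just a username.
    hostname = parts.hostname or ""
    encrypted = parts.scheme == "https"
    right_site = host_belongs_to(hostname, expected_domain) if hostname else False
    warnings = []
    if not encrypted:
        warnings.append("plain http: the connection itself is not protected")
    if parts.username is not None:
        warnings.append("user@ before the host: the real host is " + hostname)
    if any(label.startswith("xn--") for label in hostname.split(".")):
        warnings.append("punycode label: host may be a look-alike of another name")
    if encrypted and not right_site:
        warnings.append("https but wrong host: the padlock belongs to " + hostname)
    return {
        "scheme": parts.scheme,
        "host": hostname,
        "encrypted": encrypted,
        "expected_site": right_site,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample URLs for the demo; none of these hosts are real sites.
    samples = [
        "http://www.example.com/login",
        "https://www.example.com/login",
        "https://www.example.com.account-verify.invalid/login",
        "https://www.example.com@evil.invalid/login",
        "https://xn--exmple-cua.com/login",
    ]
    for url in samples:
        result = check_url(url, "example.com")
        status = "OK" if result["encrypted"] and result["expected_site"] else "CHECK"
        print(f"{status:5} {url}")
        for warning in result["warnings"]:
            print("      -", warning)
```

Only the second sample passes: the third and fourth are HTTPS and would show a padlock, yet the host the browser connects to is not example.com at all. That is the situation the article describes, a valid certificate on the wrong site.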
Without going into any detail on Let's Encrypt, let us just say that they do domain validation certificates, and I believe they can now work on sites using the control panel we use on Linux boxes, which was not the case before.
Let's fast forward to recent times, where PhishLabs articles kept indicating that the share of phishing sites using SSL/TLS was creeping up, and it was only a matter of time.
Under the heading
SSL Abuse Continues to Skyrocket
here is the most important piece of information taken from this article.
PhishLabs, an APWG contributing member, is tracking the increased use of SSL certificates on phishing sites. Threat actors abuse HTTPS certificates to enhance compromised sites by tricking internet users into believing the site is secure. Alarmingly, almost 80% of phishing sites used SSL certificates during Q2, meaning users should no longer attribute the certificate as an indicator of safe browsing.
The portion continues:
“The number of phishing sites using TLS continues to increase,” said John LaCour, Founder and CTO of Digital Risk Protection company PhishLabs. “Most web sites—good and bad—now use TLS. Phishers are hacking into legitimate web sites and placing their phishing files on those compromised sites.”
This exact thing happened to the Jared Rimer Network some years ago, and it even affected several sites across my network. Somehow, actors were able to gain access to several of the sites across my network, upload their wares, and we'd be notified about it. I was notified one morning by PhishLabs directly by email, and I promptly called them at 6:30 am on my way to my day activity. When I indicated that I couldn't get to the page from the email, they indicated that the issue was resolved, which was good news to my ears. I'm sure my provider was notified, cleaned it up, and that was the end of it. This is what needs to happen, because we may not even know that anything is going on.
To the provider's credit, they learned quickly. This is because they sent me the reports, and I was to deal with it, which I did not have access to do. I get it, it's hard to maintain a network when you get reports like this, and I did ask for assistance. I definitely thought there was a problem when I was told the passwords were as secure as humanly possible.
Under the section
SSL Growth
it talks about Extended Validation certificate usage. If you search for “Extended Validation Certificate” (minus the quotes), a prominent provider named DigiCert comes up. There are other places to learn about these certificates, and that is not the focus of this article today.
Let’s cover this section under SSL growth for a moment.
In addition, PhishLabs has noted the emergence of phishing sites using Extended Validation (“EV”) Certificates.
“The vast majority of certificates used in phishing attacks — 91 percent — are Domain Validated (“DV”) certificates,” noted LaCour. “Interestingly, we found 27 web sites that were using Extended Validation (“EV”) certificates.” In order to be issued an Extended Validation certificate, a site must provide verification of its legal identity. In theory, EV certificates indicate that a site is more trustworthy, and their presence on phishing sites is significant.
It isn't surprising that the majority of certificates issued today are domain validated. This is because DV is the easiest to get: the certificate authority only checks that you control the domain, either by having you put a file it specifies on the web server or by having you add a DNS record, and hosting control panels automate that exchange so certificates are issued and renewed without anyone typing a thing. Nobody checks who you are. And if a legitimate site is compromised, the attacker's phishing page rides on the perfectly valid certificate the real owner already has.
As for organization validated (OV) certs, I am not aware of how those work, and that is for your research.
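To make concrete what "put a file on the web server" means for a DV certificate (the Let's Encrypt and control-panel automation mentioned earlier, and the reason DV proves only domain control), here is an added example that simulates the ACME HTTP-01 challenge from RFC 8555 entirely offline. This is my own illustration, not code from Let's Encrypt, PhishLabs or any control panel; the stand-in CA, the stand-in web site, the account key and the token are all constructed for the demo.

```python
"""Added example: what a domain-validated (DV) certificate actually proves.

Simulates the ACME HTTP-01 challenge (RFC 8555 section 8.3) with the standard
library only and no network. The "CA" hands out a random token; the "site"
serves token.thumbprint at /.well-known/acme-challenge/<token>; the "CA"
fetches it and compares. Passing proves control of the web server at that
name and nothing about who runs it, which is why a compromised legitimate
site hands a phisher a valid certificate for free.
"""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no spaces."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What must be served: the token, a dot, and the ACME account key thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class WebSite:
    """Stand-in for the web server the CA will probe (constructed for the demo)."""

    def __init__(self):
        self.files = {}  # path -> body, as if written under the document root

    def place_challenge(self, token: str, account_jwk: dict) -> None:
        # This is the "something on a web server" step; a control panel does it for you.
        self.files[f"/.well-known/acme-challenge/{token}"] = key_authorization(token, account_jwk)

    def get(self, path: str):
        return self.files.get(path)


class ToyCA:
    """Stand-in for the CA's validation step. Only domain control is checked."""

    def issue_challenge(self) -> str:
        return b64url(secrets.token_bytes(32))  # RFC 8555 wants at least 128 bits of entropy

    def validate_http01(self, site: WebSite, token: str, account_jwk: dict) -> bool:
        body = site.get(f"/.well-known/acme-challenge/{token}")
        return body is not None and body == key_authorization(token, account_jwk)


# Constructed ACME account key as a public JWK. The modulus is a short fake,
# not real RSA material; only the thumbprint computation matters here.
DEMO_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "demo-modulus-not-real"}


def run_validation(place_file: bool = True) -> bool:
    """One HTTP-01 round trip. place_file=False models a requester who does
    not control the web root, so the CA's fetch finds nothing."""
    ca, site = ToyCA(), WebSite()
    token = ca.issue_challenge()
    if place_file:
        site.place_challenge(token, DEMO_ACCOUNT_JWK)
    return ca.validate_http01(site, token, DEMO_ACCOUNT_JWK)


if __name__ == "__main__":
    print("requester controls the web root:", run_validation(True))
    print("requester does not control it:  ", run_validation(False))
```

Note what is absent: no name, no address, no business registration. Anyone who can write one file under the document root, including someone who broke into the site, passes this check, and the certificate they get back is indistinguishable in the browser from the one on your bank's site.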
The article goes into much more detail than I could ever cover section by section and give my thoughts on. As part of NCSAM, check out the article in full and feel free to ask questions; the worst that can happen is that I won't know the answer. I'd rather tell you that I don't know than lead you wrong.
Found this article of value? Why not search NCSAM while you're here to see what else has been covered? We covered NCSAM last year with many articles linking to further material, and I'm sure much of it is still of value today. I want to thank each and every one of you for coming by and checking out this blog. I hope you find the info of value, and if you have something to share, please get in touch. See you next time!
Updated 4:10 PM 10/6/2020 to fix a broken link