In an era dominated by digitalization, HTTPS phishing attacks have become a major concern for companies and individuals. The security padlock icon, representing the HTTPS protocol, is often seen as a seal of security and reliability.
However, this perception has been skillfully exploited by cybercriminals, who are using SSL certificates to mask their HTTPS phishing attacks, fooling even the most cautious users.
This article aims to debunk the myths surrounding HTTPS and offer insights into how to protect your organization against these hidden threats.
The Security Padlock Myth: Unraveling the False Promise of Protection
Many of us have been taught to look for the security padlock icon when surfing the web, seeing it as a sign that a site is safe and reliable. Unfortunately, this simplistic notion has become dangerous.
The HTTPS protocol and the security padlock icon indicate that the data transmitted between the user’s browser and the web server is encrypted, making it inaccessible to malicious interceptors.
However, this does not guarantee the legitimacy or “good intentions” of the site.
Obtaining an SSL certificate, which enables the HTTPS protocol, involves a Certificate Authority verifying ownership of the domain.
The process does not assess the nature or purpose of the site’s content.
This means that while an HTTPS phishing site may not have direct access to the data entered by a user (thanks to encryption), it can still present misleading or malicious content with the appearance of being safe.
What’s more, with the increasing ease and accessibility of obtaining SSL certificates, many cybercriminals are acquiring them for their phishing sites. This allows them to display the padlock icon, exploiting the user’s trust in the symbol.
A recent survey revealed that a significant number of phishing sites now use HTTPS, making it even more difficult for ordinary users to distinguish legitimate sites from fraudulent ones based solely on the presence of the padlock.
While the padlock indicates encryption and protection against data interception, it is not a guarantee that the site is legitimate or secure in terms of content.
It is essential that users and companies are educated about this distinction in order to surf the web with real security
With this reality in mind, imagine the following situation: you receive an email very similar to the one from your usual bank.
In the content of the email, there is an invitation to check out the new user interface or update your account details, something simple and mundane.
The link in the e-mail takes you to a website that looks incredibly similar to your bank’s. The resemblance is striking.
The address of the bank’s original website is “meubanco.com.br”, but in this case, the address of the website to which the e-mail took you is “meubanco.io”.
The detail of the domain, although subtle, goes unnoticed by the vast majority of users
The site looks legitimately secure, displays the security padlock icon that you have learned to trust, located next to the URL in the browser’s address bar.
Encouraged to proceed, you enter your branch, account number and password. The data is filled in, but an incorrect password message appears on the screen. Immediately afterwards, you are automatically redirected to the bank’s original website, “meubanco.com.br”.
With the feeling of a simple failure, you try again, this time being careful not to get the password wrong. Access to the banking system works perfectly for this second purpose.
However, what is not immediately clear is that, at this point, the cybercriminal has already gained access to your bank details.
During the failed attempt on the phishing site, your information was captured while you believed you were entering it on your bank’s original site.
This alarming situation can occur with any site that requires access information, from banks to e-commerce sites.
The attacker’s objective varies according to their specific goals – be it stealing money directly through fraudulent transactions, gaining access to an account for another form of fraud or even selling these access details to third parties on the DarkWeb.
Understanding this type of attack and knowing how to identify the subtleties that give away a phishing site is essential for navigating safely in the digital age.
Always remember to check the URL, even when the site appears to be secure due to the presence of the padlock icon.
Always stay up to date and aware of the dangers online to protect your personal and financial information.
The Rise of Phishing HTTPS: A Constantly Evolving Threat
Phishing, one of the oldest forms of cyberattack, has adapted and evolved over the years to remain effective.
With the growing adoption of the HTTPS protocol and increased awareness of its importance, cybercriminals saw an opportunity to use this trust to their advantage.
A
study by
Phishlab
s revealed that in 2017, around 25% of all phishing attacks used secure connections and SSL certificates.
This represents a significant increase compared to previous years and highlights the change in cybercriminal tactics.
Rather than being an exception, phishing phishing sites with HTTPS are becoming the norm
As we saw right at the start, the main aim of these attackers is to capitalize on the user’s trust in the padlock icon, leading them to believe that they are in a secure environment and thus more likely to provide personal or confidential information.
In addition, many modern browsers now alert users when they access unencrypted sites, making it even more attractive for attackers to equip their phishing sites with HTTPS.
The evolution of HTTPS phishing attacks highlights the need for a more holistic approach to online security.
It’s not enough just to look for the padlock icon; it’s essential to evaluate the URL, the content of the site and to use robust security solutions that can detect and block phishing sites.
Wildcard Certificates: An Open Door to Multiple Risks
Wildcard certificates are a powerful tool, but if misused they can become a significant vulnerability.
They are designed to be a convenient solution, allowing a single SSL certificate to be used for several subdomains under a main domain.
For example, a wildcard certificate for “*.exemplo.com” could be used for “loja.exemplo.com”, “blog.exemplo.com” and so on.
Why are they attractive?
The main advantage of wildcard certificates is their convenience and cost-effectiveness. Instead of managing and renewing multiple certificates for each subdomain, companies can use a single wildcard.
This can simplify administration and reduce costs.
But where is the danger?
The comprehensive nature of wildcard certificates is a double-edged sword. Although they offer convenience, they also introduce significant risks:
- Extended Commitment:
The biggest risk with wildcard certificates is that if one subdomain is compromised, all the other subdomains under the same certificate could also be at risk.
In a typical scenario, if a specific subdomain is breached, the damage is usually limited to that subdomain.
However, with a wildcard certificate, an attacker who gains access to a subdomain can potentially exploit the certificate to attack other subdomains.
- False sense of security:
The simplicity of wildcard certificates can lead organizations to believe that they are fully protected.
In practice, this mentality can lead to less rigorous management and lax security practices, making it easier for attackers to exploit vulnerabilities.
- Malicious Use of Stolen Certificates:
If a wildcard certificate is stolen or compromised, it can be used by attackers to create phishing sites or other malicious sites that look legitimate.
For example, an attacker could create a fake subdomain such as “pagamento-falso.exemplo.com” using the compromised wildcard certificate, tricking users into thinking they are on a legitimate subdomain of the company.
- Difficulty of Tracking and Revocation:
In the case of compromise, it can be more challenging to track down all the instances where the wildcard certificate has been used.
In addition, revoking a wildcard certificate can have wider implications, potentially stopping operations in several sub-domains simultaneously.
While wildcard certificates offer convenience and efficiency, they also introduce a number of security risks that organizations should consider carefully.
The key is to balance the need for operational efficiency with robust cybersecurity practices.
Good Practices to Protect Your Company: Strengthening the Defense Against Phishing HTTPS
In a scenario where cybercriminals are constantly adapting their tactics, it is essential that companies stay one step ahead by implementing robust security practices.
Here are some detailed strategies that organizations can adopt to protect themselves against threats from HTTPS phishing attacks:
- Continuing Education and Training:
The first line of defense is always the end user. Investing in regular, up-to-date training for employees can help identify and prevent phishing attempts.
Hold regular training sessions, simulating HTTPS phishing attacks to test and educate employees.
- Rigorous verification of URLs and certificates:
Teach users to check the site URL and SSL certificate details before entering any information.
Implement tools that highlight or warn about URLs suspected of HTTPS phishing attacks and provide guides on how users can manually verify SSL certificates.
- Proactive Monitoring:
Keep a close eye on your company’s online presence. Actively monitoring the web for fraudulent copies of your pages can help detect and neutralize threats quickly.
Use brand and phishing monitoring services to identify fraudulent sites that imitate your brand.
- Clear communication with clients:
Keep your customers informed about potential risks and what your company is doing to protect them.
Create a dedicated section on your website for security updates and send out regular communications, especially in response to known threats.
- Implementation of Advanced Security Solutions:
In addition to traditional security solutions, it is essential to adopt specific tools to manage and monitor your SSL/TLS certificates. These tools help to ensure that certificates are always up-to-date, valid and correctly configured, reducing the risk of vulnerabilities.
Security in the Digital Age: More than Just a Padlock
In a world where digitalization permeates every aspect of our lives, online security has become more crucial than ever.
In practice, companies must go beyond traditional security solutions and adopt a holistic approach, considering all aspects, from user education to the implementation of advanced technologies.
HTTPS phishing attacks are just one of many emerging threats, and the real defense lies in continuous preparation, vigilance and adaptability.
In a game of cat and mouse between cybercriminals and defenders, the question remains: is your company really ready to face the challenges of modern digital security?
Eval is official Keyfactor partner
Keyfactor is a leading company in identity management and access security solutions, helping organizations around the world to protect their confidential data and guarantee the integrity of their systems.
As an official Keyfactor partner, Eval is deeply committed to assisting our clients in implementing effective security practices. Our goal is to ensure the protection of code signing keys and compliance with industry standards.
Together, we will work to offer customized and innovative solutions, taking into account the specific needs of each client.
The partnership allows us to provide an even better service to our customers, combining our experience in software security with Keyfactor’s expertise in code signing and SSL/TLS certificate management.
Contact Eval to learn more about how our partnership with Keyfactor can help you strengthen your software security and ensure the integrity of your operations.
Take advantage of the opportunity to work with Eval and Keyfactor to ensure maximum protection and efficiency in your software operations.
We are committed to providing the best security solutions to meet your specific needs and ensure the peace of mind you deserve.
About Eval
With a track record of leadership and innovation dating back to 2004, Eval not only keeps up with technological trends, but we are also in an incessant quest to bring news by offering solutions and services that make a difference to people’s lives.
With market recognized value, Eval’s solutions and services meet the highest regulatory standards for public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.
Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.
Eval, safety is value.
Written by Arnaldo and Evaldo, proofread by Marcelo Tiziano and designed by Caio Silva.