Advanced Threats Concealed by SSL Transactions Increased by 30% in H2 2017
February 13, 2018 | David Bisson

The number of SSL-encrypted transactions concealing advanced threats increased by 30 percent in the second half of 2017, a new report reveals.

In its February 2018 SSL Threat Report, Zscaler tracked an average of 800,000 SSL-protected communications harboring malicious elements every day in H2 2017. That's up from 600,000 each day over the previous six months.

The report notes that computer criminals abuse SSL across the entire lifecycle of their attacks. They begin with a delivery vector such as phishing, which grew 300% in 2017. Many of these phishing pages are hosted on a legitimate domain whose digital certificate the attackers have compromised.

Next, the campaigns deliver their malicious payloads over SSL/TLS from Dropbox, AWS, and other hosting services. Banking trojans such as Dridex and Emotet appeared in approximately 60 percent of attacks. They were followed by ransomware families in a quarter of cases and infostealers in 12 percent of campaigns.

Upon successful installation, those threats also use encrypted communications to receive commands from their command and control (C&C) servers.

Deepen Desai, director of security research at Zscaler, explains that these types of attacks reflect the ability of bad actors to abuse SSL for nefarious purposes:

"While great for privacy, SSL is becoming a significant blind spot for companies as the percentage of encrypted traffic has risen sharply over the years. And, while obtaining the digital certificates for SSL used to require a rigorous vetting process for web sites, they can now be more easily obtained, in some cases, for free."

Indeed, Zscaler found that most of the websites in an arbitrary sample of 6,800 attacks used a valid certificate that malefactors had compromised. Other campaigns used short-lived attacks specifically to deliver malware.

Concurrently, the cloud-based information security company detected domain validated (DV) certificates in 74% of attacks. It attributes the high rate to the comparatively shorter validity period, laxer vetting process, and lower price (sometimes free) of DV certificates compared with the more trustworthy organization validation (OV) and extended validation (EV) certificates.

Acknowledging those threats, Zscaler recommends that organizations use a multi-layer defense that ideally includes properly implemented HTTPS inspection, in order to protect their certificates.

About the author

David Bisson

David is a Contributing Editor at IBM Security Intelligence. David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
