Advanced Threats Concealed by SSL Transactions Increased by 30% in H2 2017

Encrypted malware
February 13, 2018 | David Bisson

The number of SSL-encrypted transactions concealing advanced threats rose by 30 percent in the second half of 2017, according to a new report.

In its February 2018 SSL Threat Report, Zscaler tracked an average of 800,000 SSL-protected communications harboring malicious elements every day in H2 2017. That's up from 600,000 each day over the previous six months.

The report notes that computer criminals abuse SSL across the entire lifecycle of their attacks. They begin with a delivery vector such as phishing, which grew 300% in 2017. Many of these pages are hosted on a legitimate domain where nefarious individuals have compromised the site's digital certificate.

Next, the campaigns deliver their malicious payloads over SSL/TLS from Dropbox, AWS, and other hosting services. Banking trojans such as Dridex and Emotet appeared in approximately 60 percent of attacks. They were followed by ransomware families in a quarter of cases and infostealers in 12 percent of campaigns.

Upon successful installation, those threats also use encrypted communications to receive commands from their command and control (C&C) servers.

Deepen Desai, director of security research at Zscaler, explains these types of attacks reflect the ability of bad actors to abuse SSL for nefarious purposes:

"While great for privacy, SSL is becoming a significant blind spot for companies as the percentage of encrypted traffic has risen sharply over the years. And, while obtaining the digital certificates for SSL used to require a rigorous vetting process for web sites, they can now be more easily obtained, in some cases, for free."

Indeed, Zscaler found that most websites in an arbitrary sample of 6,800 attacks presented a valid certificate that the attackers had compromised. Other campaigns relied on short-lived attacks set up specifically to deliver malware.

Concurrently, the cloud-based information security company detected domain validated (DV) certificates in 74% of attacks. It reasons that the rate is so high because DV certificates have a shorter validity period, a laxer vetting process, and a lower price (sometimes free) compared with the more trustworthy organization validation (OV) and extended validation (EV) certificates.

Acknowledging those threats, Zscaler recommends that organizations adopt a multi-layer defense, ideally including well-implemented HTTPS inspection, to protect their certificates and the traffic they secure.
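One way an inspection point can act on the two signals the report highlights (DV certificates and short validity periods) is to tag each observed certificate with its validation level and lifetime so those tags can feed a risk score. The following is an added illustration, not code from Zscaler or Venafi; it assumes certificate metadata in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, uses constructed sample records, and treats `businessCategory` in the subject as an EV heuristic (the authoritative EV check is the policy OID in `certificatePolicies`, which that dictionary does not expose).

```python
import ssl

# Constructed sample records in the shape ssl.SSLSocket.getpeercert() returns:
# the subject as a tuple of RDNs and validity as OpenSSL-style GMT strings.
# Hostnames and values are made up for illustration.
SAMPLE_CERTS = {
    "login-example.test": {  # DV-style: commonName only, 90-day lifetime
        "subject": ((("commonName", "login-example.test"),),),
        "notBefore": "Feb  1 00:00:00 2018 GMT",
        "notAfter": "May  2 00:00:00 2018 GMT",
    },
    "shop.example": {  # OV-style: organizationName present, one-year lifetime
        "subject": ((("organizationName", "Example Shop Ltd"),),
                    (("commonName", "shop.example"),)),
        "notBefore": "Mar 15 00:00:00 2017 GMT",
        "notAfter": "Mar 15 00:00:00 2018 GMT",
    },
    "bank.example": {  # EV-style: businessCategory in subject, two-year lifetime
        "subject": ((("countryName", "US"),),
                    (("organizationName", "Example Bank Inc"),),
                    (("businessCategory", "Private Organization"),),
                    (("commonName", "bank.example"),)),
        "notBefore": "Jan  1 00:00:00 2017 GMT",
        "notAfter": "Jan  1 00:00:00 2019 GMT",
    },
}

def subject_fields(cert):
    """Flatten the nested RDN tuples into a name -> value dict."""
    return {name: value for rdn in cert["subject"] for name, value in rdn}

def validation_level(cert):
    """DV certificates carry no organization identity in the subject;
    businessCategory is used here as a heuristic (assumption) for EV."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"
    return "EV" if "businessCategory" in fields else "OV"

def validity_days(cert):
    """Lifetime in whole days, parsed with the stdlib's cert time helper."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return round((end - start) / 86400)

def triage(host, cert, short_days=90):
    """Tag one observed certificate; tags are risk-score inputs, not verdicts."""
    level, days = validation_level(cert), validity_days(cert)
    flags = [f for f, hit in (("dv-cert", level == "DV"),
                              ("short-lived", days <= short_days)) if hit]
    return {"host": host, "level": level, "validity_days": days, "flags": flags}

def triage_all(certs=SAMPLE_CERTS):
    return [triage(host, cert) for host, cert in certs.items()]
```

A DV, short-lived certificate is ordinary for legitimate sites too, so the tags are meant to raise a score alongside other signals (payload verdicts, destination reputation), not to block on their own.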

About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
