These days most ordinary web users should at least be vaguely aware of the existence of phishing websites.
A phishing website is a website made by a cyber attacker to impersonate a trusted website or company in order to socially engineer sensitive data or computer access from the target of a cyber attack. For instance, a cyber attacker could make a website that spoofs the real netflix.com. A user may try to enter their sensitive Netflix account credentials into the phishing site’s webform. The user may have their credit card data linked to their Netflix account so that they can be charged for their legitimate Netflix services. When the cyber attacker has access to the victim’s Netflix account through that means, they could have the victim’s credit card data too. They could add the credit card data to a database of breached credit cards to be sold on the Dark Web for the purposes of financial fraud.
Any trusted company could be spoofed by a cyber attacker’s phishing site—social media networks, big tech companies and banks are especially popular. If a cyber attacker acquires online banking credentials by impersonating a financial institution’s website, they could have full access to the target’s money! Phishing websites are also often used to transmit web malware.
But if the address bar or omnibar in the web browser shows a padlock icon and HTTPS, most users could assume that it’s evidence of the website’s legitimacy. If it has the padlock, it can’t possibly be a phishing website, it’s proof that this is the company’s real website! I would love authenticated HTTPS to be evidence of a safe website, but unfortunately it isn’t. If you see properly implemented HTTPS and TLS certificates, that’s only proof that the data being transmitted between your web browser and the web server is encrypted.
HTTPS phishing websites are on the rise! According to data from PhishLabs, 49% of all phishing sites in the third quarter of 2018 rendered as HTTPS sites with padlocks. That’s an increase from 25% in 2017, and 35% in the second quarter of 2018. In time, perhaps the vast majority of phishing sites will be HTTPS.
I have a theory as to why HTTPS phishing sites could be increasing. Cyber attackers obviously understand that their potential victims are a lot more likely to trust a HTTPS website. So, they will go to the effort of acquiring TLS certificates so that their web servers can use HTTPS and so that web browsers will indicate that the website is properly TLS encrypted.
The most difficult type of TLS certificate to acquire is extended validation. They are relatively expensive to acquire from a certificate authority, and they require quite a bit of paperwork and evidence that the company behind the TLS certificate is legitimate and authorizes the certificate. The company’s name will usually be displayed in green in the address bar to indicate an extended validation TLS certificate. They’re commonly used by large organizations which have the resources for that sort of effort, and they’re usually very trustworthy certificates.
Organization validated (OV) TLS certificates are also often used by large organizations and are also generally very trustworthy. OV TLS certificates require a certificate authority to verify the domain ownership, plus the organization’s information, such as where they’re based. These types of certificates would be relatively difficult, but not impossible for a cyber attacker to acquire in the legitimate manner.
Domain validation (DV) TLS certificates are the easiest to acquire. A certificate authority just needs to verify that the domain is registered and an administrator is aware of and approves of the certificate request. They’re often inexpensive to acquire, and sometimes they can even be acquired for free through certificate authorities like Let's Encrypt. It’s good that domain validation certificates and free or cheap certificate authorities exist because often legitimate entities need proper HTTPS websites, but they have little money or limited resources. For example, it’s best that the website for your town’s food bank has an encrypted website. Unfortunately, the food bank’s revenue is very low and as much of their money as possible should be spent on buying food for the people in your town who need the help. Web browsers like Chrome or Firefox will tell users that their website isn’t safe if it’s delivered through plaintext HTTP! So cheap and easy TLS certificates can be a social good.
Unfortunately, I suspect that the existence of DV TLS certificates can also be exploited by cyber attackers. It would be worthwhile to examine how many HTTPS phishing websites have DV TLS certificates.
My other theory is that the TLS certificates for HTTPS phishing websites could also often by acquired illegitimately by stealing machine identities from legitimate entities. There are many possible cyber attacks that can be used to steal a TLS certificate. Often when certificates are tied to domains and the domain is acquired by a different entity, certificates can be incorrectly acquired that way. There’s also man-in-the-middle attacks and the like for acquiring certificates maliciously.
My hunch tells me that the certificates for HTTPS phishing sites are a combination of easily acquired DV certificates, and certificates acquired maliciously through cyber attack.
HTTPS phishing sites often will spoof a legitimate domain name by using a Punycode attack. Punycode characters look like the ordinary Latin alphabet but use lookalike characters from different character sets in Unicode. For example, “gⱷⱷgle.com” looks like “google.com” until you examine the characters very closely.
Ultimately the best way for users to assure that they are using a company’s real website is to type the site’s proper URL into their address bar. That’s how I try to avoid phishing websites. I will never click on a hyperlink sent to me in an email, I will enter the company website’s real domain name into my address bar instead.
But I also have another concern about a vulnerability which could be exploited by cyber attackers to make effective phishing websites which spoof legitimate websites. In Google Chrome 71, developers will be testing functionality for Signed HTTP Exchanges. What are Signed HTTP Exchanges? According to the Google Developers’ blog:
“Signed HTTP Exchange (or ‘SXG’) is a subset of the emerging technology called Web Packages, which enables publishers to safely make their content portable, i.e. available for redistribution by other parties, while still keeping the content’s integrity and attribution. Portable content has many benefits, from enabling faster content delivery to facilitating content sharing between users, and simpler offline experiences.
So, how do Signed HTTP Exchanges work? This technology allows a publisher to sign a single HTTP exchange (i.e., a request/response pair), in the way that the signed exchange can be served from any caching server. When the browser loads this Signed Exchange, it can safely show the publisher’s URL in the address bar because the signature in the exchange is sufficient proof that the content originally came from the publisher’s origin.”
Those signatures may also be a machine identity that a cyber attacker can hijack for themselves! If cyber attackers can maliciously acquire TLS certificates, signatures for Signed HTTP Exchanges could be maliciously acquired as well. Chrome could be one of the first web browser platforms to support SXG, and SXG cyber attacks for spoofing legitimate web content are inevitable in the near future. Time may tell whether I’m correct about that. But it’s not something that I would like to be correct about.
Web users should be educated about these new ways to spoof real web entities for the purpose of phishing attacks.
Organizations need to make sure they monitor their digital certificates for signs of misuse. To do that, they need to obtain complete visibility over their certificates. Learn how Venafi can help.