Experts On Cybercriminals Hide Malware & Phishing Sites Under SSL Certificates

Dark Reading recently wrote about cybercriminals increasingly relying on SSL certificates to lull people into a false sense of security when clicking malicious links. The assumption that HTTPS links and the accompanying lock icon protect employees from an attack can threaten businesses without sufficient SSL inspection. Nearly 52% of the top 1 million websites were available over HTTPS in 2019, Menlo Security researchers report. Nearly all (96.7%) user-initiated online visits are served over HTTPS; however, only 57.7% of URLs in emails are HTTPS links. This means a web proxy or next-gen firewall — which many businesses have long relied on for online access visibility and control, researchers note — could miss the threats present on malicious websites if SSL inspection is not enabled.

Experts Comments

April 10, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
By hiding malware and phishing sites under SSL certificates, it makes it more difficult for tools to detect and block without inspecting SSL traffic. It's why it's important to layer on the human element to be able to recognize phishing attacks and report them to the IT teams. No one offering will be able to stop all threats, which is why a layered approach that includes employees undergoing regular security awareness and training is an important part of any security strategy.
April 10, 2020
Erich Kron
Security Awareness Advocate
KnowBe4
For many years, we taught people to look for the lock symbol in their browser URL bar and told them that if it was missing or red, this was a sign of an untrustworthy website. Unfortunately, that advice is far less valuable in our modern world where getting an SSL certificate, the part that makes the lock appear is free, easy and automated. Services such as Let's Encrypt allow people to get these SSL certificates easily and without cost, a wonderful thing for smaller organizations or blogs that .....Read More
For many years, we taught people to look for the lock symbol in their browser URL bar and told them that if it was missing or red, this was a sign of an untrustworthy website. Unfortunately, that advice is far less valuable in our modern world where getting an SSL certificate, the part that makes the lock appear is free, easy and automated. Services such as Let's Encrypt allow people to get these SSL certificates easily and without cost, a wonderful thing for smaller organizations or blogs that want to follow best practices by encrypting the data between the browser and the website; however, the bad actors are using it for their purposes as well. The encryption that occurs between the browser and the website also has a hidden downside, as it makes the data being exchanged unreadable by the tools that help spot malware and the bad things being used to attack the users. While many corporate networks and computers are configured to allow SSL inspection, a way to see the web traffic as it enters and leaves the corporate network, with users working from home due to the COVID-19 pandemic and using personally owned equipment much more often, these protection tools are often not in place. Because these tools are not in place outside of the corporate network, it is more important than ever to teach people how to hover over links to make sure they are being taken to legitimate websites, teach them how to spot similar looking website names, often made to look alike using tricks like replacing the letter "o" with a zero to fool people, and to spot phishing emails the attackers are using more than ever. Also, whenever possible, people should use company-issued devices and computers, preferably with a VPN connection to the organization's protected network, to conduct business. This allows some of the tools offered by the organization's network to provide some level of protection.  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.