
Phishing Safety: Is HTTPS Enough?

  • Posted on: September 5, 2014 at 12:45 am
  • Posted in: Bad Sites
  • Author: Paul Pajares (Fraud Analyst)

It was recently reported that Google would improve the search ranking of HTTPS sites in its search engine. This may encourage website owners to switch from HTTP to HTTPS. Cybercriminals are also taking part in this switch. For example, we recently spotted a case where users searching for the secure version of a gaming site were instead led to a phishing site.

We researched phishing sites that used HTTPS and were blocked by Trend Micro web reputation technology from 2010-2014. Based on our investigation, the number of phishing sites is increasing and we expect it to double towards the latter part of 2014 due to the holiday season.


Figure 1. Number of HTTPS phishing sites from 2010 to 2014

One of the reasons for this spike is that it is easy for cybercriminals to create websites that use HTTPS: they can either compromise sites that already use HTTPS, or use legitimate hosting sites or other services that already use HTTPS. There is no need for the cybercriminals to acquire their own SSL certificate, since the servers they abuse or compromise already have valid certificates.

This technique of leveraging HTTPS is also seen in mobile phishing. Just recently, we spotted a PayPal phishing page that employed HTTPS and a valid certificate. The spoofed page appears to be hosted on a legitimate site, which suggests this site has been compromised.

To detect whether a particular site is a phishing site, users need to check the validity of the certificate and look at its Common Name, which usually matches the domain name. In the screenshot, mobile.paypal.com is the Common Name and the Organization is PayPal, Inc. The phishing site's certificate does not have these characteristics.


Figures 2-3. Screenshots of legitimate site (left) and phishing site (right)

In our previous blog entry, we mentioned that mobile users should look for "HTTPS" and the lock icon in the address bar before giving credentials away. However, in this recent mobile phishing attack, looking for these may not be sufficient. Some mobile browsers do not necessarily expose the SSL lock easily. For instance, the Windows mobile browser (IE) shows the lock icon, but users cannot click on it to see the certificate details.

We recommend that users check (via a search engine) that they actually are at the URL of the company's site. For example, users can search for PayPal in any trusted search engine. If the URL they received or accessed differs from the site found through the search engine, then it is probably a malicious site, even if it uses "https" and shows a padlock icon. For popular banks or financial institutions, the legitimate site will always appear as a top result.

The next step is to check certificate validity. Compromised HTTPS sites may have valid certificates, but users can still check the certificate's Common Name and Organization before giving out login credentials. Note that certificate authorities have not issued certificates for malicious sites. The same applies to desktop PCs.

While some sites show a green icon bar in the address bar as a security indicator, users still need to check the Common Name and Organization. For example, users can search for the Bank of America login page and click on the top result. On the login page, they can check for the green icon bar and the domain name (which in this case is bankofamerica.com).

When they click the green icon bar, a window pops up. Users can then check the "Issued to" field, which is equivalent to the "Common Name." Note that the Common Name should match the domain name.


Figure 4. Check the green icon bar and the domain name to determine if it is a legitimate site
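The manual certificate check described above (search-engine URL, Common Name or SAN matches the expected domain, Organization matches the expected company) written as an added example; this is not code from the original post. It works on certificate dicts in the format Python's ssl.getpeercert() returns, the two sample certificates are constructed (the legitimate one uses the mobile.paypal.com / PayPal, Inc. values from the screenshot text above; the compromised host name is a placeholder), and fetch_cert is a helper for running the same check against a live host.

```python
import socket
import ssl


def _subject_field(cert, field):
    """Pull one field (e.g. 'commonName') out of the subject RDN tuples."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def cert_names(cert):
    """All names the certificate is issued to: subject CN plus DNS SANs."""
    names = [_subject_field(cert, "commonName")]
    names += [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    return [n for n in names if n]


def name_matches(pattern, hostname):
    """Hostname match with a wildcard allowed only as the whole leftmost label."""
    p, h = pattern.lower(), hostname.lower()
    if p == h:
        return True
    if p.startswith("*.") and "*" not in p[2:] and "." in h:
        return p[2:] == h.split(".", 1)[1]
    return False


def check_cert(cert, expected_host, expected_org):
    """Return (ok, reasons). ok only if the expected site name AND organization both appear.
    A valid certificate for the wrong host (a compromised HTTPS site) fails here."""
    reasons = []
    if not any(name_matches(n, expected_host) for n in cert_names(cert)):
        reasons.append("expected hostname not among certificate names")
    if _subject_field(cert, "organizationName") != expected_org:
        reasons.append("organization does not match expected company")
    return not reasons, reasons


def fetch_cert(hostname, port=443):
    """Live helper: chain validation is done by the default context; this returns the peer cert dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates (same dict layout as ssl.getpeercert()).
LEGIT_CERT = {"subject": ((("countryName", "US"),), (("organizationName", "PayPal, Inc."),),
                          (("commonName", "mobile.paypal.com"),)),
              "subjectAltName": (("DNS", "mobile.paypal.com"),)}
PHISH_CERT = {"subject": ((("commonName", "www.compromised-host.example"),),),
              "subjectAltName": (("DNS", "www.compromised-host.example"),
                                 ("DNS", "*.compromised-host.example"))}
```

The phishing certificate is perfectly valid for its own host, which is exactly why the padlock alone says nothing; the check only passes when the names and organization are the ones the user expected.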

As more and more sites use SSL due to the boost in Google search rankings, users will have to become aware that the HTTPS padlock is no longer a sign that they are visiting a safe site. They must first check the certificate before entering credentials and personally identifiable information (PII). In addition, it is also recommended not to use mobile devices for transactions outside authorized apps from legitimate sources.

Based on feedback from the Smart Protection Network data, the top affected countries that visit HTTPS phishing sites are US and Brazil.


Figure 9. Top affected countries

Trend Micro protects users from phishing sites by blocking these sites via the Smart Protection Network.

Tags: HTTPS, phishing, SSL
