It was recently reported that Google would improve the search ranking of HTTPS sites in their search engine. This may encourage website owners to switch from HTTP to HTTPS. Cybercriminals are also taking part in this switch. For example, we recently spotted a case where users searching for the secure version of a gaming site were instead led to a phishing site.
We researched phishing sites that used HTTPS and were blocked by Trend Micro web reputation technology from 2010 to 2014. Based on our investigation, the number of such phishing sites is increasing, and we expect it to double towards the latter part of 2014 due to the holiday season.
Figure 1. Number of HTTPS phishing sites from 2010 to 2014
One of the reasons for this spike is that it is easy for cybercriminals to create websites that use HTTPS: they can either compromise sites that already use HTTPS, or use legitimate hosting sites or other services that already use HTTPS. There is no need for the cybercriminals to acquire their own SSL certificates, since the servers they abuse or compromise already have valid ones.
This technique of leveraging HTTPS is also seen in mobile phishing. Just recently, we spotted a PayPal phishing page that employed HTTPS and a valid certificate. The spoofed page appears to be hosted on a legitimate site, which suggests that this site has been compromised.
To detect whether a particular site is a phishing site, users need to check the validity of the certificate and look at its Common Name, which usually matches the domain name. In the screenshot, mobile.paypal.com is the Common Name and the Organization is PayPal, Inc. The phishing site's certificate does not have these characteristics.
Figures 2-3. Screenshots of legitimate site (left) and phishing site (right)
In our previous blog entry, we mentioned that mobile users should look for "HTTPS" and the lock icon in the address bar before giving credentials away. However, in this recent mobile phishing attack, looking for these may not be sufficient. Some mobile browsers do not expose the SSL lock easily. For instance, the Windows mobile browser (IE) shows the lock icon, but users cannot tap on it to see the certificate details.
We recommend that users verify (via a search engine) that they are actually at the URL of the company's own site. For example, users can search for PayPal in any trusted search engine; if the URL they received or accessed differs from the site found through the search engine, then even though it uses "https" and shows a padlock icon, it is probably a malicious site. For popular banks or financial institutions, the legitimate site will always appear as a top result.
The next step is to check the certificate's validity. Compromised HTTPS sites may have valid certificates, but users can still check the certificate's Common Name and Organization before giving out login credentials. Note that certificate authorities have not issued certificates for malicious sites. The same thing could be said for desktop PCs.
While some sites show a green icon bar in the address bar as a security indicator, users still need to check the Common Name and Organization. For example, users can search for the Bank of America login page and click on the top result. On the login page, they can check for the green icon bar and the domain name (which in this case is bankofamerica.com).
When they click the green icon bar, a window will pop up. Users can then check the "Issued to" field, which is equivalent to the Common Name. Note that the Common Name should correspond to the domain name.
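The manual procedure above (compare the URL you are on with the one a search engine returns for the company, then compare the certificate's Common Name / Subject Alternative Names and Organization with what you expect) can be expressed as a small checker. The following is an added example, not code from the original post or from Trend Micro; it uses only the Python standard library, and the two certificate dicts are constructed to mirror the shape that `ssl.SSLSocket.getpeercert()` returns. The "phishing" certificate, its host `www.example.net` and its organization `Example Hosting Ltd` are invented placeholders for a compromised legitimate host, and `fetch_cert()` is an optional helper for pulling a live certificate that the offline demo does not call.

```python
"""Added example: check a certificate's subject against the host a user is
actually visiting, mirroring the manual browser check the post describes."""
import socket
import ssl
from urllib.parse import urlsplit


def _subject_fields(cert):
    """Flatten getpeercert()-style subject tuples into {field: value}."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            fields.setdefault(key, value)
    return fields


def _dns_names(cert):
    """All DNS names the certificate claims: SAN entries plus the Common Name."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = _subject_fields(cert).get("commonName")
    if cn and cn not in names:
        names.append(cn)
    return names


def _name_matches(pattern, host):
    """RFC 6125-style match: exact name, or a single leftmost wildcard label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def assess(url, cert, expected_host, expected_org=None):
    """Return (verdict, reasons) for a URL and the certificate served there.

    expected_host is the host the user found via a trusted search engine;
    expected_org is the Organization the user expects in the certificate.
    """
    host = (urlsplit(url).hostname or "").lower()
    reasons = []
    if host != expected_host.lower():
        reasons.append(f"URL host {host!r} differs from the searched host {expected_host!r}")
    names = _dns_names(cert)
    if not any(_name_matches(name, host) for name in names):
        reasons.append(f"certificate names {names} do not cover {host!r}")
    org = _subject_fields(cert).get("organizationName")
    if expected_org and org != expected_org:
        reasons.append(f"certificate organization {org!r} is not {expected_org!r}")
    return ("likely legitimate" if not reasons else "suspicious", reasons)


def fetch_cert(host, port=443, timeout=5):
    """Fetch a live, chain-validated certificate as a getpeercert() dict."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape (not real data).
LEGIT_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "PayPal, Inc."),),
                (("commonName", "mobile.paypal.com"),)),
    "subjectAltName": (("DNS", "mobile.paypal.com"), ("DNS", "*.paypal.com")),
}
PHISH_CERT = {  # valid certificate of a compromised, unrelated host
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Hosting Ltd"),),
                (("commonName", "www.example.net"),)),
    "subjectAltName": (("DNS", "www.example.net"), ("DNS", "example.net")),
}


def demo():
    """Run both sample cases; returns the two verdicts."""
    good = assess("https://mobile.paypal.com/login", LEGIT_CERT,
                  "mobile.paypal.com", "PayPal, Inc.")
    bad = assess("https://www.example.net/paypal/login", PHISH_CERT,
                 "mobile.paypal.com", "PayPal, Inc.")
    return good, bad


if __name__ == "__main__":
    for verdict, reasons in demo():
        print(verdict, *reasons, sep="\n  ")
```

The second case is the situation the post describes: the certificate is valid and matches its own host, so the padlock appears, yet both the URL and the Organization differ from what a search for PayPal returns, so the checker flags it.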
Figure 4. Check the green icon bar and the domain name to determine if it is a legitimate site
As more and more sites use SSL due to the boost in Google search rankings, users will have to become aware that the HTTPS padlock is no longer a sign that they are visiting a safe site. They must first check the certificate before proceeding to enter credentials and personally identifiable information (PII). In addition, we also recommend not using mobile devices for transactions outside authorized apps from legitimate sources.
Based on feedback data from the Smart Protection Network, the top affected countries whose users visit HTTPS phishing sites are the US and Brazil.
Figure 9. Top affected countries
Trend Micro protects users from phishing sites by blocking these sites via the Smart Protection Network.