Spike in Phishing Attacks with Websites Using Genuine SSL Certificates

July 5, 2017 | By Kimberly Reynolds

Phishing and spear-phishing attacks are being unleashed in new forms as cyber criminals evolve and update their methods. In this sophisticated form of attack, websites with genuine SSL certificates are used to fool most website visitors and even moderately IT-security-savvy personnel. A website with an SSL certificate is, after all, considered to be secure.

An SSL Certificate is a cost-effective way for online businesses to protect customer transactions. SSL (Secure Sockets Layer) establishes an encrypted link between the website visitor’s web browser and the business entity’s server. This helps ensure that all communication between the web server and browser remains private and encrypted. SSL certificates are issued by certificate authorities (CAs). There are different types of certificates designed to suit the type of business: the number of domains and sub-domains, whether the business has to accept card payments, and so on.

Typically, a website secured with SSL would display “https://” with a lock symbol, and it may also display a green address bar. The address bar may also display whether the website is “Secure” or “Insecure”. A website without an SSL certificate would display just “http://” and this is considered insecure. Browsers are recommending that all websites get SSL certificates. The advantages are many, as SSL-secured websites demonstrate security and trust.

How Cyber Criminals get Genuine SSL Certificates

However, cyber criminals are not far behind. They are unleashing attacks using websites that have valid SSL certificates. So, how were they able to acquire genuine SSL certificates? Most CAs offer Free SSL certificates and Domain-Validated certificates. These certificates are issued automatically after the domain is validated. The organization is not validated.

When issuing SSL certificates, CAs are to adhere to the baseline requirements as specified by the CA/Browser Forum. However, there have been instances of certain rogue CAs not abiding by the requirements (not making necessary checks). The avenues available, i.e. getting a domain-validated certificate or getting an SSL certificate from a rogue CA, have made it easy for cyber criminals to get genuine SSL certificates.

Armed with valid SSL certificates for their malicious websites, their attacks are disguised and hence appear more legitimate. Reports reveal that the number of attacks using websites with legitimate SSL certificates has increased. And this will continue to increase as long as free SSL certificates and only-domain-validated certificates are issued.

An important factor that all website visitors must know is that malicious websites can also acquire an SSL certificate. The displayed SSL certificate only denotes that the website has a valid digital certificate and any communication with it would be encrypted. That is all.

Lately, cyber criminals are using this technique to target online payment system enterprises such as PayPal. When users share critical information through these malicious websites, critical data such as credentials and card data can get stolen.

Mitigation Measures

Cyber security experts recommend that enterprises that need to store or process user information and payment card data opt for Organization-Validated certificates and Extended Validation certificates, which involve more validation checks.

Website users on their part must carefully observe the website address and watch out for any misspelling. Further, they can try to identify the type of SSL certificate of the visited website. Any website that needs to accept card payments and login credentials must have SSL certificates as mandated by the Payment Card Industry Data Security Standards.
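One way to identify the type of certificate a site presents, as an added example that is not part of the original article: a Python heuristic that classifies a certificate as DV, OV or EV from its subject fields, since a domain-validated certificate carries no organization name. The function names and the sample certificates are constructed for illustration, and the attribute names are assumed to be those Python's `ssl` module reports.

```python
import socket
import ssl

# Subject attributes that EV certificates carry in addition to organizationName
# (names as OpenSSL/Python report them; treated here as an assumption).
EV_MARKERS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}


def subject_fields(cert):
    """Flatten getpeercert()['subject'] (a tuple of RDN tuples) into a dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_level(cert):
    """Heuristically classify a certificate dict as 'DV', 'OV' or 'EV'."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"  # domain control was checked, the organization was not
    if EV_MARKERS.issubset(fields):
        return "EV"  # organization identity plus the EV-specific attributes
    return "OV"


def fetch_cert(host, port=443, timeout=5.0):
    """Return the verified leaf certificate a live host presents (needs network)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the shape getpeercert() returns.
DV_SAMPLE = {"subject": ((("commonName", "pay.example.test"),),)}
OV_SAMPLE = {"subject": ((("countryName", "US"),),
                         (("organizationName", "Example Payments Inc"),),
                         (("commonName", "pay.example.test"),))}
EV_SAMPLE = {"subject": ((("businessCategory", "Private Organization"),),
                         (("jurisdictionCountryName", "US"),),
                         (("serialNumber", "0000000"),),
                         (("countryName", "US"),),
                         (("organizationName", "Example Payments Inc"),),
                         (("commonName", "pay.example.test"),))}

if __name__ == "__main__":
    for label, cert in (("DV", DV_SAMPLE), ("OV", OV_SAMPLE), ("EV", EV_SAMPLE)):
        org = subject_fields(cert).get("organizationName", "<none>")
        print(f"{label} sample -> {validation_level(cert)}, organization: {org}")
```

A "DV" result on a page that asks for payment or login details means the certificate says nothing about who operates the site, so the domain name itself is the only identity to check.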
