In the past, a green padlock icon would inform the user that a site is secure and legit, whether it was true or false. Now, that is no longer the case. We are seeing more and more phishing sites using SSL/TLS certificates to try and fool people into thinking that a phishing site is actually legitimate. The appearance of free SSL/TLS certificates, which can be applied with ease (Let’s Encrypt, Comodo and more), allow scammers to harness SSL certificates to their own agenda, giving misguided people the felling of false security.
The only real security feature in SSL/TLS certificates is that a certificate authority (CA) has to issue them, which should verify the identity and authorization of the person receiving a signed certificate. This is a deeply flawed system prior to the presence of free CAs. The free CAs simply removed the pretense that any real identity verification or authorization should take place, allowing almost anyone to get a certificate for almost any domain. (Whether or not they have the authority to do so) For instance, using Let’s Encrypt, it’s possible for a ThreatSTOP employee to get an SSL/TLS certificate for many of our competitors.
While this trend creates challenges, it also gives us opportunities. As certificates became more widespread, so has the transparency of the certificates given. Certificate Transparency SSL certificates are openly available to follow in order to see if a new certificate has been generated, and to which domain. This transparency helps site owners follow all certificates issued to their domains, while helping security researches follow new certificates as they are generated and issued. Plus, to which domains they’ve been given.
There are two ways phishers will use SSL/TLS certificates.
One is that they will use the domain of the target they are impersonating directly. This requires them to somehow redirect traffic for the valid domain to an IP address they control. This is possible (with malware such as DNSChanger) but it is complicated. They also create domains with a given brand in them, but it is a new domain entirely. For instance, instead of paypal.com, they could create paypal-com-user-verification.com. It is possible to use Certificate Transparency reports to look for brand impersonation of new domains.
Today, it is possible to see new domains and do the same kind of analysis as they are registered. However, all new domain name monitoring services work on a 24-hour delay. Certificate Transparency is essentially real-time monitoring of certificates as they are issued. This allows companies to interdict such resources much quicker, while letting security companies like ThreatSTOP block threats almost immediately as they are created.
Based on the work by other members of the security community, chief among them Cali Dog Security, who helped making this data approachable via Cert Stream. Also, a great code base from @x0rz, who laid the ground work with Phishing_catcher.
With this, the ThreatSTOP Security team is happy to announce a new feed blocking phishing domains based on newly generated SSL certificates. The new target will be called “SSL Phishing Sites” and is available now. As with all Phishing targets please keep in mind that this target is also prone to some degree to false positives.
To learn more about how ThreatSTOP protects your organization against phishing attacks like these, all at an affordable cost, check us out below. We offer a free, 14-day trial or you can request a quick demo of our platform.