SSL certificate abuse is driving an increasing number of phishing attacks, and little is being done to stop it.
Last month, cybersecurity vendor Lookout announced that it had detected a phishing campaign targeting the United Nations and several U.N. humanitarian organizations, including but not limited to UNICEF. Lookout's blog post detailed the "several noteworthy techniques employed in this campaign" including keylogging and mobile-aware malware used to steal users' login credentials via legitimate-looking websites. But perhaps more importantly, the campaign used authentic SSL certificates to orchestrate the attack.
An SSL (Secure Sockets Layer) certificate authenticates the identity of a website and encrypts data being transmitted between the website and the visitor. Websites with valid SSL certificates receive a green lock that sits next to the URL in modern web browsers indicating to users that the website connection is secure. If there is no certificate, most browsers will make it much harder to visit the website, often displaying a difficult-to-bypass message that says the website is unsafe.
While certificateless sites are often associated with malicious domains used for phishing attacks and other threats, security vendors have noted a growing trend of such domains having valid SSL certificates, which give the websites an appearance of legitimacy. Anti-Phishing Working Group (APWG), an international nonprofit organization, found that SSL certificate usage in phishing domains reached a new high in the first quarter of this year; according to the APWG's study, 58% of phishing sites used certificates, up from 46% in the previous quarter.
APWG co-founder and secretary general, Peter Cassidy, explained that it's worth the trouble for cybercriminals to get valid SSL certificates for spoofed domains because they increase the likelihood that users will click on the phishing links.
"Let's say they're going after a union pension fund that's very local, and they've got a list of email addresses related to people of retirement age in that locality," Cassidy said. "It makes it worth their while to get a bogus domain name, relate it to that specific union and/or that locality and to use that list and to take the time to get a certificate to make that green mark show up so when people click on the link, they see a familiar name, they see a green lock, and they see -- if they're involved -- familiar brand names and logos. So, if they want to take the time to do that and get the green lock to give people confidence, it's worthwhile doing."
Certificates can be obtained either directly from certificate authorities (CAs) or through third parties such authorized certificate resellers or web hosting providers (the U.N. phishing attacks used free Let's Encrypt certificates procured through web hosting platform cPanel). Some CAs offer paid certificates and some offer certificates at no cost. Unfortunately, there is little stopping threat actors who are operating a malicious website from getting an SSL certificate.
"There are entities that are responsible for issuing SSL certificates, and there are entities that are responsible for renting a host out and providing an IP address and providing a place for you to register your content. Those two entities are separate, and there is no mechanism or guardrails in place to prevent a bad IP address from getting an SSL certificate. That's just not really the way SSL is set up," Lookout principal security researcher, Jeremy Richards, said. "These SSL certificates are free and they're provided by either Let's Encrypt or cPanel in this case. The hosting provider, just because of jurisdiction, doesn't have to comply with DMCA takedown requests, so they will advertise that on their website that they do not respond to DMCA takedown requests, and they're anonymous so you can pay in cryptocurrency and they don't require an IP."
In the case of the U.N. phishing attacks, Lookout's report noted, "The associated IP network block and ASN (Autonomous System Number) is understood by Lookout to be of low reputation and is known to have hosted malware in the past." There's nothing stopping the threat actors behind the campaign from acquiring the certificates, and once they get certificates, they can be difficult to revoke unless you are the customer who purchased the certificates or the organization that's being spoofed, such as UNICEF.
Despite the phishing domains being flagged in Lookout's report, six certificates were still valid at the time of publication, and the others were no longer valid because they had passed their expiration dates.
In the case of a malicious website being used for phishing, the site would show a legitimate-looking login page for, say, Red Cross that features a green lock next to the URL. This shouldn't happen, experts said, but it does.
"More than 50% of the phishing sites today have certificates on them and have valid, publicly trusted certificates," said Tim Callan, senior fellow at Sectigo, a CA and PKI management vendor.
How can certificate abuse be prevented? Cassidy called it one piece of a much larger issue, that being phishing threats. "If you fix the certificate issue, you make it harder for the bad guys," he said, "but you don't programmatically suppress the whole problem."
Peter CassidyCo-founder and secretary general, APWG
Cassidy said the technology industry needs to explore an orchestrated approach that "looks at the technology dimension, the infrastructure dimension, even the shape of the browser and what a person has to do in order to understand and make a good decision -- make a precise and safe decision -- and the human behavior dimensions all at once," he said. "There's no silver bullet. That's absolutely true. What's not needed is more proposed silver bullets."
Callan offered a more concrete solution for the certificate issue, pointing to extended validation (EV) certificates, which requires a higher level of authentication for the organization than a standard domain certificate. " The actual identity of the organization needs to be authenticated using codified methods that are required by the CA/Browser Forum, which is the industry-standard body that governs SSL certificates," Callan said. "And these are methods that are using best practices. These methods have been undefeated in more than a decade worth of widespread global use."
While EV certificates have stricter requirements for authentication, there's been a debate among web browser companies about how effective EV certificate indicators are for protecting users from malicious sites. Microsoft Edge, for example, displays EV certificates with a green lock and company name in the address bar. However, Google and Mozilla both removed EV certificate indicators this summer for their Chrome and Firefox, respectively, citing research that showed the indicators "does not protect users as intended," according to Google.
Still, Callan said EV certificates are a better, more trustworthy option than domain certificates and that users should be educated about the differences. "Obviously there's the opportunity that someone won't get the message. But the more that we communicate that, the more that we get it out there, the more likely it is that they will get the message," Callan said. "And I don't want to pretend that that would prevent 100% of people falling for this trick because it wouldn't. But what it would do is it would prevent some of the people from falling for this trick, and it would give people a method to ensure that they were really connecting to the real organization. Otherwise, they just don't have that method."