Security Experts:

SSL Increasingly Abused by Malware, Phishing: Report

There has been a significant increase in the number of phishing and malware attacks abusing SSL and TLS technology, according to Zscaler’s SSL Threat Report for the second half of 2017.

In the first half of 2017, Zscaler’s products blocked roughly 600,000 threats hidden in encrypted traffic every day, but that number grew to 800,000 in the second half of the year, which represents an increase of 30 percent.

Malicious actors have used SSL-encrypted channels for the initial delivery of malvertising, phishing and compromised websites, to distribute malware payloads and exploits, and for communications between the infected host and command and control (C&C) servers.

In the case of phishing attempts, Zscaler saw a 400 percent increase in the first half of 2017 compared to 2016. Overall, in 2017, phishing activity jumped by nearly 300 percent.

Phishing pages served over HTTPS are either hosted on a compromised website that has an SSL certificate, or they are hosted on malicious sites that imitate well-known brands and rely on certificates obtained by the cybercriminals themselves. Services such as Let’s Encrypt make it easier for malicious actors to obtain free certificates that they can use in their operations.

Most phished brands

In the case of malware attacks, Zscaler said SSL/TLS channels were used 60 percent of the time to deliver banking Trojans throughout 2017, and ransomware was spotted in one-quarter of attempts. Many attackers obtained an encrypted distribution channel for their malware by hosting it on legitimate services such as Box, Dropbox, Google and AWS.

An analysis of roughly 6,700 SSL transactions blocked by Zscaler showed that a majority of abused certificates belonged to legitimate sites that had been compromised.

The security firm also found that the types of certificates that are most abused by cybercriminals are domain validated (DV) certificates, which have a validity of three months and are obtained more easily. DV certificates, particularly ones obtained for free, were spotted in 75 percent of cases.

More than half of certificates were valid for less than one year, and roughly one-third of those had a validity period of three months or less.

Related: Stack Ranking SSL Vulnerabilities: The ROBOT Attack

Related: Stack Ranking SSL Vulnerabilities: DUHK and ROCA

Related: US-CERT's Warning on SSL Interception vs. Security is a False Dichotomy

view counter
Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.