This post was authored by Anna Shirokova and Ivan Nikolaev
John Smith had a lot of friends and liked to travel. One day he got an email that read: “Money has been sent to your PayPal account”. The sender appeared to be a person he met from recent trip to Cape Town. John Smith was curious and followed the link to PayPal (hxxps://paypal.com-receipt-gifts.online/) which looked a little bit suspicious. Luckily, John had recently taken a phishing awareness training and remembered that HTTPS meant the website is safe. He saw a green padlock next to the URL, decided that everything was fine, typed his PayPal username and password and pressed enter. This is the end of our story but just the beginning of John’s problems.
For quite a while now the security community has been educating users about the importance of secured communication . Users have been taught that important connections will be secured with HTTPS. How can you tell if your connection is secured with HTTPS? Simply check whether there is a little green lock next to the URL in the address bar of the browser.
Making users aware of communication security is a very important effort. Unfortunately, it has created a strange side-effect of many users trusting anything secured with HTTPS. Green lock means secure which means safe to use. The attackers have been quick to adapt and found a way to use the trust of HTTPS to their own advantage. One of the attack vectors where HTTPS is abused is phishing.
Watch out! Phishing domains
A very common and effective technique used by the attackers is impersonating well-known domain names that users already know and trust, such as the ones illustrated by the green text in Figure 2. The red text is to highlight the counterfeit portion of the domain name.
All these domains look very suspicious to a security professional but may appear perfectly legitimate to an untrained eye. These domains often have a very short time-to-live and are dropped after a few days of use. This renders blacklists ineffective against them because they need to be constantly updated with fresh domains.
During our analysis, we have observed these domains being used for phishing, as well as by scammers offering fake technical support and by advertisers promoting products of questionable quality.
HTTPS – using a good thing for a bad cause
Attackers have started to abuse users inherent trust in HTTPS. They do it by signing phishing domains with a certificate. These are usually obtained from certificate authorities like Let’s Encrypt which provides certificates for free . This means that the users who visit the domain and look at the URL will see the little green lock. Rarely will anyone check the actual certificate.
Above are examples of two phishing campaigns both using HTTPS. As you can see, the locks are green. The websites look legitimate, especially if you make the window narrow enough to cover most of the URL. But if you enter your credentials they will probably steal your money and selfie photos.
Prevention best practices
User education is a very important step in phishing prevention. However, there will always be people who will be tricked, despite the training. Network monitoring tools help to fill the gap and detect successful phishing attempts. Cognitive Threat Analytics (CTA) discovers hundreds of phishing domains every week, including sophisticated ones which use HTTPS. CTA models the network and spots anomalies in data. This way it is able to discover previously unseen phishing domains and warn the analysts.
Watch more about CTA as part of Cisco Security solutions: