Cyber criminals using the cover of SSL encryption to target organisations

News by Jay Jay

Cyber-criminals using the cover of SSL encryption to launch millions of phishing attacks, botnet attacks, and malware attacks on organisations' IT systems: 400% rise in SSL-based phishing attacks in 2018.

Cyber-criminals are using the cover of SSL encryption to launch millions of phishing attacks, botnet attacks, and malware attacks on organisations' IT systems, with a 400 percent rise in SSL-based phishing attacks in 2018.
According to Zscaler's new 2019 Cloud Security Insights Threat Report, cyber-criminals are using the cover of SSL traffic to attack organisations not only because encryption prevents attribution of cyber-attacks, but also because many organisations do not use security solutions that can inspect SSL at scale to unearth the threats within.
Another factor behind the sharp rise in SSL-based threats over the past year or so is that SSL certificates are now widely available at no charge. This lets even poorly resourced attackers use the vector for a range of attacks, including phishing, botnets, browser exploitation, and malicious content.
Between July and December 2018, Zscaler observed and blocked over 1.7 billion SSL-based threats which translated to an average of 283 million advanced threats blocked per month. These included over 2.7 million phishing attacks over encrypted channels every month, 32 million botnet callback attempts per month, and an average of 240,000 browser exploitation attempts per month.
"With the ever-increasing concerns over data privacy, there has been a massive trend toward Internet properties having encryption by default. This is a great thing for privacy, but it presents a challenge to IT security. Decrypting, inspecting, and re-encrypting traffic is nontrivial, causing significant performance degradation on traditional security appliances, and most organisations are not equipped to inspect encrypted traffic at scale," said Amit Sinha, chief technology officer at Zscaler.
"With a high percentage of threats now delivered with SSL encryption, and over 80 percent of Internet traffic now encrypted, enterprises are blind to over half of malware sent to their employees," he added.
The firm added that in the second half of 2018, there was also a notable increase in JavaScript skimmer-based attacks which criminals used to carry out malicious campaigns targeting e-commerce websites within the confines of the SSL environment. "These attacks start with the e-commerce sites being compromised and injected with malicious, obfuscated JavaScript, which, in turn, tries to tap into purchase transactions," said Deepen Desai, vice president of Security Research at Zscaler.
Commenting on the widespread availability of SSL certificates at no charge, Paul Bischoff, privacy advocate at, told SC Media UK that the biggest takeaway from this is that green padlocks on websites no longer guarantee that such websites are genuine as criminals can use SSL encryption on their sites just like everyone else.
"Enterprises need to train staff on other methods of identifying phishing sites. In particular, double-checking that the domain in the URL contains no spelling errors, subdomains, or character replacement (l-I, 0-O, etc.) and matches the domain of the site exactly as if you were to search it on Google," he added.
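The domain checks Bischoff describes (exact match against the genuine domain, the brand name buried as a subdomain of an unrelated site, and l/I or 0/O character swaps) can be automated for a mail gateway or user-reporting tool. The following Python is an added example, not code from the article or from any vendor quoted in it; the homoglyph table and the two-label domain model are simplifying assumptions (a production check would use the Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed, deliberately small table of look-alike substitutions seen in
# phishing hostnames (the "l-I, 0-O" cases from the article). Extend as needed.
HOMOGLYPHS = {"1": "l", "i": "l", "0": "o", "5": "s", "3": "e", "vv": "w", "rn": "m"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'example.com' from
    'login.example.com'. Assumption: a two-label suffix is enough here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Collapse common look-alike substitutions so 'examp1e' reads as 'example'.
    Lower-casing first also maps capital I to i (then to l) and O to o."""
    out = label.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def check_url(url: str, expected_domain: str) -> list:
    """Compare the host in `url` with the brand's genuine registrable domain.
    Returns a list of findings; an empty list means the host matches exactly."""
    host = (urlsplit(url).hostname or "").lower()
    actual = registrable_domain(host)
    expected = expected_domain.lower()
    findings = []
    if actual == expected:
        return findings  # exact match: this is the only "pass" outcome
    # 1. Brand used as a subdomain of an unrelated site: example.com.evil.test
    if host != actual and expected in host:
        findings.append(f"brand appears as subdomain of unrelated domain {actual}")
    # 2. Look-alike via character replacement: examp1e.com, 3xample.com
    if normalise(actual) == normalise(expected):
        findings.append(f"character replacement: {actual} mimics {expected}")
    # 3. Otherwise it is simply a different domain, which still fails the check
    if not findings:
        findings.append(f"domain {actual} does not match {expected}")
    return findings


if __name__ == "__main__":
    for sample in ("https://www.example.com/login", "https://examp1e.com/login",
                   "https://example.com.evil.test/", "https://other.test/"):
        print(sample, "->", check_url(sample, "example.com") or ["ok"])
```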
Javvad Malik, security advocate at AT&T Cybersecurity, also said that even when SSL is used, phishing attacks ultimately still target a user, so good user awareness and training that informs staff of the dangers of phishing attacks, how best to spot them, and how to respond to them will remain a vital part of an organisation's defence.
"From a technology perspective, having SSL inspection capabilities can help monitor traffic, and when used in conjunction with threat data in an automated manner, malicious domains and actions can be quickly detected and blocked," he added.
When asked how organisations can protect their devices from SSL-based advanced threats, Jonny Milliken, manager, research at Alert Logic, said that the best way to combat this is to employ defence in depth using a range of host and network technologies as well as a strong threat intelligence component to monitor for leaked credentials or other data. 
"Attackers are always inventing or using new ways to breach defences, and you need to have as many weapons as possible in your own arsenal to fight back," he said.
