Phishing Alerts for SSL Certificate Authorities

Rapidly identify customers who are using your issued certificates to host phishing sites

The internet community has been taught that one of the key steps in protecting their personal information online is to ensure that it is entered only over an encrypted connection, perhaps by looking for the lock symbol in the browser address bar or web addresses beginning with https://. As a result, phishing attacks which make use of SSL certificates are especially dangerous as most users associate the presence of a valid SSL certificate with an increased level of assurance. Such attacks erode the reputation of Certificate Authorities and SSL certificates.

Figure: Daily trend of phishing attacks for a single certificate authority

While the majority of phishing attacks run over HTTP, a significant number run on sites for which SSL certificates have been issued. In July 2012 alone, Netcraft found phishing attacks using a total of 505 unique valid SSL certificates from widely trusted issuers.

Alert valuable customers who are unwitting participants in phishing attacks

Although in some cases certificates have been issued specifically for the purposes of phishing, the more common case is that well-intentioned, bona fide certificate owners find they are unwittingly providing facilities for phishing because their site has been compromised by an attacker.

Having access to timely, professionally validated alerts when phishing attacks occur is operationally efficient and responsible for certificate authorities, as well as an important part of preserving their company's reputation. It gives post-issuance information on troublesome certificates and domains of which the certificate authority might otherwise be blissfully unaware.

Phishing alerts are also a very valuable service for certificate holders, for whom an alert may be the first notification of a serious problem, giving them an opportunity to respond to the attack and regain control of their site before more harm is done.

Immediate benefits

GlobalSign commenced providing this service to all of its certificate owners in August 2012 (press release), and in the first month of the service around 70 distinct certificate owners were alerted to phishing attacks on sites where their certificates were deployed.

During July 2012, Netcraft blocked hundreds of phishing sites which presented unique SSL certificates. The second and third columns are successive subsets of the first: certificates whose Common Name matched the phishing hostname, and, of those, certificates on sites that were actually accessed over https://.

Certificate Authority (CA)   Unique certificates   …with matching Common Names   …and accessed by https://
Symantec                     216                   41                            21
Comodo                       130                   16                             7
Go Daddy                      67                   19                             8
Other                         41                   11                             6
GlobalSign                    39                    2                             1
DigiCert                      12                    2                             2

Taking certificate authority market shares into consideration, Go Daddy has a lower proportion of its SSL certificates used in phishing attacks than the other large CAs, in part because it provides the hosting for a large proportion of the certificates which it issues, and is a long-term user of Netcraft's feed to remove phishing attacks.
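To make the three columns above concrete, here is an added example (not Netcraft's code) of how a CA could bucket validated phishing reports against its own certificate inventory: count distinct certificates of its own seen on phishing hosts, those whose Common Name or SAN actually covers the phishing hostname, and, of those, the ones reached over https://. The certificate serials, hostnames and report URLs are constructed sample data.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class IssuedCert:
    """A certificate in the CA's own inventory (constructed sample data)."""
    serial: str
    common_name: str
    sans: tuple = ()


@dataclass(frozen=True)
class PhishReport:
    """A validated phishing URL plus the serial of the certificate the host presented."""
    url: str
    cert_serial: str


INVENTORY = [
    IssuedCert("01", "www.shop-example.test", ("shop-example.test",)),
    IssuedCert("02", "*.hosting-example.test"),          # wildcard, shared hosting
    IssuedCert("03", "mail.other-example.test"),
]
REPORTS = [
    PhishReport("https://www.shop-example.test/login/", "01"),          # CN matches, https
    PhishReport("http://www.shop-example.test/verify", "01"),           # same cert again
    PhishReport("http://client1.hosting-example.test/bank/", "02"),     # wildcard matches, http
    PhishReport("https://203.0.113.5/secure/", "03"),                   # cert name does not cover host
    PhishReport("https://phish.test/", "99"),                           # not one of our certificates
]


def name_covers_host(name: str, host: str) -> bool:
    """Exact match, or a single leftmost wildcard label (the common browser rule)."""
    name, host = name.lower().rstrip("."), host.lower().rstrip(".")
    if name.startswith("*."):
        return host.endswith(name[1:]) and host.count(".") == name.count(".")
    return name == host


def summarise(reports, inventory):
    """Return the three nested counts used in the table: unique, matching name, https."""
    by_serial = {c.serial: c for c in inventory}
    seen, matching, via_https = set(), set(), set()
    for r in reports:
        cert = by_serial.get(r.cert_serial)
        if cert is None:
            continue                                 # issued by another CA: nothing to alert
        seen.add(cert.serial)
        parts = urlsplit(r.url)
        if any(name_covers_host(n, parts.hostname or "") for n in (cert.common_name, *cert.sans)):
            matching.add(cert.serial)
            if parts.scheme == "https":
                via_https.add(cert.serial)
    return {"unique": len(seen), "matching_cn": len(matching), "https": len(via_https)}
```

The serials in the `matching` set are the ones whose owners should be alerted first, since the certificate is validly serving the phishing page rather than merely sitting on a compromised host.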

Proactive stance against fraud

Netcraft first launched its anti-phishing system in 2005. All phishing sites are carefully validated before an alert is raised. Well over 9.9 million unique phishing sites have been detected and blocked by Netcraft’s system to date [August 2014].

Netcraft’s phishing feed is used in all major web browsers and it is also licensed by many of the leading anti-virus, content filtering, web-hosting and domain registration companies. At least three separate third-party studies have found Netcraft’s anti-phishing blocklist to be the most comprehensive feed available.

Netcraft’s phishing site alerts present an excellent opportunity for service providers to win new customers and reassure existing ones by taking a proactive stance against fraud.

More Information

Please contact us (sales@netcraft.com) for pricing or further details about any of our services.