The internet community has been taught that one of the key steps in protecting personal information online is to enter it only over an encrypted connection, for example by looking for the lock symbol in the browser address bar or for web addresses beginning with https://. As a result, phishing attacks which make use of SSL certificates are especially dangerous: most users associate the presence of a valid SSL certificate with an increased level of assurance, even though a valid certificate says nothing about whether the content served behind it is genuine. Such attacks erode the reputation of Certificate Authorities and of SSL certificates in general.
While the majority of phishing attacks run over HTTP, a significant number run on sites for which SSL certificates have been issued. In July 2012 alone, Netcraft found phishing attacks using a total of 505 unique valid SSL certificates from widely trusted issuers.
Alert valuable customers who are unwitting participants in phishing attacks
Although in some cases certificates have been issued specifically for the purposes of phishing, the more common case is where well-intentioned, bona fide certificate owners find that they are unwittingly providing facilities for phishing because their site has been compromised by an attacker.
For certificate authorities, having access to timely, professionally validated alerts when phishing attacks occur is both operationally efficient and a responsible practice, as well as an important part of preserving the company's reputation. The alerts provide post-issuance information on troublesome certificates and domains of which the certificate authority might otherwise be entirely unaware.
Phishing alerts are also a very valuable service for certificate holders, for whom they may be the first notification of a serious problem, giving them an opportunity to respond to the attack and regain control of their site before more harm is done.
GlobalSign commenced providing this service to all of its certificate owners in August 2012 (press release), and in the first month of the service around 70 distinct certificate owners were alerted to phishing attacks on sites where their certificates were deployed.
During July 2012, Netcraft blocked hundreds of phishing sites which presented unique SSL certificates:
Certificate Authority (CA) | Unique certificates | …with matching Common Names | …and accessed by https://
Taking certificate authority market shares into consideration, GoDaddy has a lower proportion of its SSL certificates used in phishing attacks than the other large CAs, in part because it provides the hosting for a large proportion of the certificates it issues, and has long used Netcraft's feed to remove phishing attacks from that hosting.
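The three columns of the table above are straightforward to reproduce from a feed of phishing URLs and the certificate each host presented. The following is an added example, not Netcraft's code: it counts, per issuer, the unique certificates seen, how many of those present a name that covers the phishing hostname, and how many of those matching certificates were actually reached over https://. Name matching follows the RFC 6125 rules for a single leftmost-label wildcard, checking subjectAltName first and falling back to the Common Name only when no SANs are present (which is what browsers do; the page's column title refers to Common Names). The issuer names, fingerprints, hostnames and URLs in `SAMPLE` are constructed for illustration and correspond to no real certificate.

```python
"""Tally phishing observations per issuer: unique certs, name matches, https use.

Added example (not Netcraft's code). Standard library only; the sample data
below is constructed and does not describe any real certificate or site.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Certificate:
    """Minimal view of a leaf certificate as a phishing feed might record it."""
    issuer: str
    fingerprint: str             # hash of the DER; used to count unique certs
    common_name: str
    sans: Tuple[str, ...] = ()   # dNSName entries from subjectAltName


@dataclass(frozen=True)
class Observation:
    """One phishing URL plus the certificate the host presented (None for plain HTTP)."""
    url: str
    cert: Optional[Certificate]


def hostname_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125 style match: exact, or '*' as the entire leftmost label.

    A wildcard matches exactly one label, never across a dot, and is rejected
    when it would cover a public-suffix-sized name such as '*.com'.
    """
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return hostname == pattern
    first, _, rest = pattern.partition(".")
    if first != "*" or rest.count(".") < 1:
        return False          # wildcard not the whole leftmost label, or too broad
    h_first, _, h_rest = hostname.partition(".")
    return bool(h_first) and h_rest == rest


def cert_covers_host(cert: Certificate, hostname: str) -> bool:
    """Browsers consult subjectAltName; the CN is only used when SANs are absent."""
    names = cert.sans if cert.sans else (cert.common_name,)
    return any(hostname_matches(hostname, name) for name in names)


def tally_by_issuer(observations: Iterable[Observation]) -> Dict[str, Tuple[int, int, int]]:
    """Return {issuer: (unique certs, ...with matching name, ...and reached over https)}.

    The columns are cumulative, as in the table: a certificate is counted in the
    third column only if it also counted in the second.
    """
    unique = defaultdict(set)
    matching = defaultdict(set)
    matching_https = defaultdict(set)
    for obs in observations:
        if obs.cert is None:
            continue          # plain-HTTP phishing with no certificate: not in the table
        parts = urlsplit(obs.url)
        host = parts.hostname or ""
        issuer, fp = obs.cert.issuer, obs.cert.fingerprint
        unique[issuer].add(fp)
        if cert_covers_host(obs.cert, host):
            matching[issuer].add(fp)
            if parts.scheme == "https":
                matching_https[issuer].add(fp)
    return {
        issuer: (len(unique[issuer]), len(matching[issuer]), len(matching_https[issuer]))
        for issuer in sorted(unique)
    }


# Constructed sample feed; issuer names, fingerprints and hosts are invented.
SAMPLE = [
    # Compromised bona fide site: its own certificate covers the host, served over https
    Observation("https://shop.example.org/login/verify.php",
                Certificate("CA-A", "fp-001", "shop.example.org",
                            ("shop.example.org", "www.shop.example.org"))),
    # Same certificate seen on a second URL: still one unique certificate
    Observation("https://shop.example.org/secure/update.html",
                Certificate("CA-A", "fp-001", "shop.example.org",
                            ("shop.example.org", "www.shop.example.org"))),
    # Hosting-provider certificate presented for a name it does not cover
    Observation("https://bank-login.example.net/",
                Certificate("CA-A", "fp-002", "*.hosting.example", ("*.hosting.example",))),
    # Certificate issued for the phishing domain itself, but the lure links to http://
    Observation("http://secure-account-check.example/auth",
                Certificate("CA-B", "fp-003", "secure-account-check.example")),
    # Wildcard certificate on a compromised site covering the phishing subdomain
    Observation("https://update.blog.example/wp-content/x/",
                Certificate("CA-B", "fp-004", "*.blog.example", ("*.blog.example", "blog.example"))),
    # Plain HTTP with no certificate at all: outside the table entirely
    Observation("http://192.0.2.10/paypal/", None),
]


if __name__ == "__main__":
    print("CA | unique | matching name | ...and https")
    for issuer, (u, m, h) in tally_by_issuer(SAMPLE).items():
        print(f"{issuer} | {u} | {m} | {h}")
```

Counting by fingerprint rather than by URL is what keeps the first column honest: the same compromised site usually hosts several phishing pages under one certificate, and a CA wants to know how many certificates, not how many pages, are involved.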
Proactive stance against fraud
Netcraft first launched its anti-phishing system in 2005. All phishing sites are carefully validated before an alert is raised. Well over 97 million unique phishing sites have been detected and blocked by Netcraft's system to date [February 2021].
Netcraft's malicious site feeds are used in all major web browsers, and they are also licensed by many of the leading anti-virus, content filtering, web-hosting and domain registration companies.
Netcraft’s phishing site alerts present an excellent opportunity for service providers to win new customers and reassure existing ones by taking a proactive stance against fraud.