{"id":2342,"date":"2020-03-27T03:27:43","date_gmt":"2020-03-27T00:27:43","guid":{"rendered":"http:\/\/kusuaks7\/?p=1947"},"modified":"2023-12-22T16:55:58","modified_gmt":"2023-12-22T16:55:58","slug":"https-phishing-the-rise-of-url-based-attacks","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/software-ux-ui\/https-phishing-the-rise-of-url-based-attacks\/","title":{"rendered":"HTTPS Phishing: The Rise of URL-Based Attacks …"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

A new FireEye report shows a recent spike in URL-based HTTPS phishing attacks<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tIf you\u2019re a regular reader of Hashed Out, you know that\u00a0we have been sounding the alarm on HTTPS phishing<\/a>\u00a0for a\u00a0couple of years now<\/a>. Recently, the Anti-Phishing Working Group published a study that found\u00a058% of all phishing websites are now served via HTTPS<\/a>. Some reports put that number as high as 90%.\n

\"HTTPS<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tOn Tuesday,\u00a0FireEye released its Q1 2019 Phishing Trends report<\/a>\u00a0and one of its key findings is that HTTPS phishing is continuing to evolve.\n
In 2018, FireEye reported that URL-based attacks had overtaken attachment-based attacks as a means of delivery. This trend continued in Q1 2019. URL-based attacks are harder to identify because they require a more dynamic means of detection.<\/blockquote>\nSo, today, we\u2019re going to talk about what URL-based HTTPS phishing is, the rate at which it\u2019s increasing and we\u2019ll wax philosophic about how get here.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tLet\u2019s hash it out.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Free SSL and the rise of HTTPS Phishing<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThe original SSL certificate was actually Organization Validation. And at least part of the thinking was that since we\u2019re trying to teach users that HTTPS is synonymous with security, it would be kind of counterproductive if malicious actors could easily slap a certificate on their website and make it say \u201chttps:\/\/.\u201d\n

\"\"<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThat was a somewhat noble, if deeply flawed approach. Obviously, there shouldn\u2019t be an economic barrier to HTTPS. All websites should be encrypting their connections,\u00a0it\u2019s basically a standard at this point<\/a>\u00a0thanks to the browsers. The downside of that is when something is universally available \u2013 when there is zero barrier \u2013 bad guys can get it, too.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tNow we\u2019re kind of at a crossroads where the old talking points, about looking for the protocol and the padlock, are being taken advantage of by phishing websites and criminals. There\u2019s already so much that can be done to make a website look convincing, that extra little flourish just really brings it home sometimes.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tNow, we are not blaming free SSL \u2013 we have to make this disclaimer every single time \u2013 public CAs are a good thing. But like all good things people find ways to take advantage.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tHTTPS phishing is one of the most pernicious ways of all of them.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

What is URL-based HTTPS phishing?<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tGenerally, when we refer to HTTPS phishing we\u2019re discussing the landing page or watering hole site that a user arrives at. It\u2019s easy to get confused because phishing is often considered to be \u201cjust an email thing,\u201d but really, the email is usually just the opening salvo. Sometimes it asks you to open an attachment. Other times it takes you to a malicious website.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\nThe problem is that phishing can be combated with education. Studies show that with phishing simulations run over time, and with enough frequency, employees can show marked improvement when it comes to identifying phishing emails. And a couple of the tenants of those educational simulations are not to trust attachments and to avoid following suspicious links.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tSo, as the proverbial game of cat and mouse continues now the criminals are evolving.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tFireEye identifies two different variants of URL-based attacks \u2013 well, really one is a variation of the other \u2013 but the premise is basically the same in each: send an email with no content; only a believable link in the body.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tNow, I realize that sounds incredibly dumb. And it wouldn\u2019t work on its own if it\u2019s emanating from a random email address that the target wouldn\u2019t recognize. But when coupled with other tactics, it\u2019s clearly working well enough that FireEye has noticed a 26% increase over the first three months of 2019.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
\n
\n

[Overall,] FireEye saw a 17% increase in phishing attacks in Q1 2019 compared to Q4 2018. In a typical attack, the email appeared to come from a well-known contact and\/or trusted company.<\/p>\n<\/blockquote>\n<\/figure>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tIn fact, URL-based attacks are now the most prevalent method for delivering a malicious payload.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tQuick example, with a little social engineering, you can change the \u201cfrom:\u201d field in an email to someone in the company. Here\u2019s an email purporting to be from our owner:\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tSpearphishing email purportedly from Rapid Web Services, LLC CEO\/Owner John Tuncer\n\n\nNow, if you\u2019re diligent you could verify the actual address it came from or check the email header, but a lot of people aren\u2019t going to do that.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\nYou can see how someone could fall for it.\u00a0This looks like it came from Dan in sales and he\u2019s always sending you funny stuff<\/em>\u00a0and you\u00a0click<\/strong>\u00a0on it.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tSo, that\u2019s the first variant, the content-less email. It\u2019s literally just a link.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThis has the added benefit of making it harder for spam filters to detect. The lack of content in the email itself doesn\u2019t give the filter enough to know whether or not it\u2019s malicious. And obviously, as we just touched on it plays on the curiosity and impetuousness of the target.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThen there\u2019s a variant of the no content email, which is to make the link non-clickable. That way it makes it even harder for the filter to detect because there\u2019s no active link in the email. The link isn\u2019t active until the target pastes it into their browser\u2019s address bar.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tIt almost seems like the sender just forgot to hit return on the line before sending the email.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Now, these emails occur without the HTTPS component, too. You don\u2019t HAVE to have an SSL certificate to do it. But, being able to affix HTTPS to the beginning of that URL adds another layer of believability and, as we\u2019ve discussed, sometimes it\u2019s that last little brush stroke that pushes it over the threshold.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tAgain, the only defense with any level of efficacy is education.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

What do we do about HTTPS phishing?<\/h2>\n<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tAt this point, it\u2019s probably too late to put the toothpaste back into the tube. And some in the industry are taking action. Google, which has really led the way on the entire HTTPS initiative, is in the process of scaling back its visual indicators.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tIdeally, it wants to remove the protocol (https:\/\/) and the padlock from the address bar entirely and just give HTTPS sites neutral treatment.\u00a0HTTP sites are already receiving a negative indicator<\/a>. The idea would be that HTTPS is now the status quo.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThe bigger question the industry is wrestling with is how do you treat the higher-validation certificates. Historically, OV has received the same treatment as DV. It might be worth continuing to allow OV sites to use the padlock. And of course the debate over EV never ends. At this point it\u2019s not even really worth re-hashing as everyone seems to be so entrenched in their beliefs on the topic.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tSuffice to say, at the very least\u00a0we can\u2019t keep giving DV sites positive indicators<\/a>. In the long run, we would be wise to overhaul our trust indicators entirely.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tAs always, leave any comments or questions below\u2026<\/em>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

is the voice of record in the SSL\/TLS industry.” <\/p>

#HTTPS PHISHING<\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

A new FireEye report shows a recent spike in URL-based HTTPS phishing attacks If you\u2019re a regular reader of Hashed Out, you know that\u00a0we have been sounding the alarm on HTTPS phishing\u00a0for a\u00a0couple of years now. Recently, the Anti-Phishing Working Group published a study that found\u00a058% of all phishing websites are now served via HTTPS.<\/p>\n","protected":false},"author":603,"featured_media":8333,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[200],"tags":[93],"ppma_author":[3312],"class_list":["post-2342","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-software-ux-ui","tag-internet-of-things"],"authors":[{"term_id":3312,"user_id":603,"is_guest":0,"slug":"patrik-nohe","display_name":"Patrik Nohe","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=mm&r=g","user_url":"","last_name":"Nohe","first_name":"Patrik","job_title":"","description":"Patrick Nohe, Content Manager for The SSL Store™ and  Hashed Out's Editor-in-Chief, started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago."}],"_links":{"self":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/2342","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/users\/603"}],"replies":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/comments?post=2342"}],"version-history":[{"count":10,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/2342\/revisions"}],"predecessor-version":[{"id":35153,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/2342\/revisions\/35153"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media\/8333"}],"wp:attachment":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media?parent=2342"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/categories?post=2342"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/tags?post=2342"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=2342"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}