The sense of safety and credibility that the green padlock in your browser conveys is being exploited by cybercriminals looking to lull users into a false sense of security.
It’s nearly a requirement today: websites need an SSL/TLS certificate so that traffic between the user and the site is encrypted and the connection really terminates at the domain shown in the address bar. Over the years, that padlock has also been read as proof that a site is authentic and that it’s safe to hand over payment or personal details without worry, which is more than the certificate actually certifies.
But cybercriminals are taking advantage of how easily SSL/TLS certificates can be obtained for free, and are using them in social engineering scams that impersonate reputable sites. Certificate authorities such as Let’s Encrypt describe themselves as a “free, automated, and open Certificate Authority”. It’s the free and automated part that should concern you: a domain-validated certificate proves only that the requester controlled the domain at the time of issuance, not who operates the site, so an attacker who registers a lookalike domain can obtain a valid certificate for it within minutes and serve a phishing page or command & control channel over HTTPS from the start, increasing the chances of a successful attack.
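To make the point concrete, here is an added example (not code from the original article) that looks at what a leaf certificate actually vouches for: whether the CA vetted an organisation or only domain control, who issued it, and how recently. It uses only the Python standard library; the two certificate dicts are constructed by hand in the shape `ssl.SSLSocket.getpeercert()` returns, so it runs offline, and the hostnames, issuers, dates and the 7-day “freshly issued” threshold are all invented for illustration.

```python
"""What does the padlock actually vouch for?  Inspect the leaf certificate.

Added example for this article, not code from the original page.  The two
certificate dicts below are constructed in the shape ssl.getpeercert()
returns, so everything runs offline; hostnames, issuers and dates are made up.
The 7-day "freshly issued" threshold is an assumed heuristic, not a standard.
"""
import socket
import ssl

FRESH_CERT_DAYS = 7  # assumed heuristic threshold for "just provisioned"


def _rdn_value(name, attr):
    """Return the first value of `attr` in a getpeercert() subject/issuer tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def assess_certificate(cert, now):
    """Summarise what a leaf certificate proves about the site presenting it.

    `cert` is a dict in ssl.getpeercert() format; `now` is epoch seconds (UTC).
    """
    subject = cert.get("subject", ())
    issuer = cert.get("issuer", ())
    common_name = _rdn_value(subject, "commonName")
    subject_org = _rdn_value(subject, "organizationName")
    issuer_org = _rdn_value(issuer, "organizationName")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    age_days = (now - not_before) / 86400.0

    # Domain Validation (DV) leaves the Subject with no organisation: the CA
    # verified control of the name, nothing about who is behind it.  OV/EV
    # certificates carry an organizationName that the CA vetted.
    validation = "OV/EV" if subject_org else "DV"

    notes = []
    if validation == "DV":
        notes.append(f"DV certificate: proves only that the requester controlled "
                     f"{common_name} at issuance; says nothing about the operator")
    else:
        notes.append(f"Subject organisation vetted by the CA: {subject_org}")
    if age_days < FRESH_CERT_DAYS:
        notes.append(f"issued {age_days:.1f} days ago: freshly provisioned "
                     f"certificate, typical of throwaway phishing domains")

    return {
        "common_name": common_name,
        "sans": sans,
        "issuer": issuer_org,
        "validation": validation,
        "age_days": age_days,
        "notes": notes,
        # Heuristic, not a verdict: DV plus a brand-new certificate is the
        # profile the article warns about.
        "suspicious": validation == "DV" and age_days < FRESH_CERT_DAYS,
    }


def fetch_certificate(host, port=443, timeout=5.0):
    """Retrieve a live server's certificate in the same dict shape (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample data in getpeercert() shape; names and dates are invented.
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar 10 12:00:00 2024 GMT")

SAMPLE_DV_CERT = {
    "subject": ((("commonName", "secure-login-examplebank.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Mar  8 12:00:00 2024 GMT",
    "notAfter": "Jun  6 12:00:00 2024 GMT",
    "subjectAltName": (("DNS", "secure-login-examplebank.com"),
                       ("DNS", "www.secure-login-examplebank.com")),
}

SAMPLE_OV_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Bank N.A."),),
                (("commonName", "www.examplebank.com"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA LLC"),),
               (("commonName", "Example CA OV Intermediate"),)),
    "notBefore": "Mar 10 12:00:00 2023 GMT",
    "notAfter": "Apr 10 12:00:00 2024 GMT",
    "subjectAltName": (("DNS", "www.examplebank.com"), ("DNS", "examplebank.com")),
}

if __name__ == "__main__":
    for cert in (SAMPLE_DV_CERT, SAMPLE_OV_CERT):
        report = assess_certificate(cert, SAMPLE_NOW)
        print(f"{report['common_name']}: {report['validation']} from {report['issuer']}, "
              f"{report['age_days']:.0f} days old, suspicious={report['suspicious']}")
        for note in report["notes"]:
            print("  -", note)
```

Run against the two constructed certificates, the lookalike domain comes back as a two-day-old DV certificate with no organisation behind it, while the bank’s own certificate carries a vetted organisation and a year of history. The same `assess_certificate` call works on the dict returned by `fetch_certificate(host)` for a live site; the browser’s padlock would render identically for both.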
According to F5 Labs’ 2018 Phishing and Fraud Report, 93% of phishing sites and 68% of malware sites used encryption. This use of encryption also blinds any network security control that cannot decrypt TLS: an organization that does not perform TLS inspection at its gateway loses the ability to examine that traffic for threats.
Along with convincing contextual details, encryption is just one more prop cybercriminals use to build trust with the potential victim. The padlock only tells you that the connection is encrypted to the domain shown in the address bar, so it is that domain, not the icon, that deserves scrutiny. Users need to be educated through Security Awareness Training on the tactics used in phishing attacks (including the use of HTTPS and the padlock), how to spot them, and how to avoid becoming a victim and putting the organization at risk.