APWG: SSL Certificates No Longer Indication of Safe Browsing

The Anti-Phishing Working Group (APWG) has released its Phishing Activity Trends Report analyzing phishing attacks and identity theft techniques reported by its members for Q2 of 2020. Key highlights of the report include a significant increase in wire transfer losses attributed to business email compromise (BEC) attacks and a 20% increase in attacks targeting the social media sector. In addition, the observed emergence of phishing sites using Extended Validation (EV) Certificates in Q2 is a stark reminder that phishers are increasingly turning security features against users.

SSL Abuse Continues to Skyrocket

PhishLabs, an APWG contributing member, is tracking the increased use of SSL certificates on phishing sites. Threat actors abuse HTTPS certificates to make phishing pages appear more credible, tricking internet users into believing the site is secure. Alarmingly, almost 80% of phishing sites used SSL certificates during Q2, meaning users should no longer treat the certificate as an indicator of safe browsing.

“The number of phishing sites using TLS continues to increase,” said John LaCour, Founder and CTO of Digital Risk Protection company PhishLabs. “Most web sites—good and bad—now use TLS. Phishers are hacking into legitimate web sites and placing their phishing files on those compromised sites.”

[Figure: SSL Growth]

In addition, PhishLabs has noted the emergence of phishing sites using Extended Validation (“EV”) Certificates.

“The vast majority of certificates used in phishing attacks — 91 percent — are Domain Validated (“DV”) certificates,” noted LaCour. “Interestingly, we found 27 web sites that were using Extended Validation (“EV”) certificates.”

In order to be issued an Extended Validation certificate, a site must provide verification of its legal identity. In theory, EV certificates indicate that a site is more trustworthy, and their presence on phishing sites is significant. 

Emergence of Unique Phishing Campaigns Remains Consistent

APWG tracks the number of unique phishing sites across the globe based on phishing URLs reported by its members. In Q2, the total number of phishing sites decreased by 11% from Q1, with a total of 146,994 detected.

The report also finds that the number of unique phishing campaigns during Q2 has remained comparable to previous quarters, with 127,787 submissions received from consumers and the general public.

[Figure: Most Targeted Industries]

Webmail sites and SaaS remain the most targeted industries during Q2, representing almost 35% of all attacks. Notably, attacks targeting the Social Media sector have increased 20% since Q1, with the majority of attacks pursuing Facebook and WhatsApp.

BEC Wire Transfer Losses Soar

BEC attacks continue to originate predominantly from free webmail accounts with 72% of attacks sent from providers such as Gmail. According to APWG, nearly a quarter of BEC attacks in Q2 were sent from email accounts hosted on domains registered by scammers.

[Figure: Free Webmail Providers]

The amount of money demanded during a BEC attack has increased dramatically when threat actors pursue funds through wire transfer. In Q2 transfer requests averaged $80,183, while in Q1 the amount was $54,000.

More than 200 BEC campaigns are attributed to the emerging Russian actor group “Cosmic Lynx.” These sophisticated attacks span 46 countries and target large, multinational organizations with a dual impersonation scheme. The average amount requested by Cosmic Lynx in its attacks is $1.27 million.

*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Jessica Ellis. Read the original post at: