The use of valid, easy-to-obtain transport layer security (TLS) certificates by fraudsters impersonating real sites shows no sign of abating, statistics from internet services company Netcraft indicate.
Thousands of TLS certificates have been issued for phishing sites with host names such as login-appleid.com-direct-apple.com. Netcraft said the majority were issued by just two certificate authorities, Let's Encrypt and Comodo.
Let's Encrypt is a certificate authority run by the Internet Security Research Group. Supported by digital rights lobby group the Electronic Frontier Foundation and tech companies like Cisco, Akamai, Mozilla and OVH, it provides free SSL/TLS certificates with the aim of securing internet traffic.
Comodo is a commercial certificate authority. Netcraft noted that between January 1 and March 31 this year, it blocked 47,500 sites with valid TLS certificates. Of these, 61 percent were issued by Let's Encrypt, and 36 percent by Comodo.
Fraudsters are drawn to Let's Encrypt and Comodo as both offer free, automated domain-validated certificates to end users.
Netcraft said the use of TLS by phishing sites is particularly dangerous to consumers, as legitimate organisations will mark them as trustworthy.
"Consumers have been trained to look for padlocks, security indicators, and https:// in the address bar in their browser before submitting sensitive information, such as passwords and credit card numbers, to websites," Netcraft said.
Let's Encrypt checks sites against Google's safe browsing API to combat phishing and malware dissemination. Netcraft said this is not effective when certificates are issued automatically and installed before the deceptive phishing content has been uploaded, detected and blocked by the Google security feature.
While certificate authorities argue they are not well placed to police the issuance of TLS certificates, Netcraft suggested they should check the hostnames for hints that fraud might be afoot.
As an example, Netcraft pointed to the update.wellsfargo.com.casaelogica.cl hostname, which it said a certificate authority would be better placed to prevent from being misused than the registrar for the casaelogica.cl domain name, as the latter contains no hints that it might be used for phishing.
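The kind of hostname hint-check Netcraft describes, as an added example (not Netcraft's or any certificate authority's code); the brand list, the tiny suffix table and the three rules are assumptions standing in for a real watch list and the Public Suffix List:

```python
"""Pre-issuance hostname screening of the kind Netcraft suggests a CA could run.
Added example, not Netcraft's or any CA's code; brand list, suffix table and
rules are assumptions."""
import re

# Constructed watch list; a real deployment would use a large curated list.
BRAND_TOKENS = ("apple", "wellsfargo", "paypal")

# Constructed, deliberately tiny stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br"}


def registrable_domain(hostname: str) -> str:
    """Return the part of the hostname that the registrar actually sold."""
    labels = hostname.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def phishing_hints(hostname: str) -> list[str]:
    """Return the hints found in a hostname; an empty list means none."""
    host = hostname.lower().rstrip(".")
    base = registrable_domain(host)
    prefix = host[: -len(base)].rstrip(".")   # labels the registrant adds freely
    base_label = base.split(".")[0]
    hints = []
    # 1. A brand name in the subdomain part is invisible to the registrar
    #    (it only sold the base domain) but visible to the CA at issuance.
    for token in BRAND_TOKENS:
        if token in prefix:
            hints.append(f"brand '{token}' in subdomain of {base}")
        elif token in base_label and base_label != token:
            hints.append(f"brand '{token}' embedded in registrable domain")
    # 2. A fake TLD glued into a label, e.g. "wellsfargo.com." or "com-direct",
    #    checked over everything left of the real TLD.
    if re.search(r"\b(com|net|org)(?=[.-]|$)", host.rsplit(".", 1)[0]):
        hints.append("embedded pseudo-TLD before the real TLD")
    # 3. Credential-themed words that seldom belong in a legitimate hostname.
    if re.search(r"\b(login|signin|update|verify)\b", prefix):
        hints.append("credential-themed label")
    return hints
```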