IT USED TO BE that the little SSL lock icon in your browser meant you were on a safe URL. Not anymore. Hackers have lately begun making phony, malware-infected websites look legit by equipping them with free or cheap SSL certificates.
These easy-to-attain certificates enable phishing attacks that mimic secure sites and lull end users into a false sense of security. In fact, in its 2019 Annual Threat Report, cybersecurity vendor Webroot reports that 77 percent of last year’s phishing attacks impersonated financial institutions, often using HTTPS protocols to lure victims.
Security software makers are pressuring web browser developers to better scrutinize the integrity of SSL certificates. In the interim, MSPs should protect their SMB customers against these malicious impersonators. Webroot CTO Hal Lonas recommends starting with education. “All of us can stand a refresher about the nature of these attacks,” he says, adding that training should be recurring and open-ended. “Once a year is not enough.”
Lonas also suggests using security awareness training solutions that enable administrators to run phishing simulations. “See who falls for it,” he says. “I think it’s eye-opening to go through those things.”
Dave Seibert, CIO of Irvine, Calif.-based IT Innovators, says he reminds users to “put some practical, common sense into whether you click.” For example, he teaches users to reveal a link’s target by hovering over it.
MSPs must go beyond end-user education, though. True diligence means employing effective DNS filtering technology as well. “DNS filtering is a great service,” Seibert says. “It will help prevent spoofing and hijacking because it’s a service that looks at where you’re really trying to go.”
Endpoint protection solutions such as anti-virus software and firewalls are also critical. The best systems, according to Lonas, are backed by robust threat intelligence. “We actually look at the endpoint, the network, the website interaction,” he says. “We can consider all the variables along the way. We can determine [whether a site is malicious] on the fly because things don’t seem right—maybe it’s got a cheap certificate or maybe [a] bad domain or bad IP address.”
Finally, Seibert advises against developing so-called “mixed-mode” websites that employ HTTPS only on particular pages. Such sites pose a risk when a user visits a secure page and then moves on to an unsecured one. “It still uses a token, something to identify me,” Seibert says, “and it’s still the same token. So, when I go to the nonsecure page, hackers can get my data.” Better to put the whole website behind HTTPS, he advises.
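The mixed-mode risk comes down to which cookies a browser attaches to a plain-HTTP request. The Python sketch below is an added example, not code from the article or from anyone quoted in it; the site name, cookie names and values are constructed, and only the browser's scheme rule for the `Secure` cookie attribute is modelled.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers, as the HTTPS login page of a hypothetical
# mixed-mode site (shop.example.com) might send them.
MIXED_MODE = [
    "session=abc123; Path=/; HttpOnly",       # no Secure attribute
    "csrf=def456; Path=/; Secure; HttpOnly",
]

def secure_flags(headers):
    """Map each cookie name to True if its Set-Cookie header carries Secure."""
    flags = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            flags[name] = bool(morsel["secure"])
    return flags

def cookies_sent(headers, url):
    """Cookie names a browser would attach to a request for url.

    Simplification: only the scheme rule is modelled (Secure cookies travel
    over https only); domain and path matching are ignored.
    """
    is_https = urlsplit(url).scheme == "https"
    return sorted(name for name, secure in secure_flags(headers).items()
                  if is_https or not secure)

def harden(headers):
    """Return the headers with Secure appended wherever it is missing."""
    hardened = []
    for header in headers:
        already_secure = all(secure_flags([header]).values())
        hardened.append(header if already_secure else header + "; Secure")
    return hardened

if __name__ == "__main__":
    http_page = "http://shop.example.com/catalog"
    print("mixed-mode, sent over HTTP:", cookies_sent(MIXED_MODE, http_page))
    print("hardened, sent over HTTP:  ", cookies_sent(harden(MIXED_MODE), http_page))
```

Marking the token `Secure` keeps it off unencrypted requests, but the unsecured pages themselves remain open to tampering, which is why serving the whole site over HTTPS is the sturdier fix.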