Encryption over the HTTP protocol, better known as HTTPS (HTTP carried inside a TLS connection), is the reason you see a little lock icon next to a web address. As you likely know, a website served over HTTPS encrypts its traffic in transit. In other words, outside parties or malicious software on the network path should not be able to read or tamper with your communications to and from that website. Any time you perform a transaction over the internet that involves financial or personal information, you should be certain the web server is using HTTPS.
However, even as TLS (Transport Layer Security; despite the name, it runs on top of TCP rather than at the transport layer of the seven-layer OSI model) has spread to more than half of the internet, clever cybercriminals have learned to wrap their own malware traffic in TLS so that it looks like any other encrypted session.
HTTPS is increasingly being used as a vehicle for malware to spread across the ‘net. While your information may be protected while it is in transit, the website you’re visiting could still slip malware to your computer, whether by hosting it on its own servers or by loading it from a third party, and that malware can harvest your information or install a virus.
Here’s how TLS / SSL is being used by malicious actors across the net.
Google reports that 93% of the web traffic it encounters is encrypted. That’s great – it means that network packets, which can carry anything you send or receive over the internet, from private communications to your credit card number, are very likely to be shielded from interception en route.
Various types of malware have been coded to use TLS as a shield of their own, however. In 2016, Cisco reported some 12% of malware taking advantage of the TLS protocol. One year later, Cyren claimed that 37% of malware was using HTTPS, while Zscaler saw closer to a 60% average. (Of course, these companies do have cybersecurity products to sell.)
This means that malware traffic can look like any other legitimate, encrypted connection entering or leaving a network: an observer on the wire sees a normal TLS handshake followed by opaque ciphertext.
This malware doesn’t always use the same network ports, so blocking a single port is not an effective strategy for stopping TLS-wrapped malware. However, malware over TLS does appear more likely than mainstream browsers to offer particular cryptographic parameters, TLS extensions, and key sizes. Because the ClientHello that opens a TLS session is sent in the clear, those choices can be recorded without decrypting anything, and a pattern built from them can help screen traffic.
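To show what that screening looks like in practice, here is an added example (not code from this article or from any of the vendors it cites) that parses a TLS ClientHello, derives a JA3-style fingerprint from it (TLS version, cipher suites, extensions, supported groups and point formats, joined and hashed with MD5, the convention many IDS tools use), and applies a simple rule over the parsed fields. The two ClientHello messages are constructed in the script, and the thresholds in `screen()` (at least eight non-GREASE cipher suites, at least three extensions, a server name present) are illustrative assumptions, not figures taken from the statistics quoted above.

```python
"""Fingerprint a TLS ClientHello without decrypting the session.
Added example for this article (not the author's or any vendor's code); the
two ClientHello messages and screening thresholds are constructed for illustration."""
import hashlib
import struct

EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS, EXT_ALPN = 0, 10, 11, 16  # IANA codes


def u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def is_grease(v):
    """GREASE values (0x0a0a, 0x1a1a, ...) are random filler modern browsers send; JA3 drops them."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def build_client_hello(version, ciphers, extensions):
    """Assemble one TLS record carrying a ClientHello (used here to construct sample input)."""
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"      # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # cipher suites, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_ext(host):
    name = b"\x00" + struct.pack("!H", len(host)) + host.encode()
    return EXT_SERVER_NAME, struct.pack("!H", len(name)) + name


def groups_ext(groups):
    data = b"".join(struct.pack("!H", g) for g in groups)
    return EXT_SUPPORTED_GROUPS, struct.pack("!H", len(data)) + data


def alpn_ext(protocols):
    data = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
    return EXT_ALPN, struct.pack("!H", len(data)) + data


def parse_client_hello(record):
    """Extract the cleartext fields a passive network sensor can read from a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # session id
    cs_len, pos = u16(body, pos), pos + 2
    ciphers = [u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression methods
    info = {"version": u16(body, 0), "ciphers": ciphers, "extensions": [],
            "groups": [], "point_formats": [], "sni": None}
    end = pos + 2 + u16(body, pos) if pos + 2 <= len(body) else pos
    pos += 2
    while pos + 4 <= end:
        etype, elen = u16(body, pos), u16(body, pos + 2)
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        info["extensions"].append(etype)
        if etype == EXT_SERVER_NAME:               # list len(2), type(1), name len(2), name
            info["sni"] = data[5:5 + u16(data, 3)].decode("ascii", "replace")
        elif etype == EXT_SUPPORTED_GROUPS:
            info["groups"] = [u16(data, i) for i in range(2, 2 + u16(data, 0), 2)]
        elif etype == EXT_EC_POINT_FORMATS:
            info["point_formats"] = list(data[1:1 + data[0]])
    return info


def ja3(info):
    """JA3 string (version,ciphers,extensions,groups,point_formats, GREASE removed) and its MD5."""
    fld = lambda vals: "-".join(str(v) for v in vals if not is_grease(v))
    text = ",".join([str(info["version"]), fld(info["ciphers"]), fld(info["extensions"]),
                     fld(info["groups"]), "-".join(map(str, info["point_formats"]))])
    return text, hashlib.md5(text.encode()).hexdigest()


def screen(info, min_ciphers=8, min_extensions=3):
    """Illustrative rule (thresholds are assumptions): flag hellos unlike a mainstream browser's."""
    reasons = []
    if info["sni"] is None:
        reasons.append("no SNI")
    if sum(not is_grease(c) for c in info["ciphers"]) < min_ciphers:
        reasons.append("short cipher-suite list")
    if len(info["extensions"]) < min_extensions:
        reasons.append("few extensions")
    return reasons


# Constructed samples: a browser-like hello (with a GREASE suite) and a sparse, SNI-less one.
BROWSER_HELLO = build_client_hello(0x0303,
    [0x0A0A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC02C, 0xC030, 0xCCA9, 0xCCA8,
     0xC013, 0xC014, 0x009C, 0x009D, 0x002F, 0x0035],
    [sni_ext("example.com"), groups_ext([0x001D, 0x0017, 0x0018]),
     (EXT_EC_POINT_FORMATS, b"\x01\x00"), alpn_ext(["h2", "http/1.1"])])  # one format: uncompressed
SPARSE_HELLO = build_client_hello(0x0303, [0x002F, 0x0035, 0x000A], [groups_ext([0x0017])])

if __name__ == "__main__":
    for label, rec in (("browser-like", BROWSER_HELLO), ("sparse", SPARSE_HELLO)):
        info = parse_client_hello(rec)
        print(label, ja3(info)[1], ja3(info)[0], screen(info) or "passes screen")
```

The fingerprint works on TLS 1.2 and 1.3 alike because the ClientHello is still sent in cleartext in both; it would lose the server name if Encrypted ClientHello is deployed. Legitimate software changes its handshake with every release, so in production the hashes are best used as an allowlist of known client software per host, with anything unknown sent for review, rather than as a static blocklist.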
Once malware reaches its destination, it can attack using the same variety of vectors it would use over an unencrypted connection. For example, a malicious script delivered over HTTPS could be injected into an advertisement displayed on an unrelated website. That website appears secure because it has its own HTTPS certificate, but the undetected malware got through because it, too, traveled inside an encrypted connection. From there it can steal visitor information or download further scripts onto visitor devices.
Nor can you trust a website simply because it uses HTTPS. Malware infections of legitimate and apparently secure sites are possible, as described above, but there are also myriad phishing sites that present themselves as official while existing only to harvest your information.
Such sites were originally not expected to be able to obtain an HTTPS certificate, the file that binds a domain name to the site’s public key so that browsers can verify the encrypted connection. Symantec (via VeriSign), GeoTrust, Comodo, DigiCert, and others offer certificate services that run into the hundreds of dollars and involve the issuer vetting the organization behind the website.
However, low-cost and free certificate providers have since popped up all over. A basic, domain-validated certificate proves only that its holder controls the domain name, not who that holder is, so websites that are very likely phishing or distributing malware can show the same lock icon and appear more legitimate.
It seems like every time a security solution arrives, hackers are ready to subvert it. In this case, for sensitive environments exposed to public network traffic, organizations may want to deploy deep packet inspection. Many IPS/IDS systems, firewalls, vulnerability protection, anti-malware, and anti-virus services include this feature, but not all are configured to look within the encrypted layer. Doing so (SSL/TLS inspection) means the inspecting device terminates each client’s TLS session with a certificate issued by an enterprise CA that every managed endpoint must trust, and opens a second session to the real server; that creates a point where plaintext is exposed and breaks applications that pin their certificates, so it must be deployed deliberately rather than switched on by default. Even so, SSL inspection may become more and more important as malware continues to proliferate under its guise.