4.26.2018

How Secure is HTTPS? TLS/SSL Increasingly Used to Transmit Malware

Last updated: 9.16.2020, 3.1.2023

Encryption over the HTTP protocol, also known as HTTPS (TLS over HTTP), is the reason you see a little lock icon next to a web URL. As you likely know, a website using HTTPS encrypts its network traffic. In other words, outside parties or malicious software should not be able to read your communications to and from that website while they are in transit. Any time you perform a transaction over the internet that involves financial or personal information, you should be certain the web server is using HTTPS.

However, even as TLS (Transport Layer Security, referring to encrypting at the Transport Layer of the seven-layer OSI model of networking) has spread to over half of the internet, cybercriminals have engineered malware whose own network traffic uses TLS, disguising it as ordinary encrypted traffic.

HTTPS is increasingly being used as a vehicle for malware to spread across the ‘net. While your information may be secure while it is in transit, the website you’re visiting could still accidentally deliver malware to your computer, or host it on its own servers, harvesting your information or installing a virus.

Here’s how TLS / SSL is being used by malicious actors across the net.


Using TLS To Hide Malware

Google reports that 93% of web traffic it encounters uses encryption. That’s great – it means that network packets, which can hold any info you send or receive over the internet, from private communications to your credit card number, are very likely to be shielded from interception en route.

Various types of malware have been coded to use TLS as a shield of their own, however. In 2016, Cisco reported some 12% of malware taking advantage of the TLS protocol. One year later, Cyren claimed that 37% of malware was using HTTPS, while Zscaler saw closer to a 60% average. (Of course, these companies do have cybersecurity products to sell.)

This means that malware can appear to be a fully secured, genuine packet entering or leaving a website.

This malware doesn’t always use the same network ports, so blocking a single port is unlikely to be an effective rule against TLS-obscured malware. However, malware over TLS does appear more likely to use particular combinations of crypto parameters, TLS extensions, and key sizes, and patterns in this handshake data could be used to screen such traffic.

Once malware reaches its destination, it can attack using a variety of vectors, just as if it were traveling over an unsecured internet. An encrypted malware packet could use script injection to insert a script into an advertisement on an unrelated website, for example. That website may appear secure because it has its own HTTPS certificate, but the undetected malware was able to get through by disguising itself as a secured packet. From there it can steal visitor information or download scripts onto visitor devices.


Vetting Websites for Legitimacy

You also can’t trust a website simply because it has HTTPS installed. While malware infections are possible for legitimate and apparently secure sites, as described above, there are also myriad phishing sites that portray themselves as official, while simply existing to harvest your information.

These websites were not originally supposed to be able to obtain an HTTPS certificate, the file that certifies the site as using the encryption protocol. Symantec (via VeriSign), GeoTrust, Comodo, DigiCert, and others offer certificate services that run into the hundreds of dollars and involve the third party examining your website.

However, low cost and free HTTPS certificate providers have popped up all over, allowing websites that are very likely to be phishing or distributing malware to appear more legitimate.
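A site presenting a valid certificate proves only that whoever set it up controlled the domain at issuance; it says nothing about the operator's legitimacy. The following added example (written for this article, not code from the original post or from any certificate authority) shows the checks a client-side vetting routine can apply to the certificate dict that Python's `ssl` module returns from `getpeercert()`: validity window, how recently the certificate was issued, whether the hostname is actually covered by the certificate's DNS names, and whether the subject carries an organization name at all (a domain-validated certificate, such as the free ones described above, does not). The certificate, hostnames, dates and CA names are constructed for the example.

```python
import ssl

# Constructed sample in the dict format returned by ssl.SSLSocket.getpeercert();
# the hostnames, dates and CA names are made up for this example.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "secure-login.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Free CA"),),
               (("commonName", "Example DV Issuer"),)),
    "notBefore": "Mar 08 00:00:00 2023 GMT",
    "notAfter": "Jun 06 00:00:00 2023 GMT",
    "subjectAltName": (("DNS", "secure-login.example"),
                       ("DNS", "*.secure-login.example")),
}
# Fixed clock so the example is reproducible offline (two and a half days after issuance).
EXAMPLE_NOW = ssl.cert_time_to_seconds("Mar 10 12:00:00 2023 GMT")


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match a SAN DNS entry against a hostname; a wildcard covers exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname


def _rdn_to_dict(name) -> dict:
    """Flatten getpeercert()'s nested ((('key', 'value'),), ...) tuples into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}


def vet_certificate(cert: dict, hostname: str, now: float, min_age_days: float = 7.0) -> list:
    """Return reasons to distrust the site; an empty list means nothing was flagged."""
    findings = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        findings.append("certificate is outside its validity window")
    age_days = (now - not_before) / 86400
    if 0 <= age_days < min_age_days:
        findings.append(f"certificate was issued only {age_days:.1f} days ago")
    san_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_dns_name_matches(name, hostname) for name in san_names):
        findings.append(f"{hostname} is not covered by the certificate's DNS names")
    if "organizationName" not in _rdn_to_dict(cert["issuer"]):
        findings.append("issuer has no organization name")
    if "organizationName" not in _rdn_to_dict(cert.get("subject", ())):
        findings.append("subject has no organization: domain-validated only, identity not vetted")
    return findings


if __name__ == "__main__":
    for finding in vet_certificate(CONSTRUCTED_CERT, "secure-login.example", EXAMPLE_NOW):
        print("-", finding)
```

Run against a live server, the same routine would take `sock.getpeercert()` after `ssl.create_default_context().wrap_socket(...)` completes and `time.time()` as `now`; the default context already rejects expired and untrusted certificates, so the added value here is the age and organization checks, which standard validation never performs.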


How to Stop Encrypted Malware Traffic

It seems like every time a security solution arrives, hackers are ready to subvert it. In this case, for sensitive information that is exposed to public network traffic, organizations may want to deploy deep packet inspection. Many IPS/IDS systems, firewalls, vulnerability protection, anti-malware, and anti-virus services include this feature, but not all are configured to look within the encrypted layer. SSL inspection may become more and more important as malware continues to proliferate under the guise of encryption.
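Full SSL inspection means terminating the TLS session on the inspection device, which requires an internal CA trusted by every client. A good deal can be learned before taking that step, because the parameters the article singles out (cipher suites, TLS extensions, key-exchange groups) travel unencrypted in the ClientHello. The added example below, written for this article and not the code of any IDS vendor or of the JA3 project, parses a ClientHello record, derives a JA3-style fingerprint from those parameters, and raises the kind of findings a passive sensor can produce without decrypting anything: no Server Name Indication, only legacy cipher suites, a client fingerprint not seen before. The two ClientHello packets are constructed inline to stand in for captured traffic; the "known clients" baseline is likewise an assumption of the example.

```python
import hashlib
import struct

SNI_EXT, GROUPS_EXT, POINT_FORMATS_EXT, SIGALGS_EXT = 0x0000, 0x000A, 0x000B, 0x000D
# Cipher suites a current browser has no reason to offer on their own (RC4, 3DES, static RSA).
LEGACY_CIPHERS = {0x0004, 0x0005, 0x000A, 0x002F, 0x0035}


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from(">H", buf, off)[0]


def parse_client_hello(record: bytes) -> dict:
    """Pull the negotiable parameters out of a TLS record that carries a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]              # record header: type(1) version(2) length(2)
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    off = 0
    version = _u16(hello, off); off += 2
    off += 32                                         # client random
    off += 1 + hello[off]                             # legacy session id
    cs_len = _u16(hello, off); off += 2
    ciphers = [_u16(hello, off + i) for i in range(0, cs_len, 2)]; off += cs_len
    off += 1 + hello[off]                             # compression methods
    info = {"version": version, "ciphers": ciphers, "extensions": [],
            "sni": None, "groups": [], "point_formats": []}
    if off + 2 <= len(hello):
        end = off + 2 + _u16(hello, off); off += 2
        while off + 4 <= end:
            etype, elen = _u16(hello, off), _u16(hello, off + 2); off += 4
            data = hello[off:off + elen]; off += elen
            info["extensions"].append(etype)
            if etype == SNI_EXT:                      # list len(2) | name type(1) | name len(2) | name
                info["sni"] = data[5:5 + _u16(data, 3)].decode("ascii", "replace")
            elif etype == GROUPS_EXT:
                info["groups"] = [_u16(data, 2 + i) for i in range(0, _u16(data, 0), 2)]
            elif etype == POINT_FORMATS_EXT:
                info["point_formats"] = list(data[1:1 + data[0]])
    return info


def ja3_string(info: dict) -> str:
    """JA3-style fingerprint: version,ciphers,extensions,groups,point_formats (decimal, dash-joined)."""
    def dash(values):
        return "-".join(str(v) for v in values)
    return ",".join([str(info["version"]), dash(info["ciphers"]), dash(info["extensions"]),
                     dash(info["groups"]), dash(info["point_formats"])])


def ja3_hash(info: dict) -> str:
    return hashlib.md5(ja3_string(info).encode()).hexdigest()


def assess(info: dict, known_clients: set) -> list:
    """Findings a TLS-aware sensor can raise from the ClientHello alone."""
    findings = []
    if info["sni"] is None:
        findings.append("no SNI: client did not name the host it is contacting")
    if info["ciphers"] and set(info["ciphers"]) <= LEGACY_CIPHERS:
        findings.append("only legacy cipher suites offered")
    if info["version"] < 0x0303:
        findings.append("client offers a protocol version below TLS 1.2")
    if ja3_hash(info) not in known_clients:
        findings.append(f"unknown client fingerprint {ja3_hash(info)}")
    return findings


def build_client_hello(ciphers, groups=(0x001D, 0x0017), sni=None) -> bytes:
    """Constructed ClientHello for the example; stands in for a captured packet."""
    def ext(etype, data):
        return struct.pack(">HH", etype, len(data)) + data
    exts = b""
    if sni is not None:
        host = sni.encode()
        exts += ext(SNI_EXT, struct.pack(">HBH", len(host) + 3, 0, len(host)) + host)
    exts += ext(GROUPS_EXT, struct.pack(">H", 2 * len(groups))
                + b"".join(struct.pack(">H", g) for g in groups))
    exts += ext(POINT_FORMATS_EXT, b"\x01\x00")
    exts += ext(SIGALGS_EXT, struct.pack(">HHH", 4, 0x0403, 0x0804))
    cs = b"".join(struct.pack(">H", c) for c in ciphers)
    hello = (struct.pack(">H", 0x0303) + bytes(32) + b"\x00"
             + struct.pack(">H", len(cs)) + cs + b"\x01\x00"
             + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


BROWSER_LIKE = build_client_hello([0x1301, 0x1302, 0xC02B, 0xC02F, 0x002F], sni="example.com")
SUSPICIOUS = build_client_hello([0x0004, 0x000A])     # no SNI, RC4 and 3DES only

if __name__ == "__main__":
    baseline = {ja3_hash(parse_client_hello(BROWSER_LIKE))}
    for label, packet in (("browser-like", BROWSER_LIKE), ("suspicious", SUSPICIOUS)):
        info = parse_client_hello(packet)
        print(label, ja3_string(info), assess(info, baseline))
```

The fingerprint is only a screening signal: a new browser release changes the hash, and malware can copy a browser's handshake, so the baseline needs maintenance and the findings belong in a scoring pipeline rather than a block rule. Where the page's call for SSL inspection is followed, the same parser can still run on the inspection device's own client-facing side to record what each endpoint offered before decryption.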
