HTTPS Attacks - Phishing

TLDR: In this scenario, the attacker successfully leverages the user's trust in HTTPS to steal credentials by creating a convincing fake website and prompting users to interact with it through a well-crafted phishing email.

In Layerman"s terms
Protagonists
Bob: A visitor to a small shop.
Alice: The shop owner.
Jack: A prankster.

Jack wants to trick Alice's customers like Bob. Jack sets up a fake booth near Alice's shop that looks identical to Alice's booth. When Bob approaches, thinking it's Alice's booth, Jack (pretending to be Alice) offers special deals and asks for Bob's personal information and payment details. Bob, believing he is dealing with Alice, provides this sensitive information. Jack then uses this information for malicious purposes, such as stealing Bob's money. Meanwhile, Alice is unaware that her customers are being deceived by Jack’s fake booth.

Scenario: Phishing attacks leveraging HTTPS to steal user credentials

Step 1: Fake Social Media Website

Setup:

-An attacker creates a fake login page that is a perfect replica of a popular social media platform's login page. This includes copying the design, layout, logos, and even the small details like privacy policies and terms of service links.

  • The attacker registers a domain name similar to the legitimate social media site, such as https://login-facebook.com. The similarity in the URL helps to trick users into thinking the site is legitimate.
  • The attacker obtains an SSL/TLS certificate for the fake site, ensuring that it uses HTTPS. This can often be done through free certificate authorities like Let's Encrypt.

Purpose: The goal is to create a convincing fake login page that users will not easily distinguish from the real one. The HTTPS padlock in the browser's address bar adds a layer of perceived legitimacy.

Step 2: Phishing Email

Creation:

  • The attacker drafts a phishing email designed to look like an official communication from the social media platform. The email uses the platform's logo, color scheme, and tone of voice.
  • The email claims that there has been suspicious activity on the recipient's social media account, such as a login attempt from an unknown device or location.

Content:

  • The email urges the recipient to take immediate action to secure their account by logging in to verify their identity. It provides a prominent link to the fake login page (https://login-socialmedia.com).
  • The email might also contain warnings about potential consequences if the recipient does not act quickly, adding a sense of urgency.

Delivery:

  • The attacker sends the phishing email to a large number of potential victims, often using email lists obtained from data breaches or purchased from underground forums.

Step 3: User Interaction

Reception:

A user receives the phishing email and, due to the urgency and apparent legitimacy, decides to follow the instructions provided. The user clicks on the link, which opens the fake login page in their browser.

Perceived Security:

The user sees the HTTPS padlock in the browser's address bar, which reassures them that the site is secure. This false sense of security is crucial for the attack's success. Action:

Trusting the site, the user enters their social media username and password into the login form on the fake page.

Step 4: Credential Theft*

Data Capture:

As soon as the user submits their credentials, the information is sent to the attacker's server. The form data might be sent through a backend script that captures the username and password and stores it in a database controlled by the attacker.

Immediate Use: The attacker can use the captured credentials to log into the user's actual social media account. With access to the account, the attacker can perform various malicious actions, such as:

  • Changing the account password to lock the user out.
  • Sending phishing messages to the user's contacts.
  • Accessing private messages and sensitive information.
  • Using the account for further social engineering attacks.

Long-term Use: The attacker can also sell the stolen credentials on underground markets, where other criminals can buy them for their own purposes.

Explanation

Perceived Legitimacy: HTTPS encrypts the data transmitted between the user and the fake website, providing a padlock symbol in the browser's address bar. This symbol is often associated with security and legitimacy, leading users to trust the site.

Deception: The similarity of the fake URL to the legitimate one, along with the HTTPS padlock, effectively deceives users into thinking they are interacting with the real social media platform.

Security Implications: Users' trust in HTTPS is exploited, highlighting the need for additional security measures, such as educating users about phishing attacks and the importance of verifying URLs, even when HTTPS is present.