In terms of figures, this amounted to 800,000 encrypted transactions that were being blocked each day. The first half average was 600,000.
In response to a query from iTWire, a company spokesperson said that while it had observed many instances of genuine certificates involved in phishing attacks and malware delivery, most certificates in malware callbacks were self-signed.
The company's bi-annual ThreatLabZ research update said attackers were leveraging SSL encrypted channels right through the attack cycle:
- initial delivery vectors like malvertising, compromised sites, phishing pages, and malicious sites hosted the initial loading page;
- this led to the exploit and/or malware delivery stage – use of SSL to deliver exploit and/or malware payloads; and
- call home activity – many prevalent malware families are using the SSL-based command and control communication protocol.
One method used a phishing page on a legitimate domain that had been compromised to deliver malware. Another used newly registered domains with similar but incorrect addresses that were programmed to imitate the websites of well-known brands like DocuSign, Microsoft, Apple and Dropbox.
ThreatLabZ also said it had found new malicious payloads that were using SSL/TLS for communication with command and control server activity, including malicious documents, APKs, and executables.
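Two of the findings above give a defender something concrete to look for in TLS connection logs: self-signed certificates on outbound callbacks, and newly registered hostnames that imitate brands such as DocuSign, Microsoft, Apple and Dropbox. The following Python script is an added example, not Zscaler's or ThreatLabZ's code, that triages a handful of constructed log records for those indicators. The log fields (`sni`, `issuer`, `subject`, `domain_age_days`), the brand watch-list, the 30-day "newly registered" threshold and the edit-distance cut-off are all assumptions made for the illustration; a real deployment would use a public-suffix list for the domain split and its own brand inventory.

```python
"""
Added example: triage outbound TLS connection records for two indicators
described in the ThreatLabZ update: self-signed server certificates and
brand look-alike hostnames. All records, thresholds and the brand list
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed brand watch-list (the brands named in the article).
BRAND_DOMAINS = ["docusign.com", "microsoft.com", "apple.com", "dropbox.com"]
NEW_DOMAIN_DAYS = 30   # assumed threshold for "newly registered"


@dataclass
class TlsRecord:
    src_ip: str
    sni: str              # server name from the ClientHello
    issuer: str           # certificate issuer DN as logged
    subject: str          # certificate subject DN as logged
    domain_age_days: int  # assumed enrichment from WHOIS/RDAP lookup


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short labels, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Enough for the sample; use a
    public-suffix list in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_self_signed(rec: TlsRecord) -> bool:
    """A self-signed certificate has identical issuer and subject."""
    return rec.issuer.strip() == rec.subject.strip()


def lookalike_brand(host: str, max_distance: int = 2) -> Optional[str]:
    """Return the brand a hostname imitates, or None if it is the genuine
    site or unrelated to any brand on the watch-list."""
    dom = registrable_domain(host)
    dom_label = dom.split(".")[0]
    for brand in BRAND_DOMAINS:
        if dom == brand:
            return None  # the real thing
        brand_label = brand.split(".")[0]
        # typo-squat (close edit distance) or brand name embedded in a longer label
        if levenshtein(dom_label, brand_label) <= max_distance or (
            brand_label in dom_label and dom_label != brand_label
        ):
            return brand
    return None


def triage(rec: TlsRecord) -> List[str]:
    """List the indicators raised for one connection record."""
    findings: List[str] = []
    if is_self_signed(rec):
        findings.append("self-signed-cert")
    brand = lookalike_brand(rec.sni)
    if brand:
        findings.append(f"lookalike:{brand}")
    if rec.domain_age_days < NEW_DOMAIN_DAYS:
        findings.append("newly-registered")
    return findings


def triage_log(records: List[TlsRecord]) -> Dict[str, List[str]]:
    """Map each SNI in the log to the indicators it raised."""
    return {r.sni: triage(r) for r in records}


# Constructed sample log: one benign record and three worth a second look.
SAMPLE_LOG = [
    TlsRecord("10.0.0.5", "www.docusign.com", "CN=Example Public CA", "CN=www.docusign.com", 5000),
    TlsRecord("10.0.0.7", "docusign-login.com", "CN=Example Public CA", "CN=docusign-login.com", 3),
    TlsRecord("10.0.0.9", "update.example.net", "CN=update.example.net", "CN=update.example.net", 12),
    TlsRecord("10.0.0.11", "dropb0x.com", "CN=Example Public CA", "CN=dropb0x.com", 8),
]

if __name__ == "__main__":
    for sni, hits in triage_log(SAMPLE_LOG).items():
        print(f"{sni:25s} {hits or 'clean'}")
```

The genuine `www.docusign.com` record raises nothing, while the embedded-brand, self-signed and typo-squatted records each surface the indicator the article describes; in practice these findings would feed a review queue rather than an automatic block, since a young domain or a self-signed certificate on its own is common in legitimate traffic.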
Deepen Desai, senior director of Research and Security Operations, Zscaler, said, “Web properties are quickly adopting SSL/TLS to curb privacy concerns, but without inspection of encrypted traffic, enterprises run the risk of an attack.
“Yet, SSL inspection can cause significant performance degradation on security appliances. These latest findings suggest that a multi-layer defence-in-depth strategy that fully supports SSL/TLS inspection is essential to ensure enterprises are secure.”