The number of HTTPS phishing websites will double by the end of 2014

11/09/2014

According to an investigation conducted by experts at TrendMicro, the number of HTTPS phishing sites is increasing and will double by the end of 2014.

Google considers security a top priority, and for this reason the company is starting to use HTTPS as a ranking signal. The aim is to encourage the adoption of HTTPS, but the effort has been noticed by the cybercriminal ecosystem, which is improving its techniques. Recently, experts at TrendMicro discovered a phishing site using HTTPS, and the case isn’t isolated: the number of phishing websites is increasing and researchers believe it can double by the end of 2014.

The experts are also observing the adoption of HTTPS for mobile phishing. As explained by Paul Pajares, Fraud Analyst at TrendMicro, using HTTPS for phishing activities doesn’t require extra effort from cyber criminals: they can either compromise sites that already use HTTPS, or use legitimate websites that already use HTTPS.

“One of the reasons for this spike is that it is easy for cybercriminals to create websites that use HTTPS: they can either compromise sites that already use HTTPS, or use legitimate hosting sites or other services that already use HTTPS. There is no need for the cybercriminals to acquire their own SSL certificate, since they have just abused or compromised servers that do have valid certificates.” reports the blog post published by TrendMicro.

The post mentions the case of a recently discovered PayPal phishing page: the threat actor used HTTPS and valid certificates and deployed the malicious page on a legitimate site that had been compromised. Looking for “HTTPS” and the lock icon in the address is not enough to trust a website; the only way to avoid being victimized by this type of attack is to carefully check the digital certificate presented by the website: it must still be valid, and its common name is usually the same as the domain name.

The experts recommended not using mobile devices for transactions outside authorized apps from legitimate sources, but let me also add that many mobile applications fail to manage SSL certificates correctly, which makes the attackers’ work easier.

“We recommend that users need to check (via a search engine) that they actually are at the same URL of the company’s site. For example, users search PayPal in any trusted search engines if the URL received or accessed by the user is different from the site they’ve found through search engines, despite that it’s “https” and has “padlock” icon, then it’s probably a malicious site. If it is popular banks or financial institutions, the legitimate site will always appear as a top result. The next step is to check for certificate validity. Compromised HTTPS sites may have valid certificates, but users can still check the Certificate Common Name and organization before giving out login credentials. Note that certificate authorities have not issued certificates for malicious sites. The same thing could be said for desktop PCs.” recommended the post.
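The two checks recommended above (is this the domain the user meant to reach, and is the certificate valid for the host), as an added example that is not from the original post or from TrendMicro. It works on dictionaries in the format returned by Python's `SSLSocket.getpeercert()`; the `assess` helper, the domains and the dates are constructed for illustration.

```python
import ssl
from urllib.parse import urlsplit

def cert_names(cert):
    """DNS names in a getpeercert()-style dict: SAN entries, else subject CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or one left-most wildcard label such as *.example.org."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def assess(url, cert, expected_domain, now):
    """Return the reasons not to treat `url` as the site at `expected_domain`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        problems.append("certificate outside validity period")
    if not any(name_matches(n, host) for n in cert_names(cert)):
        problems.append("certificate name does not cover host")
    # The check the padlock cannot make: is this the domain the user meant?
    if host != expected_domain and not host.endswith("." + expected_domain):
        problems.append("host is not the expected domain")
    return problems

# Constructed sample data (reserved example domains, made-up dates).
NOW = ssl.cert_time_to_seconds("Sep 11 00:00:00 2014 GMT")

def make_cert(name, not_after="Jan 01 00:00:00 2015 GMT"):
    return {"subject": ((("commonName", name),),),
            "subjectAltName": (("DNS", name),),
            "notBefore": "Jan 01 00:00:00 2014 GMT", "notAfter": not_after}

if __name__ == "__main__":
    # Phishing page hosted on a compromised site that has its own valid certificate.
    print(assess("https://shop.example.org/pay/login",
                 make_cert("shop.example.org"), "pay.example", NOW))
    # The genuine site, covered by a wildcard certificate.
    print(assess("https://www.pay.example/signin",
                 make_cert("*.pay.example"), "pay.example", NOW))
```

The first case passes every certificate check and is flagged only because the host is not the expected domain, which is the situation the post describes for pages hosted on compromised HTTPS sites.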

According to data provided by TrendMicro, the US is the top affected country by visits to HTTPS phishing sites (38,38), with Brazil and Japan following at a distance in the ranking.

With the increasing use of SSL, it is important to be aware that threat actors are still able to operate.

Pierluigi Paganini
