HackDig : Dig high-quality web security articles for hackers

Demystifying two common misconceptions with e-commerce security

Online shopping has seen a dramatic increase in the months following the Covid-19 outbreak as more and more people opt out of visiting physical stores. Such a phenomenon does not go unnoticed or without additional consequences. During the same time period, we have seen an increase in the usual scams but also digital skimming, the online equivalent of credit
Publish At:2020-11-20 12:42 | Read:113 | Comments:0 | Tags:Cybercrime e-commerce HTTPS iframe Magecart merchant padlock

Digicert revokes a raft of web security certificates

by Paul Ducklin. Here’s a bureaucratic nightmare that unfolded over the weekend. Digicert is one of the Big Five commercial CAs, short for certificate authorities – companies that sign and vouch for the digital certificates that put the S in HTTPS and the padlock in your browser’s address bar. As we’ve mentioned before, web certificates
Publish At:2020-07-13 11:32 | Read:414 | Comments:0 | Tags:Cryptography CA Digicert https TLS web certificate

United States wants HTTPS for all government sites, all the time

by Paul Ducklin. The US government just announced its plans for HTTPS on all dot-gov sites. HTTPS, of course, is short for “secure HTTP”, and it’s the system that puts the padlock in your browser’s address bar. Actually, the government is going one step further than that. As well as saying all dot-gov sites should be available over HTTP
Publish At:2020-06-23 12:49 | Read:550 | Comments:0 | Tags:Uncategorized Encryption https TLS US government web securit

Abuse of HTTPS on Nearly Three-Fourths of all Phishing Sites

Since 2015, PhishLabs has tracked and continues to track how threat actors abuse HTTPS or SSL certs. In particular, threat actors often use HTTPS on their phishing sites to add a layer of legitimacy, better mimic the target site in question, and reduce the chance of being flagged or blocked by some browsers. Last year, threat actors hit
Publish At:2020-06-16 16:16 | Read:448 | Comments:0 | Tags:APWG https

The Problem with HTTPS

Despite the intent of ensuring safe transit of information to and from a trusted website, encrypted protocols (usually HTTPS) do little to validate that the content of certified websites is safe. With the widespread usage of HTTPS protocols on major websites, network and security devices relying on interception of user traffic to ap
Publish At:2020-04-14 12:47 | Read:716 | Comments:0 | Tags:Business + Partners Threat Intelligence https threat intelli

Chrome may bring back ‘www’ with option to show full URLs

by Lisa Vaas. Enough people must have griped about the loss of “www” and “https” in Chrome’s address bar to make Google rethink it: Chromium developers are testing a new Omnibox context menu that would give users the option to “Always Show Full URLs.” You can see what the final rendition of the “Show Full URLs
Publish At:2020-03-30 10:29 | Read:897 | Comments:0 | Tags:Google Google Chrome Web Browsers Always Show Full URLs Cana

Firefox 76 will have option to enforce HTTPS-only connections

by John E Dunn. Converting websites from HTTP to HTTPS over the last decade must count as one of the most successful quiet security upgrades ever to affect web browsing. Using an HTTPS site means that your browser and the site establish an encrypted connection which can’t be snooped on by ISPs, rogue Wi-Fi access points, or anyone else trying to monitor the cont
Publish At:2020-03-27 10:24 | Read:887 | Comments:0 | Tags:Firefox Google Mozilla Security threats Web Browsers browser

Rocket Loader skimmer impersonates CloudFlare library in clever scheme

Fraudsters are known for using social engineering tricks to dupe their victims, oftentimes by impersonating authority figures to instill trust. In a recent blog post, we noted how criminals behind Magecart skimmers mimicked content delivery networks in order to hide their payload. This time, we are looking at a far more clever scheme. This latest skim
Publish At:2020-03-10 12:32 | Read:857 | Comments:0 | Tags:Threat analysis HTTPS JavaScript Magecart skimmer skimming C

APWG Year-End Report: 2019 A Roller Coaster Ride for Phishing

The latest Phishing Activity Trends Report from the Anti-Phishing Working Group (APWG), which compiles insights from member companies, announced that the year-end number of reported phishing websites for 2019 reached a record high. Most menacing, however, are the trends of phishing gangs targeting users of web-hosted email, social media, and busines
Publish At:2020-03-03 17:11 | Read:836 | Comments:0 | Tags:APWG BEC https social media

Let’s Encrypt issues one billionth free certificate

by Danny Bradbury. Last week was a big one for non-profit digital certificate project Let’s Encrypt – it issued its billionth certificate. It’s a symbolic milestone that shows how important this free certificate service has become to web users. Publicly announced in November 2014, Let’s Encrypt offers TLS certificates for free. These cert
Publish At:2020-03-02 09:21 | Read:1010 | Comments:0 | Tags:Cryptography ACME Automated Certificate Management Environme

APWG: Two-Thirds of all Phishing Sites Used SSL protection in Q3

This week, APWG released its findings from Q3, which compile insights from its member companies and provide an analysis of how phishing is changing. The key findings from the latest report show that phishing attacks continued to rise throughout the year, 40% of BEC attacks involve domains registered by the threat actor, and now
Publish At:2019-11-14 16:15 | Read:979 | Comments:0 | Tags:APWG https

COMpfun successor Reductor infects files on the fly to compromise TLS traffic

In April 2019, we discovered new malware that compromises encrypted web communications in an impressive way. Analysis of the malware allowed us to confirm that the operators have some control over the target’s network channel and could replace legitimate installers with infected ones on the fly. That places the actor in a very exclusive club, with capa
Publish At:2019-10-03 07:00 | Read:1697 | Comments:0 | Tags:APT reports Featured Browser Digital Certificates Encryption

49 Percent of Phishing Sites Now Use HTTPS

Since 2015 there has been a steady increase in threat actors’ use of SSL certificates to add an air of legit
Publish At:2019-09-19 22:40 | Read:987 | Comments:0 | Tags:https

More Than Half of Phishing Sites Now Use HTTPS

As more of the web further embraces HTTPS and SSL certs, it’s becoming a requirement that threat actors use it, too. By the end of Q1 2019, more than half of all phishing sites have employed the use of HTTPS, now up to 58% (http://docs.apwg.org/reports/apwg_trends_report_q1_2019.pdf). This is a major milestone and shows that t
Publish At:2019-09-19 22:40 | Read:785 | Comments:0 | Tags:https

APWG: Phishing Continues to Rise, Threat Actors Love Gift Cards

This week APWG released its findings from Q2 of this year, which compile insights from its member companies and provide an analysis of how phishing is changing. This quarter's report shows that phishing attacks continue to increase, both SaaS and email service providers are prime targets, BEC attacks are focused on getting gift
Publish At:2019-09-19 22:40 | Read:1006 | Comments:0 | Tags:Phishing APWG BEC https