SSL-Enabled Site Sending Malware Disguised as Meltdown/Spectre Fix

Just one more example why the current security indicators have to go.

As we covered last week, Meltdown and Spectre have computer owners scrambling to patch their systems. Many of those patches work. Some slow down performance. Others are just malware.

That’s right, as is wont to happen on the internet, some people have followed up a bad decision by choosing to actively do even more harm. In this case, Malwarebytes reports that one site targeting German users is sending Smoke Loader malware disguised as a patch.

We identified a recently registered domain that is offering an information page with various links to external resources about Meltdown and Spectre and how it affects processors. While it appears to come from the German Federal Office for Information Security (BSI), this SSL-enabled phishing site is not affiliated with any legitimate or official government entity.


Right up top, this shows that this website had an active SSL certificate. This one was issued by Comodo through Cloudflare (who, to their credit, shut this site down within minutes of being notified). Once again, it’s time to beat this dead horse.

The Current SSL Visual Indicators MUST Change

Last year Google changed its visual indicators: it added the word “Secure” next to the green padlock that used to represent a secure connection on its own. This change, putting “Secure” prominently in the address bar, has not worked out the way I’m sure Google planned. While having your website say “Secure” is certainly an attractive reason to adopt HTTPS, the truth is that it lulls internet users into a false sense of security.

The evidence is there, both anecdotal and statistical. Phishing is at an all-time high, and HTTPS phishing is at an all-time high (with direct correlation to Google and Mozilla’s UI change). Putting the word “Secure” in an address bar simply for having working SSL is making life easier for hackers and cybercriminals. It is actively aiding them in their malfeasance. That’s just a fact.

And it’s a problem because you don’t know who is on the other end of that connection. Secure doesn’t mean safe in the context of the internet. But in the context of an internet user’s mind, those two words can equate. And that’s a huge problem for the current UI.

Case in point, today’s example. German internet users are being told they have to go patch, they have to go patch. This site looks legitimate, and now, because it says “Secure,” more people than normally would are just going to trust it.

How is this in the best interest of the user?

(It’s not).

 


Author

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.