
How Censys Search Helps Prevent Phishing Attacks by Monitoring SSL/TLS Certificates

Even with advances in AI, old-school cyber threats still loom large. The longer a tactic has been in play, the longer attackers have had to refine it. Phishing remains one of the most prevalent threats, and AI has only made social-engineering lures more convincing and easier to produce at scale. In short, despite time and technology, phishing is still capable of wreaking havoc.

According to research by Proofpoint, 71% of organizations were victims of phishing attacks in the last year, with the consequences of successful attacks including loss of data and IP (33%), ransomware infection (32%), and financial penalties (22%). And while phishing is most commonly delivered over email, one overlooked yet critical aspect of phishing prevention is the management and monitoring of SSL/TLS certificates.

The connection between phishing attacks and SSL/TLS certificates lies in the role these certificates play in establishing trust and secure communication online. Attackers exploit weaknesses in SSL/TLS certificates, their mismanagement, or users’ misplaced trust in them to carry out phishing attacks.

Establishing Trust Through SSL/TLS Certificates

SSL/TLS certificates bind a server’s public key to its domain name, so that a browser can authenticate the site it is talking to and then encrypt the traffic between the user and the server. When users see the padlock icon or “HTTPS” in their browser’s address bar, they often assume the website is safe and legitimate.

Phishers exploit this trust in two ways:

  • Obtaining Certificates for Fake Sites: Attackers can obtain valid SSL/TLS certificates for phishing websites that mimic legitimate ones. Domain-validated certificates only prove control of the domain in question, not who the applicant is or what the site will be used for, so an attacker who registers a lookalike domain can get a browser-trusted certificate for it, often for free and within minutes.
  • Relying on Misplaced User Trust: Many users believe that the presence of a padlock guarantees the legitimacy of a site, but it only indicates that the connection is encrypted and that the certificate matches the domain shown in the address bar, not that the domain belongs to the organization the user thinks it does.

Exploiting Expired or Misconfigured Certificates

Organizations that fail to properly manage their SSL/TLS certificates can unintentionally aid phishing attacks:

  • Expired Certificates: If a legitimate website’s SSL/TLS certificate expires and is not renewed, browsers show a warning on every visit. Users who get used to clicking through such warnings are easier to lure to a phishing site impersonating the domain, because a warning no longer signals to them that something is wrong.
  • Misconfigured Certificates and TLS Settings: Weak configurations, such as deprecated protocol versions, weak cipher suites, or a missing HSTS policy, open the door to downgrade attacks (e.g., POODLE) and SSL stripping, in which an attacker keeps the victim on plain HTTP. These weaknesses let phishers intercept traffic or tamper with what should have been a secure connection.

Using Rogue or Compromised Certificate Authorities (CAs)

Phishers can leverage compromised or rogue CAs to issue valid SSL/TLS certificates for fraudulent domains, or even for a legitimate domain they do not control. These certificates make phishing websites appear authentic, even to cautious users who verify the presence of HTTPS. Certificate Transparency logs, which publicly record certificates from trusted CAs as they are issued, are what make such mis-issuance detectable; watching them for certificates that name your domains is the practical countermeasure.

Phishing as an Attack Vector

In phishing campaigns, attackers frequently use domain names and SSL/TLS certificates that closely resemble legitimate ones. For example:

  • Homograph and Lookalike Domains: Attackers register domains whose names look like the legitimate one, substituting characters that render similarly (e.g., “rn” for “m”, or Cyrillic letters for their Latin lookalikes in an internationalized domain name). Combined with a valid SSL/TLS certificate, these fake domains can easily deceive users.
  • Man-in-the-Middle (MITM) Phishing: Attackers position themselves between the user and the legitimate website, intercepting credentials, session tokens, or other sensitive data. This can involve exploiting SSL/TLS weaknesses, but more often the phishing site simply reverse-proxies the real site from a lookalike domain that carries its own valid certificate, so the victim never sees a certificate error.

Without proper monitoring, organizations may inadvertently expose themselves to these risks.
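As an added example (not part of the original post, and not Censys code), here is the kind of lookalike check a monitoring job could run over the names found in newly issued certificates for a brand such as “acme”. The brand, the owned-domain list and the sample names are constructed for illustration. The check decodes punycode, applies Unicode normalization, maps a handful of Cyrillic confusables to their Latin lookalikes, collapses ASCII substitutions like “rn” for “m”, and finally applies a one-edit typosquat test, which goes slightly beyond the two substitutions mentioned in the text.

```python
"""Flag certificate names that impersonate a protected brand.

Added example, not from the original post. Brand, owned domains and the
sample names are constructed for illustration.
"""
import unicodedata

BRAND = "acme"                               # hypothetical brand from the post
OWNED_DOMAINS = {"acme.com", "acme.net"}     # assumed: domains we really own

# ASCII substitutions seen in lookalike domains; multi-character entries
# are applied before single characters so "rn" becomes "m" first.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
}
# Cyrillic letters that render like Latin a e o p c y x i j.
CYRILLIC_TO_LATIN = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456\u0458", "aeopcyxij")


def normalise_label(label: str) -> str:
    """Reduce one DNS label to the skeleton a lookalike shares with the brand."""
    try:
        label = label.encode("ascii").decode("idna")   # xn--... -> Unicode
    except UnicodeError:
        pass                                            # already Unicode
    label = unicodedata.normalize("NFKD", label)        # fullwidth, ligatures
    label = "".join(c for c in label if not unicodedata.combining(c))  # accents
    label = label.translate(CYRILLIC_TO_LATIN).lower()
    for bad, good in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(bad, good)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for typosquats such as "acmee" or "acne"."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label (simplification: no public-suffix list is consulted)."""
    parts = host.strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_verdict(name: str, brand: str = BRAND, owned=OWNED_DOMAINS):
    """Return why `name` looks like an impersonation of `brand`, or None."""
    host = name.lower().lstrip("*.")                   # wildcard cert names
    if any(host == d or host.endswith("." + d) for d in owned):
        return None                                    # our own infrastructure
    label = registrable_label(host)
    skeleton = normalise_label(label)
    if skeleton == brand:
        return "brand-label"      # the brand itself, or a homograph of it
    if brand in skeleton.split("-"):
        return "brand-embedded"   # acme-login, secure-acme
    if len(brand) >= 4 and edit_distance(skeleton, brand) == 1:
        return "typosquat"
    return None


def scan(names):
    """Map each suspicious name to its verdict; clean names are omitted."""
    return {n: v for n in names if (v := lookalike_verdict(n)) is not None}


# Constructed sample of names as they might appear in certificate records.
SAMPLE_NAMES = [
    "login.acme.com",                                    # ours
    "*.acme.net",                                        # ours (wildcard)
    "acrne.com",                                         # rn -> m
    "\u0430cme.com".encode("idna").decode("ascii"),      # punycode (xn--cme-...) of a Cyrillic-a homograph
    "acme-login.net",                                    # brand embedded in the label
    "acmee.com",                                         # one-edit typosquat
    "pacmedia.com",                                      # contains "acme" but is not a lookalike
    "example.org",
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_NAMES).items():
        print(f"{verdict:15} {name}")
```

The registrable-label step is a deliberate simplification; a production check would consult the public suffix list so that names under multi-label suffixes such as co.uk are split correctly.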

Preventing Phishing with Proactive Certificate Management

Censys Search provides organizations with unparalleled visibility into SSL/TLS certificates across the internet. With the world’s largest database of X.509 certificates—housing over 17 billion certificates and growing—Censys empowers security teams to identify and address vulnerabilities before they are exploited.

Censys Search can help mitigate phishing risks by:

  • Tracking Expired or Misconfigured Certificates: Censys allows organizations to proactively monitor their SSL/TLS certificates. By identifying expired or misconfigured certificates, security teams can act quickly to update or replace them, preventing attackers from exploiting these weaknesses.
  • Identifying Certificate Authorities (CAs): By providing detailed insights into the CAs used by an organization, Censys helps ensure that only trusted CAs issue certificates for its domains. This reduces the risk of attackers using rogue CAs to generate malicious certificates.
  • Ensuring Certificate Security: Security teams can use Censys to verify that all certificates meet current best practices for encryption and configuration. This minimizes vulnerabilities like those exploited by older attack techniques (e.g., SSL stripping or POODLE).

Real-Life Example: How to Run a Censys Search Query for SSL/TLS Certificates

Let’s take a look at how Censys can help find expired certificates tied to your organization. We start with a query that uses a regular expression (regex) to match certificate and host names containing the organization’s name across several fields. In this hypothetical, your organization’s name is ACME. Note that the “.” after acme in the pattern is unescaped, so it matches any character, and the surrounding “(.*)” groups make this a substring match: the query will also return unrelated names that merely contain “acme”. Escaping the dot and anchoring the brand on label boundaries tightens the match considerably.

((services.tls.certificate.names=/(.*)acme.(.*)/ or name=/(.*)acme.(.*)/
or dns.names=/(.*)acme.(.*)/ or dns.reverse_dns.names=/(.*)acme.(.*)/))

From here, we can add a clause on the validity period of the returned certificates. The query below asks for a validity length of zero. Keep in mind what that field means: validity_period.length_seconds is the length of the validity window fixed at issuance (notAfter minus notBefore), so it does not shrink as the certificate ages, and a value of 0 matches only certificates whose notBefore equals their notAfter, not certificates that have since expired. To find certificates that are already expired, compare the sibling validity_period.not_after field against today’s date instead.

((services.tls.certificate.names=/(.*)acme.(.*)/ or name=/(.*)acme.(.*)/ or
dns.names=/(.*)acme.(.*)/ or dns.reverse_dns.names=/(.*)acme.(.*)/)) and
services.tls.certificate.parsed.validity_period.length_seconds=0

This narrows the results to certificates with ACME names and a zero-length validity window. We can look further still: which certificate issuers are you using? Add a clause that excludes certificates from your approved issuer, Let’s Encrypt in this hypothetical, so that whatever remains was issued by a CA you did not expect. The clause matches the token “encrypt” in the issuer organization, so it is a loose match and will also exclude any other issuer whose organization name contains that word.

(((services.tls.certificate.names=/(.*)acme.(.*)/ or name=/(.*)acme.(.*)/
or dns.names=/(.*)acme.(.*)/ or dns.reverse_dns.names=/(.*)acme.(.*)/) and
(services.tls.certificate.parsed.validity_period.length_seconds=0) and
not (services.tls.certificate.parsed.issuer.organization: encrypt)))

With just three queries, we’ve now successfully narrowed down 20 terabytes of certificate data into the small handful of relevant certificates.
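As an added example, not code from the original post or from Censys, here is how the same three filters would be applied in Python to certificate records already retrieved from a search. The record shape borrows the field names used in the queries above (names, parsed.validity_period, parsed.issuer.organization) and adds an assumed parsed.validity_period.not_after timestamp and a fingerprint_sha256 identifier; the four records, the issuer allowlist and the reference date are all constructed for illustration. It tightens the name regex so that the dot is escaped and “acme” must be a whole label (or a hyphenated part of one), decides expiry from not_after rather than length_seconds, and reports issuers outside the allowlist.

```python
"""Triage certificate records for an organization's names.

Added example, not from the original post or from Censys. Record shape,
allowlist, reference date and sample data are constructed for illustration.
"""
import re
from datetime import datetime, timezone

APPROVED_ISSUERS = {"Let's Encrypt"}                  # assumed allowlist from the post
AS_OF = datetime(2025, 1, 15, tzinfo=timezone.utc)    # constructed reference date


def name_regex(brand: str) -> re.Pattern:
    """Match `brand` as a whole DNS label or a hyphenated part of one.

    The post's /(.*)acme.(.*)/ leaves the dot unescaped (it matches any
    character) and is a substring match, so it also returns names such as
    pacmedia.com. Escaping the brand and anchoring on '.' or '-' avoids that.
    """
    return re.compile(rf"(^|[.-]){re.escape(brand)}([.-]|$)", re.IGNORECASE)


def matching_names(cert: dict, pattern: re.Pattern) -> list:
    """Names on the certificate that belong to the brand (wildcards stripped)."""
    return [n for n in cert["names"] if pattern.search(n.lstrip("*."))]


def is_expired(cert: dict, now: datetime = AS_OF) -> bool:
    """Expiry follows from not_after. validity_period.length_seconds is the
    window length fixed at issuance (not_after minus not_before); it never
    counts down, so length_seconds=0 does not mean "expired"."""
    raw = cert["parsed"]["validity_period"]["not_after"]
    not_after = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    return not_after < now


def issuer_orgs(cert: dict) -> list:
    """Issuer organization names (modelled as a list, as in the query field)."""
    return cert["parsed"]["issuer"].get("organization", [])


def triage(certs, brand: str, now: datetime = AS_OF, approved=APPROVED_ISSUERS):
    """Return (fingerprint, matching names, issues) for each problem cert."""
    pattern = name_regex(brand)
    findings = []
    for cert in certs:
        names = matching_names(cert, pattern)
        if not names:
            continue                      # not one of ours
        issues = []
        if is_expired(cert, now):
            issues.append("expired")
        if not set(issuer_orgs(cert)) & approved:
            issues.append("unapproved issuer: " + ", ".join(issuer_orgs(cert)))
        if issues:
            findings.append((cert["fingerprint_sha256"], names, issues))
    return findings


def record(fp, names, org, not_before, not_after):
    """Build a constructed record in the shape the queries above refer to."""
    nb = datetime.fromisoformat(not_before.replace("Z", "+00:00"))
    na = datetime.fromisoformat(not_after.replace("Z", "+00:00"))
    return {
        "fingerprint_sha256": fp,          # placeholder, not a real fingerprint
        "names": names,
        "parsed": {
            "issuer": {"organization": [org]},
            "validity_period": {
                "not_before": not_before,
                "not_after": not_after,
                "length_seconds": int((na - nb).total_seconds()),
            },
        },
    }


# Constructed sample; fingerprints and the second issuer are placeholders.
SAMPLE_CERTS = [
    record("fp-a", ["login.acme.com"], "Let's Encrypt",
           "2024-12-01T00:00:00Z", "2025-03-01T00:00:00Z"),       # healthy
    record("fp-b", ["www.acme.com", "acme.com"], "Let's Encrypt",
           "2024-09-01T00:00:00Z", "2024-11-30T00:00:00Z"),       # expired
    record("fp-c", ["vpn.acme.com"], "Example Issuer Inc",
           "2024-10-01T00:00:00Z", "2025-09-30T00:00:00Z"),       # unexpected CA
    record("fp-d", ["pacmedia.com"], "Let's Encrypt",
           "2024-12-01T00:00:00Z", "2025-03-01T00:00:00Z"),       # not ours
]

if __name__ == "__main__":
    for fp, names, issues in triage(SAMPLE_CERTS, "acme"):
        print(fp, names, "; ".join(issues))
```

Run against the sample, the expired www.acme.com certificate is reported with a non-zero length_seconds, which is exactly why an expiry check has to look at not_after; pacmedia.com is dropped by the tightened regex even though it contains the substring “acme”.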

Staying Ahead of the Threat Landscape with Proactive Search

Censys offers plenty of other ways to query data to help expose potential vulnerabilities and reduce certificate-related security risks.

You can get in-depth insight into the many ways that Censys Search can help you stay ahead of adversaries and protect your organization from cyber threats. Whether you’re tracking malicious infrastructure, identifying vulnerable services, or monitoring third-party risk, our “Unleash the Power of Censys Search: A Hassle-Free Handbook for Cyber Heroes” can be your go-to resource. Download this comprehensive guide now to explore the proactive power of Censys in finding potential risks and strengthening your security posture.


About the Author

Marianne Chrisos
Content Marketing Manager
Marianne Chrisos is the Content Marketing Manager at Censys, and brings over a decade of experience in copywriting, research, and content strategy, with a focus on technology and cybersecurity industries. Having worked with leaders like Cisco and Gartner, she combines industry knowledge with strategic storytelling to help organizations navigate the evolving security landscape.
