{
	"id": "7b6fc970-bdbf-4fdb-a2e0-79f6f2c08da5",
	"created_at": "2026-04-06T03:36:51.795015Z",
	"updated_at": "2026-04-10T03:24:29.532344Z",
	"deleted_at": null,
	"sha1_hash": "f4d47f556528648c6de5d0a7ce2560dc5b8cd473",
	"title": "Targeted SSL Stripping Attacks Are Real",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44782,
	"plain_text": "Targeted SSL Stripping Attacks Are Real\r\nBy bferrite\r\nPublished: 2016-03-07 · Archived: 2026-04-06 03:17:25 UTC\r\nHaving access to the Internet is critical for on-the-go professionals. So the convenience of open Wi-Fi hotspots\r\noften outweighs the risk that these connections may not be safe. Recently, a senior executive and Mobile Threat\r\nPrevention customer at a large financial company connected her iPad to a local hotspot while traveling for\r\nbusiness. But when she tried to access sensitive company information, she was blocked because her device was\r\nunder a targeted SSL stripping attack.\r\nSSL stripping attacks – defeating communication encryption\r\nIn order to understand what an SSL stripping attack is, we first need to understand what SSL really is. SSL\r\n(Secure Sockets Layer) is a secure protocol used to communicate sensitive information. This protocol is used when\r\nexchanging sensitive data such as banking information and email correspondence, for example. The protocol’s\r\nsecurity is established by creating an encrypted connection between two parties (usually a client application and a\r\nserver).\r\nBrowsers and web servers regularly use this protocol when a secure connection is needed. In most scenarios the\r\nfollowing events take place when establishing a secure connection:\r\n1. The user sends an unsecured HTTP request.\r\n2. The server answers via HTTP and redirects the user to a secure protocol (HTTPS).\r\n3. The user sends a secure HTTPS request, and the secure session begins.\r\nIn order to “strip” the SSL, an attacker intervenes in the redirection of the HTTP (regular unsecured protocol) to\r\nthe secure HTTPS protocol. The attacker will intercept a request from the user to the server. He will then continue\r\nto establish an HTTPS connection between himself and the server, and an unsecured HTTP connection with the\r\nuser, acting as a “bridge” between them. 
This means all information transferred over the unsecured HTTP\r\nconnection is exposed to EVERYONE in the network, including the attacker. Among the information at risk, one\r\ncan find the user’s credentials and sensitive business data.\r\nBack to the attack\r\nOne of the ways an attacker can intercept the user’s communications is by using hotspots. Many attackers\r\nestablish fake hotspots with names similar to legitimate hotspot names, for example, “Starbucks Coffee” instead\r\nof “Starbucks”. Unaware, the user connects to the malicious hotspot. Once the user tries to connect to the server,\r\nthe attacker uses his control over the hotspot and attacks the user.\r\nWhat’s interesting in the attack on the executive mentioned earlier is that the attacker targeted a specific user and\r\nnot all the users connected to the same hotspot. Two other company personnel who had the same protections were\r\nconnected to the same hotspot, yet they were not attacked. This is not a common course of action for cyber\r\ncriminals and may suggest the attacker had preliminary intelligence regarding his target. An attacker could\r\npossibly acquire such information by scanning a network to obtain connected devices’ details before initiating the\r\nattack.\r\nIn this case, the user was protected by the Check Point Mobile Threat Prevention solution and the attacker did not\r\nachieve his malicious intent. If he had succeeded he could have compromised web-based applications and apps\r\nwhich rely on web widgets when accessing personal and business information.  Our protection prevented valuable\r\nbusiness and personal information from being stolen. 
This case, like many others before it, emphasizes the reality\r\nof this type of threat and the need for protective security measures against it.\r\n Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research\r\nGroup. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software\r\nmarkets. Koriat holds a degree in linguistics from Bar Ilan University.\r\nSource: https://blog.checkpoint.com/research/targeted-ssl-stripping-attacks-are-real/amp/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.checkpoint.com/research/targeted-ssl-stripping-attacks-are-real/amp/"
	],
	"report_names": [
		"amp"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446611,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4d47f556528648c6de5d0a7ce2560dc5b8cd473.pdf",
		"text": "https://archive.orkl.eu/f4d47f556528648c6de5d0a7ce2560dc5b8cd473.txt",
		"img": "https://archive.orkl.eu/f4d47f556528648c6de5d0a7ce2560dc5b8cd473.jpg"
	}
}