Many phishing sites now feature HTTPS and green padlock, FBI warns
12 June 2019
The FBI has warned Internet users that they should not blindly trust websites with HTTPS certification and the green padlock as cyber criminals are increasingly using HTTPS in new phishing sites to assure users that such sites are safe to visit when they are actually not.
Domain-spoofing is among the most severe cyber threats of our time that affects organisations, governments, and individuals alike. The use of malicious URLs that mimic genuine ones not only helps criminals to obtain login details, personal and financial information of millions of people but also helps them in spreading fake news and disinformation to create panic and alarm.
The trick of domain-spoofing involves cyber criminals registering phishing sites that mimic the domains of popular and legitimate organisations and businesses and then making people enter their personal and financial information into these sites to steal such information.
The regularity with which cyber criminals resort to domain-spoofing can be gauged by the fact that in 2018 alone, HM Revenue and Customs (HMRC) removed as many as 20,750 malicious websites, many of which spoofed government sites, including HMRC itself, to defraud taxpayers into revealing their financial information.
One of the main indicators of a domain-spoofing website or a phishing site is its lack of security certification that indicates that information entered in the website can easily be viewed or stolen by third parties. Most websites that feature HTTP certification or lack the green padlock are said to be insecure or used by hackers to capture details of visitors.
Most phishing sites are now HTTPS certified
However, according to the FBI, this is not always the case. Internet users need to do more than just check the security certificate of a website to accurately determine if a website is legitimate or fake. This is because a large number of domain-spoofing and phishing sites now feature HTTPS certificates and green padlocks to make visitors believe that such sites are legitimate and information therein are securely encrypted.
“The presence of “https” and the lock icon are supposed to indicate the web traffic is encrypted and that visitors can share data safely. Unfortunately, cyber criminals are banking on the public’s trust of “https” and the lock icon.
“They are more frequently incorporating website certificates—third-party verification that a site is secure—when they send potential victims emails that imitate trustworthy companies or email contacts. These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure,” the FBI said in a public advisory.
It added that in order to spot phishing attacks, Internet users must verify sources of suspicious emails even if the senders are known to them and should also check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead). Most importantly, Internet users should not trust a website just because it has a lock icon or “https” in the browser address bar.
Low cost of SSL/TSL certificates helping cyber criminals
“Security professionals know that to any effort to stop cybercriminal operations is matched by an equally determined effort by threat actors to ensure their activities remain profitable and worthwhile. This is the case with https validation, which criminals have learnt to work around,” said Corin Imai, senior security advisor at DomainTools.
“With the prices of an SSL/TSL certificate dropping, a padlock on the address bar of a webpage is no longer an assurance that the user is connected to the server they expect, but rather that the website owner was willing to pay a price to look more legit.
“Thankfully, education is the single security measure against which criminals can’t work around: an aware user, who has been trained to look for misspellings in the URL of a webpage and knows not to trust a padlock icon, is much harder to lure into giving away personal information or clicking on malware-spreading links.
“Organisations should therefore invest in solid training programmes, which cannot be limited to a one-day workshop on what a phishing scam looks like, but need to be continuous, thorough and impactful. As we run war games to prepare soldiers to the scenarios they will encounter on the battlefield, we should start thinking about security drills and mock cyberattacks to prepare the workforce to what is now a form of war in its own right,” she added.