
Published on June 11th, 2019


FBI warns that hackers are using secure websites to trick users


The U.S. Federal Bureau of Investigation today issued a warning that “cyber actors” are exploiting “secure” websites in phishing campaigns.

The public service announcement warned that those running phishing sites are now using Hypertext Transfer Protocol Secure sites, that is, sites whose addresses start with https://, complete with a security certificate, to trick users into believing the sites are legitimate.

“Cybersecurity training has focused on encouraging people to look for the lock icon that appears in the web browser address bar on these secure sites,” the FBI explained.

It said cybercriminals are banking on the public’s trust in ‘https’ and the lock icon. “They are more frequently incorporating website certificates — third-party verification that a site is secure — when they send potential victims emails that imitate trustworthy companies or email contacts,” the announcement added.

The tactic isn’t new. A study in November found nearly half of all phishing sites now deploy Secure Sockets Layer protection complete with a padlock icon in the browser bar in an attempt to give people a false sense of protection.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi Inc., told SiliconANGLE that the FBI’s warning is timely. “When attackers abuse TLS keys and certificates to take over these padlocks, they are able to make phishing attacks far more effective,” he said.

Mehul Patel, director of product marketing at Menlo Security Inc., noted that the announcement shows how attackers are continuously improving their techniques.

“The methods users have been leveraging to avoid phishing attacks are proving to be ineffective,” Patel said. “Rather than trying, and failing, to distinguish between safe and malicious email links and websites, enterprises should be isolating their web browsers to completely avoid any chance at exposing sensitive personal information. With internet activity being executed away from the users’ devices and the ability to turn websites to read-only, there’s never a risk of malware through phishing attacks.”

Craig Young, computer security researcher for Tripwire Inc.’s vulnerability and exposure research team, said there’s still no solid solution for helping the general public avoid the problem.

“In the long run, the best available solution to this problem is probably the use of newer standards like WebAuthn to prevent naïve users from inadvertently divulging site credentials to a phisher,” he said.
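Why WebAuthn resists the HTTPS-padlock trick, as an added example that is not part of the original article: the browser writes the calling page's origin into clientDataJSON and the authenticator hashes the relying party's ID into authenticatorData, so a look-alike HTTPS phishing page cannot produce an assertion the real site will accept. The RP ID, origin and the phishing domain examp1e.com are constructed values; signature verification with the stored public key is the separate final step and is not shown.

```python
import base64
import hashlib
import json
import secrets

# Constructed values: the relying party's real RP ID and origin.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"
FLAG_USER_PRESENT = 0x01


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as a browser builds it for navigator.credentials.get().
    The browser fills in 'origin' from the page that made the call, so a
    phishing page can only ever get its own origin in here."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str) -> bytes:
    """rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_id_hash + bytes([FLAG_USER_PRESENT]) + (1).to_bytes(4, "big")


def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks that make the credential origin-bound (WebAuthn
    assertion verification steps); the signature check over
    auth_data || sha256(client_data) would follow these."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not auth_data[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    # Genuine login from the real site, then the same challenge relayed via a look-alike HTTPS page.
    print(verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge), make_authenticator_data(RP_ID), challenge))
    print(verify_assertion(make_client_data("https://examp1e.com", challenge), make_authenticator_data("examp1e.com"), challenge))
```

The second call fails on the origin check before any signature is even considered, which is the property a padlock on a phishing site cannot defeat.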

Image: Santeri Viinamäki/Wikimedia Commons
