Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Phishing

FBI Warns of HTTPS Abuse in Phishing Campaigns

Malicious actors are abusing users’ trust in the HTTPS protocol to launch phishing campaigns, the Federal Bureau of Investigation (FBI) warns in a recent alert. 

Malicious actors are abusing users’ trust in the HTTPS protocol to launch phishing campaigns, the Federal Bureau of Investigation (FBI) warns in a recent alert. 

For years, tech companies have been pushing toward the wide adoption of the HTTPS protocol, or Hypertext Transfer Protocol Secure, on the web, as it ensures that the communication between a website and the user’s browser is performed over a secure connection.  

Modern browsers mark websites that use the protocol with a lock icon to indicate that browser traffic is encrypted and that attackers can’t access the data in transit. More recently, they also started displaying warnings when a non-secure website is accessed. 

Adapting to these changes, phishers are adopting the HTTPS protocol in their campaigns as well, as it allows them to more successfully trick victims into believing that malicious emails or links they receive in their inboxes come from legitimate sources. 

“Unfortunately, cyber criminals are banking on the public’s trust of “https” and the lock icon. They are more frequently incorporating website certificates—third-party verification that a site is secure—when they send potential victims emails that imitate trustworthy companies or email contacts,” the FBI warns. 

Abusing users’ trust, these phishing schemes are attempting to acquire sensitive logins or other information by luring victims into accessing malicious websites that look secure. However, only the connection to these sites is secure, and the HTTPS protocol is in no way related to the content of the site too. 

To ensure they don’t fall to such phishing schemes, users should never simply trust the name on an email, but also question the intent of the email content, the FBI recommends. 

Moreover, users are advised to confirm the legitimacy of any received message whenever they receive an email with a link from a known contact, and should never reply directly to a suspicious email. Misspellings or wrong domains within a link should also be indicative of malicious intent. 

Advertisement. Scroll to continue reading.

“Do not trust a website just because it has a lock icon or “https” in the browser address bar,” the FBI underlines. 

Victims are advised to report information regarding suspicious or criminal activity to their local FBI field office, and to file a complaint on www.ic3.gov. Complaints related to such phishing schemes should include “HTTPS phishing” in the body of the complaint.

“This isn’t new; cyber criminals have been orchestrating these kinds of phishing campaigns for several years. In 2017, security researchers uncovered over 15,000 certificates containing the word ‘PayPal’ that were being used in attacks. Since then it’s become clear that bad actors have an entire supply chain in place on the Dark Web to get trustworthy TLS certificates to use in all kinds of malicious attacks,” Kevin Bocek, Vice President at identity protection provider Venafi, told SecurityWeek in an emailed comment. 

“Unfortunately, there is still no solid solution for empowering the general public to discern phishing or scam sites with 100% effectiveness. This is compounded by the fact that many organizations will send official email soliciting information on third-party domains thereby making it exceedingly difficult to know in some circumstances whether a site is legitimate,” Craig Young, security researcher for Tripwire, commented for SecurityWeek

Related: Number of Phishing Sites Using HTTPS Soars

Related: Cybercriminals Using GitHub to Host Phishing Kits

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Phishing

The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Fraud & Identity Theft

Famed hacker Kevin Mitnick has died after a battle with pancreatic cancer.  At the time of his death, he was Chief Hacking Officer at...

Cybercrime

Enterprise users have been warned that cybercriminals may be trying to phish their credentials by luring them with fake emails that appear to be...

Phishing

The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Cybercrime

A threat actor tracked as ‘Scattered Spider’ is targeting telecommunications and business process outsourcing (BPO) companies in an effort to gain access to mobile...

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...