The Federal Bureau of Investigation (FBI) is warning users to be on the lookout for phishing campaigns that leverage websites protected by HTTPS.
On 10 June, the FBI’s Internet Crime Complaint Center (IC3) issued a public service announcement about what it calls “HTTPS phishing.” These attacks largely function like other phishing operations in that they redirect users to unfamiliar URLs in an attempt to steal individuals’ login credentials, payment card details, personal data and other information. But these campaigns differ in that they use “HTTPS” and a lock icon in the address bar. Doing so helps lull users into a false sense of security so that they’ll feel safe enough to share their data.
The FBI’s announcement might make HTTPS phishing sound like a new attack technique. But it’s not. Venafi senior threat intelligence researcher Jing Xie explains:
“We know that bad actors are actively using TLS certificates to persuade Internet users to willingly click on malicious websites. For example, Venafi research recently discovered an explosion in the number of potentially fraudulent retail domains. All these malicious pages used a trusted TLS certificate in order to be compliant with browser standards to appear safe and trustworthy. This tactic effectively encourages online shoppers who could unknowingly provide sensitive account information and payment data.”
Even worse, recent research from PhishLabs suggests that digital attackers are increasingly using TLS certificates to incorporate HTTPS into their attacks. The digital security services provider found that fraudsters hosted 25 percent of phishing attacks on HTTPS domains near the end of 2017. Within a year, that percentage jumped up to 49 percent.
Attackers get these TLS certificates from a variety of sources. Some obtain newly issued TLS certificates for lookalike or typosquatting domains designed to impersonate legitimate web services. Others rely on stolen or otherwise abused SSL/TLS certificates.
This latter tactic makes sense to Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, given a recent scan of underground Internet marketplaces:
“We found definitive evidence of TLS certificates for sale on the dark web. While personal data like Social Security numbers can sell for as little as $1 on the dark web, SSL/TLS certificates that deliver high levels of trust routinely sell over a thousand dollars. These certificates allow attackers to disguise all kinds of malicious activities and remain undetected by most security controls.”
In response to these growing attacks, the FBI recommends in its announcement that users protect themselves by carefully scrutinizing suspicious emails based on their content, calling the sender to confirm that a suspicious email received from them is legitimate, checking emails for misspellings or wrong domains, and exercising caution around unfamiliar websites, even if they show “HTTPS” and the lock icon in the address bar. If users come across anything suspicious, the FBI encourages them to file a complaint with its IC3 at www.ic3.gov.
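As an added example (not from the FBI announcement or from Venafi), here is a defender-side check for the “wrong domains” advice above: it pulls the links out of a constructed email, folds common character substitutions, and flags typosquats and brand-as-subdomain hosts regardless of whether the link uses HTTPS. The watched domains, the confusable table, the sample message and the two-label registrable-domain rule are all assumptions.

```python
import re
from urllib.parse import urlparse
# Constructed watch-list of brand domains to protect (assumption, not from the page).
WATCHED_DOMAINS = {"example-bank.com", "example-shop.com"}
# Character substitutions commonly used in lookalike labels, folded before comparing.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed sample message: one genuine link and two HTTPS lookalikes (assumption).
SAMPLE_EMAIL = """Verify your account at https://examp1e-bank.com/verify within 24 hours,
or review the notice at https://www.example-bank.com/security. Backup link:
https://example-bank.com.secure-login.net/ (secure, padlock shown)."""

def normalise(label):  # fold confusables so 'examp1e-bank' compares as 'example-bank'
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label

def edit_distance(a, b):  # Levenshtein distance, classic row-by-row dynamic programme
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return why host looks like an impersonation of a watched domain, or None."""
    labels = host.lower().rstrip(".").split(".")
    registrable = ".".join(labels[-2:])  # assumption: last two labels; real code uses the PSL
    if len(labels) < 2 or registrable in WATCHED_DOMAINS:
        return None  # not a judgeable hostname, or the genuine brand host
    for brand in WATCHED_DOMAINS:
        brand_label = brand.split(".")[0]
        if brand_label in labels[:-2]:  # brand name buried in a subdomain of another domain
            return f"brand '{brand}' used as a subdomain of {registrable}"
        if edit_distance(normalise(labels[-2]), brand_label) <= 2:  # typosquat or homoglyph
            return f"lookalike of '{brand}'"
    return None

def scan_email(text):
    """One finding per suspicious link; the scheme is kept to show HTTPS earns no pass."""
    findings = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        reason = classify_host(parsed.hostname or "")
        if reason:
            findings.append({"url": url, "scheme": parsed.scheme, "reason": reason})
    return findings
```

Running `scan_email(SAMPLE_EMAIL)` returns two findings, both for `https://` links, while the genuine `www.example-bank.com` link passes.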
Beyond these measures, organizations can help stem the tide of HTTPS phishing by making sure their encryption keys and certificates are safe from attackers. The only way they can do this is by using a centralized machine identity protection solution to gain visibility over all of their certificates. This solution should, in turn, help monitor these encryption assets for signs of abuse.