FBI warns users to be wary of phishing sites abusing HTTPS

Would you trust a website simply because the connection to it is secured using HTTPS backed by the green padlock symbol?

Not if you’re informed enough to understand what HTTPS signifies (an encrypted, secure connection with a server) and doesn’t signify (that the server is therefore legitimate).

This week the FBI issued a warning that too many web users view the padlock symbol and the ‘S’ on the end of HTTP as a tacit guarantee that a site is trustworthy.

Given how easy it is to get hold of a valid TLS certificate for nothing, as well as the possibility that a legitimate site has been hijacked, this assumption has become increasingly dangerous.

Unfortunately, cybercriminals have spotted the confusion about HTTPS, which accounts for the growing number of phishing attacks deploying it to catch people off guard. The FBI alert confirms:

They [phishing attackers] are more frequently incorporating website certificates – third-party verification that a site is secure – when they send potential victims emails that imitate trustworthy companies or email contacts.

How we got here

Today, all competently managed websites use HTTPS, a big change from even a handful of years ago when its use was limited overwhelmingly to sites either allowing password login or conducting transactions as required by the industry PCI-DSS card standard.

What supercharged the use of SSL/TLS certificates and HTTPS was Google’s insistence from 2015 that its presence would become a positive signal for its search engine algorithms.

Suddenly, not having an HTTPS site became a negative. In 2018, Google’s Chrome and many other big-name browsers including Firefox and Edge started dropping even more forthright hints by marking non-HTTPS sites as ‘not secure’ in the address bar.

Website owners got the message and so, in a mangled way, did web users – HTTPS was henceforth good and the lack of it at best lazy and perhaps even downright bad.

Predictably, criminals took the hint, which explains the surge of phishing sites that started using HTTPS in their domains around 2017.

That’s the frustrating thing about the FBI’s latest warning – criminals laundering their sites using the cover of HTTPS is nothing new. Two years on from those early red flags and the problem has simply got worse.

One could argue that the confusion is a problem of the industry’s making because it spent years pushing the idea of the security benefits of HTTPS without properly explaining its limits.

The worry now is that attackers are moving beyond this crude ruse and are on to abusing domains backed by legitimate certificates.

Only days ago, security company AppRiver documented how attackers have started abusing Microsoft Azure’s Custom Domain Name registrations to host what are, in effect, fully credentialled phishing sites.

It’s important to make clear that HTTPS remains a good thing because it secures traffic from prying eyes. It’s simply that, as with the related problem of rogue VPNs, the presence of an encrypted connection should not be understood as a security guarantee on its own.

Beating the phishers

Beyond not blindly trusting HTTPS domains, the FBI recommends checking for misspellings in domain names.

We’d add that users should be wary of any link that arrives in an email and defend themselves from losing credentials by turning on multi-factor authentication (2FA) everywhere it’s offered.

It’s also a good idea to use a desktop password manager which checks the validity of domains before offering to autofill credentials. If it doesn’t present credentials, that could be a giveaway that something isn’t right about a site.