FBI warns users to be wary of phishing sites abusing HTTPS

July 17, 2019
phishing sites


HTTPS green padlock symbol may no longer indicate secured connection.


Analysis on phishing sites

  • There has been a steady increase in threat actors’ use of SSL certificates to add an air of legitimacy to malicious websites. Since 2017 almost a third of phishing sites had SSL certificates, meaning their URLs began with HTTPS:// and (most) browsers displayed the all-important padlock symbol.
  • These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure.
  • Known vulnerability break the encryption and read or steal sensitive communications, including passwords, credit card, trade secrets, or financial data.
  • At the time of public disclosure on March 2016, our measurements indicated 33% of all HTTPS servers were vulnerable to the attack. Fortunately, the vulnerability is much less prevalent now. As of 2019, SSL Labs estimates that 1.2% of HTTPS servers are vulnerable.
  • Possbile target are websites, mail servers, and other TLS-dependent services.
  • Server vulnerability employing SSLv2 connections is common for misconfiguration and inappropriate default setting, other private key in used on other server that allows SSLv2 connection, even for another protocol and organization reuse the same certificate and key on their web and email servers.


Conclusion and Recommendation

  • People can carry out additional checks for trustworthiness, beyond looking for a padlock, such as checking for poor grammar, punctuation and spelling, or odd requests for information.
  • Phishing attackers are more frequently incorporating website certificates – third-party verification that a site is secure – when they send potential victims emails that imitate trustworthy companies or email contacts.
  • Do not simply trust the name on an email: question the intent of the email content.
  • If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
  • Check for misspellings or wrong domains within a link.
  • Do not trust a website just because it has a lock icon or “https” in the browser address bar.
  • We’d add that users should be wary of any link that arrives in an email and defend themselves from losing credentials by turning on multi-factor authentication (2FA) everywhere it’s offered.
  • It’s also a good idea to use a desktop password manager which checks the validity of domains before offering to autofill credentials. If it doesn’t present credentials, that could be a giveaway that something isn’t right about a site.
About the author

Leave a Reply