The FBI has issued an alert warning users that "HTTPS" and a padlock icon in the address bar do not prove that a website is genuine: they show only that the connection is encrypted, not who is on the other end of it.
The latest Public Service Announcement from the bureau’s public-facing Internet Crime Complaint Center (IC3) revealed that cyber-criminals are increasingly abusing trust in TLS-secured websites to improve the success rate of phishing attacks.
“They are more frequently incorporating website certificates — third-party verification that a site is secure — when they send potential victims emails that imitate trustworthy companies or email contacts,” it warned.
“These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure.”
Corin Imai, senior security adviser at DomainTools, argued that the falling price of SSL/TLS certificates makes obtaining one a no-brainer for malicious webmasters.
“Thankfully, education is the single security measure that criminals can’t work around: an aware user, who has been trained to look for misspellings in the URL of a web page and knows not to trust a padlock icon, is much harder to lure into giving away personal information or clicking on malware-spreading links,” she added.
“Organizations should therefore invest in solid training programs, which cannot be limited to a one-day workshop on what a phishing scam looks like, but need to be continuous, thorough and impactful.”
To that end, the FBI urged users to go back to basics: do not click on links in suspicious-looking emails, and confirm with the sender directly, even when the contact is known, before acting on a request.
Attackers are also hosting malware on cloud services such as Azure, experts have noted, and benefit from the provider's HTTPS certificates indirectly: a page served from a provider-owned domain inherits the provider's valid certificate and shows the same padlock as any legitimate tenant's page.
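The following Python script is an added example, not code from the article, the FBI, or DomainTools. It turns the two points above into a check: a misspelled, homoglyph or brand-bearing domain is the tell, a valid certificate under a provider's shared domain proves nothing about the tenant, and the scheme is deliberately ignored so that "https" earns a link no credit. The trusted-domain list, the shared-hosting suffixes, the two-label public suffixes and the sample URLs are all assumptions constructed for illustration.

```python
"""Look-alike URL triage for phishing links.

Added example; not code from the article or from the FBI/IC3 or DomainTools.
The URL scheme is ignored, so https earns no credit; the verdict rests on
whether the registrable domain is a misspelling or homoglyph of a trusted
domain, smuggles a brand name into a subdomain, or sits under a shared cloud
hosting suffix whose certificate belongs to the provider.  Trusted domains,
hosting suffixes, public suffixes and sample URLs are all constructed for
illustration; a real deployment would use the Public Suffix List and the
organisation's own brand inventory.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "dropbox.com"}  # assumed list

# Two-label public suffixes this toy knows; the real list is far longer.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Shared hosting domains (assumed list): any tenant's page under them is
# served with the provider's valid certificate, so the padlock says nothing
# about who controls the content.
SHARED_HOSTING_SUFFIXES = {"blob.core.windows.net", "azurewebsites.net",
                           "s3.amazonaws.com", "web.app"}

# Characters often substituted because they resemble letters in many fonts.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label: str) -> str:
    """Fold homoglyphs so 'paypa1' and 'rnicrosoft' compare like the brand."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def split_host(host: str):
    """Return (subdomain labels, registrable domain) using the toy suffix table."""
    labels = host.lower().rstrip(".").split(".")
    suffix = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    cut = suffix + 1
    return labels[:-cut], ".".join(labels[-cut:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url: str):
    """Return a list of (finding, trusted domain or hosting suffix) pairs.

    An empty list means the registrable domain is a trusted one or matched
    nothing.  The scheme is never consulted: http and https score the same.
    """
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    subs, reg = split_host(host)
    if reg in TRUSTED_DOMAINS:
        return []  # the genuine registrable domain; nothing to flag
    findings = []
    for suffix in SHARED_HOSTING_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            findings.append(("shared-hosting", suffix))
    label = normalize(reg.split(".")[0])
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if label == brand:
            findings.append(("homoglyph-or-wrong-tld", trusted))
        elif edit_distance(label, brand) <= 1:
            findings.append(("misspelling", trusted))
        elif brand in label:
            findings.append(("brand-embedded", trusted))
        if any(brand in normalize(s) for s in subs):
            findings.append(("brand-as-subdomain", trusted))
    return findings


if __name__ == "__main__":
    # Constructed sample links; only the last one is what a real user would see
    # as a padlocked page on a well-known cloud provider's domain.
    for sample in ["https://www.paypal.com/signin",
                   "https://paypa1.com/signin",
                   "https://paypall.com/",
                   "https://www.paypal.com.account-verify.net/login",
                   "https://rnicrosoft.com/",
                   "https://dropbox-share.web.app/file"]:
        print(sample, "->", assess_url(sample) or "no finding")
```

The check looks only at the host, not the path, so a brand name placed after the slash (a common pattern on shared hosting) must be caught by the shared-hosting finding rather than by the brand checks. The one-character edit-distance threshold is deliberately tight; loosening it raises recall on typosquats at the cost of false positives on short brand names.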