FBI PSA – Exploiting Secure Websites in Phishing Campaigns

Traditional cyber security best-practices have encouraged users to look for both HTTPS and the lock icon in a browser bar to gauge the legitimacy of a website. The “s” in HTTPS stands for “secure”, and it indicates than an SSL (Secure Sockets Layer) certificate is in use on a web page. As we covered in a previous blog article, an SSL certificate serves to encrypt the transmission of data from a person’s computer to the web server where a website is hosted, enabling website visitors to safely share personally identifiable information (PII) on that site.

In this PSA, the FBI warns of cyber criminals’ recent increased reliance on the public’s trust of HTTPS and the lock icon as the sole indicators of a secure website. According to the PSA:

They [cyber criminals] are more frequently incorporating website certificates – third-party validation that a site is secure – when they send potential victims emails that imitate trustworthy companies or email contacts.

Thus, these malicious websites, which are introduced to users as clickable links in phishing emails, only appear to be secure. These types of cyber-attacks are most-often used to steal sensitive information, such as bank account information, usernames and passwords, and/or social security numbers. Hackers can also use a phishing email as the initiation point for a more long-term, sophisticated attack, also known as an advanced persistent threat (APT). In an APT, a hacker will send a phishing email to gain initial access to a network, later leveraging the employee who clicked on the nefarious link to bypass security perimeters and potentially distribute malware or access secure data.

How to Reduce the Likelihood of Becoming a Victim

With cyber criminals taking advantage of third-party validation to make malicious websites appear secure, the best way to reduce the risk of falling victim is to recognize the attack at its source – the phishing email containing the link to the site. The first safety precaution we recommend is to always double-check the sender address an email is originating from. Never reply directly to the suspicious email itself – instead, confirm with the sender via phone or by drafting a brand-new email to them. Additionally, be on the lookout for misspellings in the sender’s email address, as well as within the actual text of the email. Phishing emails will often have a variety of spelling and grammar issues, or strange, clunky-sounding language. Finally, review the domain of the sender’s email address. A domain error could be as obvious as a random string of special characters and numbers, or it could be as subtle as a shift to “.com” instead of “.gov.”

Looking Beyond the Browser Bar

This PSA teaches a good lesson about good cyber posture – an effective cybersecurity strategy should be well-rounded. As evidenced by this PSA, just looking for those two security identifiers within a website’s address bar is NOT enough to protect yourself from a malicious end-user. In fact, in a savvy move by cyber criminals, this overreliance is now being exploited to the detriment of unassuming users all over the world. With hackers continually evolving their techniques and advancing the sophistication of their attacks, it’s easy to feel overwhelmed about the state of your company’s security. Fortunately, we’re here to help.

Better Cyber Posture Starts with Your People

An effective cybersecurity strategy is a team effort, and it starts by making sure all your employees are on the same page. After all, your employees are the last line of defense when it comes to security. To keep your company secure, your team must understand the mechanisms of spam, phishing, malware, and social engineering and be able to apply this knowledge in their day-to-day jobs.