Naked Security

FBI warns users to be wary of phishing sites abusing HTTPS

Why you shouldn't trust a website simply because it's secured using HTTPS and backed by the green padlock symbol.

Would you trust a website simply because the connection to it is secured using HTTPS backed by the green padlock symbol?

Not if you’re informed enough to understand what HTTPS signifies (an encrypted, secure connection with a server) and doesn’t signify (that the server is therefore legitimate).

This week the FBI issued a warning that too many web users view the padlock symbol and the ‘S’ on the end of HTTP as a tacit guarantee that a site is trustworthy.

Given how easy it is to get hold of a valid TLS certificate for nothing, as well as the possibility that a legitimate site has been hijacked, this assumption has become increasingly dangerous.

Unfortunately, cybercriminals have spotted the confusion about HTTPS, which accounts for the growing number of phishing attacks deploying it to catch people off guard. The FBI alert confirms:

They [phishing attackers] are more frequently incorporating website certificates – third-party verification that a site is secure – when they send potential victims emails that imitate trustworthy companies or email contacts.

How we got here

Today, all competently managed websites use HTTPS, a big change from even a handful of years ago, when its use was limited overwhelmingly to sites that either allowed password login or handled card transactions, as the industry PCI-DSS card standard requires.

What supercharged the use of SSL/TLS certificates and HTTPS was Google’s decision, from 2015, to treat its presence as a positive signal in its search ranking algorithms.

Suddenly, not having an HTTPS site became a negative. In 2018, Google’s Chrome and many other big-name browsers including Firefox and Edge started dropping even more forthright hints by marking non-HTTPS sites as ‘not secure’ in the address bar.

Website owners got the message and so, in a mangled way, did web users – HTTPS was henceforth good and the lack of it at best lazy and perhaps even downright bad.

Predictably, criminals took the hint too, which explains the surge of phishing sites served over HTTPS from around 2017.

That’s the frustrating thing about the FBI’s latest warning – criminals laundering their sites using the cover of HTTPS is nothing new. Two years on from those early red flags, the problem has simply got worse.

One could argue that the confusion is a problem of the industry’s making because it spent years pushing the idea of the security benefits of HTTPS without properly explaining its limits.

The worry now is that attackers are moving beyond this crude ruse and are on to abusing domains backed by legitimate certificates.

Only days ago, security company AppRiver documented how attackers have started abusing Microsoft Azure’s Custom Domain Name registrations to host what are, in effect, fully credentialled phishing sites.

It’s important to make clear that HTTPS remains a good thing because it secures traffic from prying eyes. It’s simply that, as with the related problem of rogue VPNs, the presence of an encrypted connection should not be understood as a security guarantee on its own.

Beating the phishers

Beyond not blindly trusting HTTPS domains, the FBI recommends checking for misspellings in domain names.

We’d add that users should be wary of any link that arrives in an email and defend themselves from losing credentials by turning on multi-factor authentication (2FA) everywhere it’s offered.

It’s also a good idea to use a desktop password manager, which only offers saved credentials on the domain they were saved for. If it doesn’t present credentials on a login page where you would expect it to, that could be a giveaway that something isn’t right about the site.
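The reason a password manager is a useful phishing check is the one the article gives: the manager knows which genuine domains you have saved, so a lookalike domain (a misspelling, a Cyrillic letter swapped in, or the real hostname buried inside a longer attacker-controlled one) gets no autofill no matter how valid its certificate is. The following is an added example written for this page, not code from any password manager product named here; it models a cautious autofill policy over a constructed vault, with hypothetical function names and an approximation of real managers' domain matching (exact host or its subdomains).

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample vault (not real credentials): entries are keyed by the
# exact hostname the user originally saved them for.
VAULT = {
    "accounts.example.com": {"user": "alice", "password": "example-only-1"},
    "bank.example.org": {"user": "alice", "password": "example-only-2"},
}


def normalize_host(url):
    """Return the lowercase, Unicode-normalized hostname of url, or None."""
    host = urlsplit(url).hostname  # urlsplit already lowercases the host
    if not host:
        return None
    return unicodedata.normalize("NFKC", host).rstrip(".")


def find_saved_host(host):
    """Return the saved host that host equals or is a subdomain of, or None.

    This approximates how real managers match on the registrable domain:
    www.accounts.example.com matches accounts.example.com, but
    accounts.example.com.evil.example does not, because the saved host is
    not its suffix.
    """
    for saved in VAULT:
        if host == saved or host.endswith("." + saved):
            return saved
    return None


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookup_credentials(url):
    """Offer saved credentials only for a matching host over HTTPS.

    The padlock proves nothing about legitimacy, so the HTTPS check is a
    floor, not a trust decision; the decision is the match against hosts the
    user has already saved.
    """
    if urlsplit(url).scheme != "https":
        return None
    host = normalize_host(url)
    if host is None:
        return None
    saved = find_saved_host(host)
    return VAULT[saved] if saved else None


def lookalike_of(url, max_distance=2):
    """Name the saved host this URL's host resembles without matching, or None.

    Two lookalike patterns are flagged: a saved host embedded inside a longer
    one (accounts.example.com.evil.example) and a near-miss spelling within
    max_distance edits (acounts.example.com, bank-example.org, or a Cyrillic
    letter standing in for a Latin one).
    """
    host = normalize_host(url)
    if host is None or find_saved_host(host) is not None:
        return None
    best = None
    for saved in VAULT:
        if saved in host:
            return saved
        distance = edit_distance(host, saved)
        if distance <= max_distance and (best is None or distance < best[1]):
            best = (saved, distance)
    return best[0] if best else None


def assess(url):
    """Return the verdict a cautious autofill policy would reach for url."""
    if urlsplit(url).scheme != "https":
        return "no autofill: connection is not HTTPS"
    if lookup_credentials(url) is not None:
        return "autofill"
    suspect = lookalike_of(url)
    if suspect is not None:
        return "warn: resembles saved site " + suspect
    return "no credentials saved for this site"


if __name__ == "__main__":
    # Constructed URLs; every domain here is a reserved example name.
    for url in [
        "https://accounts.example.com/login",
        "https://www.accounts.example.com/login",
        "http://accounts.example.com/login",
        "https://acounts.example.com/login",
        "https://accounts.example.com.evil.example/login",
        "https://bank-example.org/",
        "https://b\u0430nk.example.org/",  # Cyrillic 'а' in place of Latin 'a'
        "https://unrelated.example.net/",
    ]:
        print(f"{url:52} -> {assess(url)}")
```

The useful property is the one the comments below point out: the manager never has to decide whether a site is genuine in general, only whether it is one of the handful of sites the user has already saved, which is a far easier and more reliable question than the live page inspection a browser would have to perform.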

7 Comments

It would have been very helpful to have a link for those who wished to follow up on “It’s also a good idea to use a desktop password manager which checks the validity of domains…”

Popular password managers include 1Password, LastPass, Dashlane and KeePass. They all do the job although personally I’d recommend the extra security that comes with a paid subscription.

KeePass for desktop and Keepass2Android for mobiles are good password managers. Free and open source.

The same goes for a commercial in the Netherlands stating that a website ending in .shop would be safe. Nothing could be further from the truth.

Correct me if I’m wrong: not sure if just having a password manager might help in this situation. Not every netizen knows how to use a password manager effectively. If a naive user registers/logs into a malicious HTTPS website, it should be the browser’s responsibility to perform some kind of live reputation lookup against the URL, or a basic inspection of the downloaded page within a use-and-throw sandbox.

Most browsers do perform some kind of reputation lookup on the URL, but like any blocklist, it’s reactive. Somebody or something has to spot the malice and report it.

The web being what it is, it’s very easy for attackers to produce exact replicas of the sites they’re masquerading as, so an inspection of the page would probably result in so many false positives (the browser saying phishing sites don’t look like phishing sites) that such a system would quickly fall out of trust.

The advantage of doing it via a password manager is it knows *which* genuine domains you have in your database. This seems much simpler than asking browsers to decide what is and isn’t a genuine website, a nigh on impossible task if you consider how many of those there are and how often they change.
