Here at thethreatreport.com, we always urge our readers to check the address bar of their browser for the “closed padlock” icon before logging in to any web service account, whatever it may be. The encryption protocol used remains, practically speaking, unbreakable even with today’s binary supercomputers. However, this age-old yet pretty effective security advice may have reached its end, as the FBI (Federal Bureau of Investigation) has disclosed that cybercriminals have for the longest time also been using encrypted websites for their operations. This means that seeing a closed padlock icon in the address bar is not enough proof that the website’s operations are legitimate.
This is a major shake-up of the long-established understanding that only legitimate businesses and the public sector can acquire a genuine digital certificate. TLS certificates anchor their legitimacy in the reputation of the issuing Certificate Authority, the entity that guarantees that website X is operated by a legal personality named X. In fact, the encryption standard for the whole world wide web is anchored in the public’s trust in the reputation of the Certificate Authority that issued the digital certificate. One example of a Certificate Authority that totally lost the public’s trust was Symantec CA. Its infrastructure was bought out by DigiCert, since Symantec could no longer operate as a CA once the public lost trust in its certificates, with the major browsers from Mozilla, Google, Microsoft, and Apple removing Symantec CA as a trusted Certificate Authority.
“The presence of ‘https’ and the lock icon are supposed to indicate the web traffic is encrypted and that visitors can share data safely. Unfortunately, cybercriminals are banking on the public’s trust of “https” and the lock icon. They are more frequently incorporating website certificates—third-party verification that a site is secure—when they send potential victims emails that imitate trustworthy companies or email contacts,” the FBI explained in its official press statement.
Phishing websites cannot operate with plain http today, as the major browser vendors flag any page that contains a form if it is served over http only. This behavior is consistent across browsers, because it is not safe to enter information into a form if there is no encryption. With that change in browser behavior, phishers themselves buy digital certificates using made-up information. As Certificate Authorities are also businesses, some of them do not perform enough background checks before selling a digital certificate to an entity.
“These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure. Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead). Do not trust a website just because it has a lock icon or “https” in the browser address bar,” the FBI concluded.
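The two checks above (what the certificate actually asserts about the site operator, and whether the domain is the one you meant) can be scripted on the defender side. The following is an added example written for this article, not code from the FBI or from thethreatreport.com; it uses only the Python standard library, and the allow-list of trusted domains and the certificate dictionaries (in the shape `ssl.getpeercert()` returns) are constructed for illustration.

```python
"""Defender-side checks: the padlock proves encryption, not identity.
Check (1) whether the certificate names an organisation at all and
(2) whether the hostname is a trusted domain or a lookalike of one."""
from urllib.parse import urlsplit

# Constructed allow-list: the domains a user actually intends to visit.
TRUSTED_DOMAINS = {"irs.gov", "example-bank.com"}

def cert_identity_level(cert: dict) -> tuple:
    """Classify a certificate dict shaped like ssl.getpeercert() output.
    A domain-validated (DV) certificate carries only a commonName: it proves
    control of the hostname, not who operates the site. Returns
    ("OV/EV", organisation) or ("DV", None)."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    org = subject.get("organizationName")
    return ("OV/EV", org) if org else ("DV", None)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', a lookalike warning, or 'unknown' for a URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "trusted"
    labels = host.split(".")
    if len(labels) < 2:
        return "unknown"
    for t in trusted:
        t_sld, t_tld = t.rsplit(".", 1)
        if labels[-2] == t_sld and labels[-1] != t_tld:
            return f"wrong TLD: looks like {t}"          # irs.com for irs.gov
        if t_sld in labels[:-2]:
            return f"trusted name embedded in another domain: {t}"
        if edit_distance(labels[-2], t_sld) == 1:
            return f"possible misspelling of {t}"       # 1rs.gov for irs.gov
    return "unknown"
```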
Phishing schemes using websites are one of the most successful ways to infiltrate a network. When combined with social engineering, a phishing site link can be placed inside a very persuasive, authentic-looking email. Just clicking the link is enough to take over a machine if security vulnerabilities exist in the browser that opened the malicious link.