FBI Warns of Dangers in 'Safe' Websites

[steven36]

Criminals are using TLS certificates to convince users that fraudulent sites are worthy of their trust.

 

 

One of the most common mechanisms used to secure web browser sessions — and to assure consumers that their transactions are secure — is also being used by criminals looking to gain victims' trust in phishing campaigns. The FBI has issued a public service announcement defining the problem and urging individuals to go beyond simply trusting any "https" URL. 

 

Browser publishers and website owners have waged successful campaigns to convince consumers to look for lock icons and the "https:" prefix as indicators that a website is encrypted and, therefore, secure. The problem, according to the FBI and security experts, is that many individuals incorrectly assume that an encrypted site is secure from every sort of security issue.

 

Craig Young, computer security researcher for Tripwire’s VERT (vulnerability and exposure research team) recognizes the conflict between wanting consumers to feel secure and guarding against dangerous over-confidence. "Over the years, there has been a battle of words around how to communicate online security. Website security can be discussed at a number of levels with greatly different implications," he says.

 

"On its own, however, the padlock does not actually confirm that the user is actually connected with a server from the business they expect," Young explains. "Unfortunately, there is still no solid solution for empowering the general public to discern phishing or scam sites with 100% effectiveness."

 

In the FBI's PSA, the bureau points out that criminals are increasingly incorporating website certificates in phishing email messages impersonating known companies and individuals. The trustworthy-looking URLs take the victims to pages that seek sensitive and personal information.

 

"This isn’t new; cyber criminals have been orchestrating these kinds of phishing campaigns for several years," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. He explains, "In 2017, security researchers uncovered over 15,000 certificates containing the word 'PayPal' that were being used in attacks. Since then it’s become clear that bad actors have an entire supply chain in place on the dark web to get trustworthy TLS certificates to use in all kinds of malicious attacks."

 

Bocek says that researchers have found definitive evidence of TLS certificates for sale on the dark web, with prices for highly trustworthy certificates reaching more than a thousand dollars. He sees greater visibility and transparency as key assets in fighting the proliferation of these "trustworthy" certificates used in fraudulent ways.

 

Other technologies may eventually provide additional weapons against the criminals. Young says, "In the long run, the best available solution to this problem is probably the use of newer standards like WebAuthN to prevent naïve users from inadvertently divulging site credentials to a phisher."

 

The FBI's PSA doesn't recommend new technology, instead suggesting behavioral defenses against the phishing attacks. The Bureau recommends questioning the intent of email messages, confirming the authenticity of messages before divulging sensitive information, looking for mis-spellings or domain inconsistencies, and tempering the overall trust in a site simply because it displays a green lock icon.

 

Source

 

 

[mp68terr]

Thoughts after reading this article:

 

Where are these "trustworthy" certificates used in fraudulent ways coming from?

 

8 minutes ago, steven36 said:

The FBI's PSA doesn't recommend new technology, instead suggesting behavioral defenses...

Why not a word about 'certificate authorities'?
If the "trustworthy" certificates are coming from the CA, then the FBI or similar agencies have to check what is going on there.

If the "trustworthy" certificates are NOT coming from the CA (=forged/falsely) then an alternative to the CA is more than necessary.

[steven36]

FBI Warns of HTTPS Abuse in Phishing Campaigns

 

Malicious actors are abusing users’ trust in the HTTPS protocol to launch phishing campaigns, the Federal Bureau of Investigation (FBI) warns in a recent alert. 

 

For years, tech companies have been pushing toward the wide adoption of the HTTPS protocol, or Hypertext Transfer Protocol Secure, on the web, as it ensures that the communication between a website and the user’s browser is performed over a secure connection.  

 

Modern browsers mark websites that use the protocol with a lock icon to indicate that browser traffic is encrypted and that attackers can’t access the data in transit. More recently, they also started displaying warnings when a non-secure website is accessed. 

 

Adapting to these changes, phishers are adopting the HTTPS protocol in their campaigns as well, as it allows them to more successfully trick victims into believing that malicious emails or links they receive in their inboxes come from legitimate sources. 

 

“Unfortunately, cyber criminals are banking on the public’s trust of “https” and the lock icon. They are more frequently incorporating website certificates—third-party verification that a site is secure—when they send potential victims emails that imitate trustworthy companies or email contacts,” the FBI warns. 

 

Abusing users’ trust, these phishing schemes are attempting to acquire sensitive logins or other information by luring victims into accessing malicious websites that look secure. However, only the connection to these sites is secure, and the HTTPS protocol is in no way related to the content of the site too. 

 

To ensure they don’t fall to such phishing schemes, users should never simply trust the name on an email, but also question the intent of the email content, the FBI recommends. 

 

Moreover, users are advised to confirm the legitimacy of any received message whenever they receive an email with a link from a known contact, and should never reply directly to a suspicious email. Misspellings or wrong domains within a link should also be indicative of malicious intent. 

 

“Do not trust a website just because it has a lock icon or “https” in the browser address bar,” the FBI underlines. 

 

Victims are advised to report information regarding suspicious or criminal activity to their local FBI field office, and to file a complaint on www.ic3.gov. Complaints related to such phishing schemes should include “HTTPS phishing” in the body of the complaint.

 

“This isn’t new; cyber criminals have been orchestrating these kinds of phishing campaigns for several years. In 2017, security researchers uncovered over 15,000 certificates containing the word ‘PayPal’ that were being used in attacks. Since then it’s become clear that bad actors have an entire supply chain in place on the Dark Web to get trustworthy TLS certificates to use in all kinds of malicious attacks,” Kevin Bocek, Vice President at identity protection provider Venafi, told SecurityWeek in an emailed comment. 

 

“Unfortunately, there is still no solid solution for empowering the general public to discern phishing or scam sites with 100% effectiveness. This is compounded by the fact that many

organizations will send official email soliciting information on third-party domains thereby making it exceedingly difficult to know in some circumstances whether a site is legitimate,” Craig Young, security researcher for Tripwire, commented for SecurityWeek.

 

Source