Watch Out for HTTPS-Protected Phishing Sites, Warns FBI


The Federal Bureau of Investigation (FBI) is warning web users to watch out for phishing sites that leverage HTTPS protection for malicious ends.

On 10 June, the FBI’s Internet Crime Complaint Center (IC3) published I-061019-PSA. This public service announcement explains that digital criminals are increasingly using sites protected with Hypertext Transfer Protocol Secure (HTTPS) to prey upon users. These bad actors are gravitating more and more to this technique because of the advantage it lends them: the padlock makes a fraudulent site look trustworthy.

As the FBI explains in its PSA:

"The presence of 'https' and the lock icon are supposed to indicate the web traffic is encrypted and that visitors can share data safely. Unfortunately, cyber criminals are banking on the public’s trust of 'https' and the lock icon. They are more frequently incorporating website certificates (third-party verification that a site is secure) when they send potential victims emails that imitate trustworthy companies or email contacts."

A Growing Tactic and How to Defend Against It

This isn’t a new tactic, either. Back in 2017, one digital security provider discovered that malefactors were obtaining digital certificates in order to protect their phishing sites with HTTPS in a quarter of the attacks it documented. In a later report, the same provider observed that this share had jumped to just under half of phishing attacks (49 percent).

The FBI points out in its PSA that users can protect themselves by not automatically trusting emails, even those sent by trusted contacts. They should also verify the legitimacy of a suspicious email by calling the sender, not by replying directly to the email. Finally, they should always inspect incoming emails for misspellings and wrong domains as well as exercise caution around unfamiliar messages that ask for personal information, including those using HTTPS.
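As an added example (not code from the FBI PSA or from this post), the following Python sketch applies the "wrong domains" check described above to the links in a constructed sample email: it compares each link's real domain against a trusted list, looks for lookalike spellings and mismatched link text, and deliberately gives no weight to the https:// scheme or the padlock. The trusted domains and the sample message are assumptions made for the demonstration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed sample: domains the recipient actually trusts (hypothetical organisation)
TRUSTED_DOMAINS = ("example-bank.com", "example.com")

# Constructed sample email body: every link is HTTPS, but only the last one is genuine
SAMPLE_EMAIL = """Dear customer, please confirm your account at
<a href="https://example-bank.com.secure-login.example.net/verify">https://example-bank.com/verify</a>
or reset it at https://examp1e-bank.com/reset (link 2).
Our help pages remain at https://example-bank.com/help"""

def registrable_domain(host):
    """Last two labels of a hostname (adequate for .com-style TLDs, not for co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(domain, trusted, threshold=0.85):
    """Return the trusted domain this one closely resembles, or None."""
    for t in trusted:
        if domain != t and SequenceMatcher(None, domain, t).ratio() >= threshold:
            return t
    return None

def assess_link(href, text, trusted):
    """Flag problems with one link; the scheme is never consulted, since 'https' only says the channel is encrypted."""
    findings = []
    host = urlparse(href).hostname or ""
    domain = registrable_domain(host)
    if domain not in trusted:
        findings.append(f"untrusted domain {domain}")
        for t in trusted:  # trusted brand buried in a subdomain of someone else's domain
            if t in host and domain != t:
                findings.append(f"'{t}' appears as a subdomain of {domain}")
        hit = lookalike_of(domain, trusted)
        if hit:
            findings.append(f"{domain} looks like {hit}")
    if text and text.startswith("http"):  # visible URL differs from the real target
        text_domain = registrable_domain(urlparse(text).hostname or "")
        if text_domain != domain:
            findings.append(f"link text shows {text_domain} but points to {domain}")
    return findings

def scan_email(body, trusted):
    """Extract anchor links and bare URLs from an email body and assess each."""
    anchor = r'<a href="([^"]+)">([^<]*)</a>'
    results = {href: assess_link(href, text, trusted) for href, text in re.findall(anchor, body)}
    for href in re.findall(r'https?://[^\s<>"()]+', re.sub(anchor, "", body)):
        results[href] = assess_link(href, None, trusted)
    return results
```

Running `scan_email(SAMPLE_EMAIL, TRUSTED_DOMAINS)` flags the first two links (brand name in a foreign subdomain, mismatched link text, and a digit-for-letter lookalike) and returns no findings for the genuine help-page link, even though all three use HTTPS.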

Part of a Larger Problem…

Unfortunately, those sound recommendations aren’t enough to keep users and organizations safe when viewed in the larger context of phishing attacks’ ongoing evolution. That’s because HTTPS phishing isn’t the only sophisticated technique that social attackers are increasingly incorporating into their campaigns. Several others are now making their way into attacks.

In its own research, AppRiver found reason to believe that fraudsters will specifically resort to launching attacks that leverage "living off the land" techniques. These tactics commonly involve the use of legitimate applications, such as utilities employed specifically by the targeted organizations or administrative tools widely deployed by organizations across various sectors.

As an example, one piece of malware leveraged NcFTP, a legitimate FTP software package, to upload victims’ stolen credentials to freehostia.com, a widely used hosting service. It also relied on three benign executables (xcopy.exe, attrib.exe and sleep.exe) to set the stage for its malicious activities. Research shows that digital attackers are also using such techniques as a means of creating more credibility and a legitimate appearance for their phishing attacks.

The Need for Stronger Email Security Defenses

Employee awareness training isn’t sufficient on its own to defend against the sophisticated techniques discussed above. Organizations need to balance these security education programs with robust solutions that can detect advanced attack techniques. Specifically, they should look for a multi-layered email security solution that evaluates suspicious emails based on their IP addresses, URLs, phrases, campaign matters and malware signatures. This solution should provide such intelligence in real time while allowing legitimate correspondence to come through.
