When browsing the web you have probably noticed the padlock next to the browser’s address bar. It indicates that the site presented a certificate, issued by a certificate authority, that matches the host name in the address bar, and that the connection to that host is encrypted. If you click on the padlock, you can see who issued the certificate and which host names it covers. You might also have noticed the “https” protocol designation in front of the website address. It says the same thing: traffic between your browser and the host named in the address bar is encrypted and cannot be read or altered in transit. Neither feature says anything about who operates that host or what they intend to do with what you type.
These security features are especially important when filling out forms that ask for personal information, such as credit card details when making an online purchase, furnishing access credentials to view healthcare records or an investment account, or filling out an application for a mortgage loan or insurance policy. If a website does not offer them, anything you submit can be intercepted on the way, and you risk not only having sensitive information fall into the wrong hands but having it used against you in harmful ways.
That Was Then, This Is Now
These essential security features we all have come to trust are now being used against us. The FBI has issued a public service announcement regarding secured websites being used by cyber criminals in phishing campaigns that exploit users’ trust. They deceive users into trusting bogus sites that look legitimate, so they will not give a second thought about handing over sensitive personal information.
“They are more frequently incorporating website certificates – third-party verification that a site is secure – when they send potential victims emails that imitate trustworthy companies or email contacts,” says the FBI’s public service announcement. “These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure.”
Cyber criminals can obtain certificates for the domains they use in phishing campaigns just like anyone else: a domain-validated certificate is issued automatically, and at no cost, to whoever controls the domain, and the issuer never asks what the site is for. Once the site is reported, the domain may be taken down or the certificate revoked, but that takes time, and the campaign has usually done its damage by then. A relatively new tactic avoids the problem altogether: attackers host phishing pages on cloud services whose customer subdomains are served under the provider’s own, entirely legitimate certificate.
For example, a phishing campaign might use the Microsoft Azure Blob Storage service to host a convincing Microsoft account or Outlook sign-in page in an attempt to steal recipients’ credentials. The page is served from a subdomain of windows.net under Microsoft’s own certificate for that service, so the padlock, the certificate issuer and the Microsoft-owned domain all look legitimate, while the page itself is controlled by the attacker.
The FBI recommends taking the following steps to avoid being tricked by bad actors via “secured” phishing pages:
- Do not trust a website just because it has a lock icon or “https” in the browser address bar.
- Do not simply trust the name on an email: question the intent of the email content.
- If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
- Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead, or a brand name has a letter swapped), and compare the address the link text shows with the address it actually opens.
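The checks in the FBI list, and the cloud-hosting trick described above, can be turned into a small triage script. The example below is added here and is not part of the FBI announcement; it is constructed for this article. Given the HTML of a suspicious email, it pulls out every link and flags the three things the padlock will not tell you: whether the visible link text names a different site than the one the link opens, whether the page lives on a shared cloud storage subdomain (where the certificate belongs to the provider, not to whoever uploaded the page), and whether the domain is a lookalike or wrong-TLD variant of a domain you actually expect. The list of shared-hosting suffixes, the expected domains and the sample email are all assumptions made up for the example, and the registrable-domain helper is deliberately crude (a real tool would use the Public Suffix List).

```python
"""Triage links in a suspicious email.

The padlock proves only that you reached the host in the URL, so the useful
question is *which* host that is.  Example code written for this article; the
suffix list, expected domains and sample email below are constructed."""
import difflib
import html.parser
import re
from urllib.parse import urlparse

# Suffixes under which anyone can upload content and have it served under the
# provider's certificate.  Assumption: a representative list, not exhaustive.
SHARED_HOSTING_SUFFIXES = (
    ".blob.core.windows.net",
    ".web.core.windows.net",
    ".s3.amazonaws.com",
    ".storage.googleapis.com",
    ".github.io",
)

# Domains this recipient legitimately expects mail and links from (constructed).
EXPECTED_DOMAINS = ("microsoft.com", "live.com", "irs.gov")

# Link text that itself looks like a URL or bare host name.
_URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)

# Constructed sample: one cloud-hosted page, one honest link, one TLD swap
# with misleading link text, and one lookalike domain without TLS.
SAMPLE_EMAIL = """
<p>Your Office 365 password expires today.</p>
<a href="https://contoso-login.blob.core.windows.net/auth/index.html">Sign in to keep your account</a>
<a href="https://www.microsoft.com/account">https://www.microsoft.com/account</a>
<a href="https://irs.com/refund">irs.gov/refund</a>
<a href="http://micros0ft.com/verify">Verify now</a>
"""


class _LinkExtractor(html.parser.HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_a = False
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a, self._href, self._text = True, dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._in_a:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            if self._href:
                self.links.append((self._href, "".join(self._text).strip()))
            self._in_a = False


def extract_links(email_html):
    parser = _LinkExtractor()
    parser.feed(email_html)
    return parser.links


def registrable_domain(host):
    """Crude eTLD+1: the last two labels.  Enough for the domains used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(href, visible_text):
    """Return a list of warning strings; an empty list means nothing was found."""
    warnings = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        warnings.append("not https")

    # 1. Link text that names one site while the href goes to another.
    m = _URLISH.match(visible_text)
    shown_host = m.group(1).lower() if m else ""
    if shown_host and registrable_domain(shown_host) != registrable_domain(host):
        warnings.append(f"text shows {shown_host} but link goes to {host}")

    # 2. Shared cloud hosting: the certificate is the provider's, not the sender's.
    for suffix in SHARED_HOSTING_SUFFIXES:
        if host.endswith(suffix):
            warnings.append(f"hosted on shared service {suffix.lstrip('.')}; "
                            "certificate is the provider's, not the sender's")
            break

    # 3. Wrong TLD or lookalike spelling of a domain we expect.
    reg = registrable_domain(host)
    if reg not in EXPECTED_DOMAINS:
        name, _, tld = reg.rpartition(".")
        for expected in EXPECTED_DOMAINS:
            exp_name, _, exp_tld = expected.rpartition(".")
            if name == exp_name and tld != exp_tld:
                warnings.append(f"{reg} uses .{tld} where {expected} uses .{exp_tld}")
            elif difflib.SequenceMatcher(None, name, exp_name).ratio() >= 0.8:
                warnings.append(f"{reg} looks like {expected}")
    return warnings


def triage(email_html):
    """Map each link in the email to its list of warnings."""
    return {href: assess_link(href, text) for href, text in extract_links(email_html)}


if __name__ == "__main__":
    for link, findings in triage(SAMPLE_EMAIL).items():
        print(link, "->", findings or "no findings")
```

Run it and the Azure-hosted link is flagged only because of where it is hosted: its scheme is https, and a browser would show a padlock and a valid Microsoft-issued certificate for it. That is exactly the case the FBI announcement warns about, and it is why the script reports the hosting provider rather than anything about the certificate itself.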
As you can surmise from the FBI recommendations, your best defense against this type of online fraud boils down to common sense. It requires that you pay more attention to the websites you visit, to the emails you receive, and to the links you click on, and that you treat the padlock as proof of a private connection to a host, not as proof of who that host is. If you have any doubt about the legitimacy of a website, email or link, it is best to move on rather than risk opening the digital version of Pandora’s Box.
Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.