Criminals are using TLS certificates to convince users that fraudulent sites are worthy of their trust.

One of the most common mechanisms used to secure web browser sessions — and to assure consumers that their transactions are secure — is also being used by criminals looking to gain victims' trust in phishing campaigns. The FBI has issued a public service announcement defining the problem and urging individuals to go beyond simply trusting any "https" URL. 

Browser publishers and website owners have waged successful campaigns to convince consumers to look for lock icons and the "https:" prefix as indicators that a website is encrypted and, therefore, secure. The problem, according to the FBI and security experts, is that many individuals incorrectly assume that an encrypted site is secure from every sort of security issue.

Craig Young, computer security researcher for Tripwire’s VERT (vulnerability and exposure research team) recognizes the conflict between wanting consumers to feel secure and guarding against dangerous over-confidence. "Over the years, there has been a battle of words around how to communicate online security. Website security can be discussed at a number of levels with greatly different implications," he says.

"On its own, however, the padlock does not actually confirm that the user is actually connected with a server from the business they expect," Young explains. "Unfortunately, there is still no solid solution for empowering the general public to discern phishing or scam sites with 100% effectiveness."

In the FBI's PSA, the bureau points out that criminals are increasingly incorporating website certificates in phishing email messages impersonating known companies and individuals. The trustworthy-looking URLs take the victims to pages that seek sensitive and personal information.

"This isn’t new; cyber criminals have been orchestrating these kinds of phishing campaigns for several years," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. He explains, "In 2017, security researchers uncovered over 15,000 certificates containing the word 'PayPal' that were being used in attacks. Since then it’s become clear that bad actors have an entire supply chain in place on the dark web to get trustworthy TLS certificates to use in all kinds of malicious attacks."

Bocek says that researchers have found definitive evidence of TLS certificates for sale on the dark web, with prices for highly trustworthy certificates reaching more than a thousand dollars. He sees greater visibility and transparency as key assets in fighting the proliferation of these "trustworthy" certificates used in fraudulent ways.

Other technologies may eventually provide additional weapons against the criminals. Young says, "In the long run, the best available solution to this problem is probably the use of newer standards like WebAuthN to prevent naïve users from inadvertently divulging site credentials to a phisher."

The FBI's PSA doesn't recommend new technology, instead suggesting behavioral defenses against the phishing attacks. The Bureau recommends questioning the intent of email messages, confirming the authenticity of messages before divulging sensitive information, looking for mis-spellings or domain inconsistencies, and tempering the overall trust in a site simply because it displays a green lock icon.

Related content:

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights