Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

FBI Warns of Dangers in 'Safe' Websites

Criminals are using TLS certificates to convince users that fraudulent sites are worthy of their trust.

One of the most common mechanisms used to secure web browser sessions — and to assure consumers that their transactions are secure — is also being used by criminals looking to gain victims' trust in phishing campaigns. The FBI has issued a public service announcement defining the problem and urging individuals to go beyond simply trusting any "https" URL. 

Browser publishers and website owners have waged successful campaigns to convince consumers to look for lock icons and the "https:" prefix as indicators that a website is encrypted and, therefore, secure. The problem, according to the FBI and security experts, is that many individuals incorrectly assume that an encrypted site is secure from every sort of security issue.

Craig Young, computer security researcher for Tripwire’s VERT (vulnerability and exposure research team) recognizes the conflict between wanting consumers to feel secure and guarding against dangerous over-confidence. "Over the years, there has been a battle of words around how to communicate online security. Website security can be discussed at a number of levels with greatly different implications," he says.

"On its own, however, the padlock does not actually confirm that the user is actually connected with a server from the business they expect," Young explains. "Unfortunately, there is still no solid solution for empowering the general public to discern phishing or scam sites with 100% effectiveness."

In the FBI's PSA, the bureau points out that criminals are increasingly incorporating website certificates in phishing email messages impersonating known companies and individuals. The trustworthy-looking URLs take the victims to pages that seek sensitive and personal information.

"This isn’t new; cyber criminals have been orchestrating these kinds of phishing campaigns for several years," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. He explains, "In 2017, security researchers uncovered over 15,000 certificates containing the word 'PayPal' that were being used in attacks. Since then it’s become clear that bad actors have an entire supply chain in place on the dark web to get trustworthy TLS certificates to use in all kinds of malicious attacks."

Bocek says that researchers have found definitive evidence of TLS certificates for sale on the dark web, with prices for highly trustworthy certificates reaching more than a thousand dollars. He sees greater visibility and transparency as key assets in fighting the proliferation of these "trustworthy" certificates used in fraudulent ways.

Other technologies may eventually provide additional weapons against the criminals. Young says, "In the long run, the best available solution to this problem is probably the use of newer standards like WebAuthN to prevent naïve users from inadvertently divulging site credentials to a phisher."

The FBI's PSA doesn't recommend new technology, instead suggesting behavioral defenses against the phishing attacks. The Bureau recommends questioning the intent of email messages, confirming the authenticity of messages before divulging sensitive information, looking for mis-spellings or domain inconsistencies, and tempering the overall trust in a site simply because it displays a green lock icon.

Related content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
6/11/2019 | 1:54:54 PM
A good policy
This works: If you don't need it, don't read it, delete it.  Simple and easy to remember
timcallan
50%
50%
timcallan,
User Rank: Author
10/23/2019 | 12:18:40 PM
Authentic company information is available
It's important to understand that not all site certificates (known as TLS or SSL certificates) are the same.  The ciminals almost exclusively use "domain validated" certificates, which contain no authenticated information about the identiy of the site.  However, sites have the opportunity to use a different type of certificate called Extended Validation, or EV.

All EV certificates include the authenticated identity information of the company operating the site.  This authentication follows codified methodology that has proven effective in more then ten years of widespread global use.  Browsers have the opportunity to dispay this information so that a user can distinguish between a real site and a crafty criminal fake.

Unfortunately, popular browsers Chrome and Firefox have chosen not to display this information. The good news for users is that they have alternatives that do.  Browsers like Safari and Edge change their interface to indicate that EV authenticated information is available and allow users to view it.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-3931
PUBLISHED: 2020-07-08
Buffer overflow exists in Geovision Door Access Control device family, an unauthenticated remote attacker can execute arbitrary command.
CVE-2020-15600
PUBLISHED: 2020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
CVE-2020-15599
PUBLISHED: 2020-07-07
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
CVE-2020-8916
PUBLISHED: 2020-07-07
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to res...
CVE-2020-12821
PUBLISHED: 2020-07-07
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.