Quote
CYBER ACTORS EXPLOIT 'SECURE' WEBSITES IN PHISHING CAMPAIGNS
Websites with addresses that start with “https” are supposed to provide privacy and security to visitors. After all, the “s” stands for “secure” in HTTPS: Hypertext Transfer Protocol Secure. In fact, cyber security training has focused on encouraging people to look for the lock icon that appears in the web browser address bar on these secure sites. The presence of “https” and the lock icon are supposed to indicate the web traffic is encrypted and that visitors can share data safely. Unfortunately, cyber criminals are banking on the public’s trust of “https” and the lock icon. They are more frequently incorporating website certificates—third-party verification that a site is secure—when they send potential victims emails that imitate trustworthy companies or email contacts. These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure.
RECOMMENDATIONS:
The following steps can help reduce the likelihood of falling victim to HTTPS phishing:
Do not simply trust the name on an email: question the intent of the email content.
If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).
Do not trust a website just because it has a lock icon or “https” in the browser address bar.
VICTIM REPORTING
The FBI encourages victims to report information concerning suspicious or criminal activity to their local FBI field office, and file a complaint with the IC3 at www.ic3.gov. If your complaint pertains to this particular scheme, please note “HTTPS phishing” in the body of the complaint.
Websites with addresses that start with “https” are supposed to provide privacy and security to visitors. After all, the “s” stands for “secure” in HTTPS: Hypertext Transfer Protocol Secure. In fact, cyber security training has focused on encouraging people to look for the lock icon that appears in the web browser address bar on these secure sites. The presence of “https” and the lock icon are supposed to indicate the web traffic is encrypted and that visitors can share data safely. Unfortunately, cyber criminals are banking on the public’s trust of “https” and the lock icon. They are more frequently incorporating website certificates—third-party verification that a site is secure—when they send potential victims emails that imitate trustworthy companies or email contacts. These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure.
RECOMMENDATIONS:
The following steps can help reduce the likelihood of falling victim to HTTPS phishing:
Do not simply trust the name on an email: question the intent of the email content.
If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).
Do not trust a website just because it has a lock icon or “https” in the browser address bar.
VICTIM REPORTING
The FBI encourages victims to report information concerning suspicious or criminal activity to their local FBI field office, and file a complaint with the IC3 at www.ic3.gov. If your complaint pertains to this particular scheme, please note “HTTPS phishing” in the body of the complaint.
Last month, FBI posted this warning on their website about this kind of phishing attack that is really hard to detect. We have been calling to check for the SSL if we are going around the web specially visiting crypto related websites and we are all under the impression that HTTPS is synonymous with security specially with the padlock symbol.
WRONG.
Cyber criminals is also taking advantage of this supposedly form of security.
So again, education is one of the best weapon to combat against this kind of attacks. I'm reiterating 2FA and a good password manager as well.