Whatever your reason for browsing the internet, you have no doubt checked the address bar for the lock icon – 🔒 – and that the website is using HTTPS. It is meant to reassure you that the website you are using is safe and secure: your personal details are protected, and your credit card details are secured behind SSL encryption.
Sadly, cyber criminals are able to use certificates that appear to belong to well-known companies to steal your information, and at worst, your entire identity.
An alert was published Monday by the FBI’s Internet Crime Complaint Center (known as IC3) warning that criminals are now able to use certificates in phishing scams that could easily steal your identity.
“The presence of ‘https’ and the lock icon are supposed to indicate the web traffic is encrypted and that visitors can share data safely,” IC3 wrote – “Unfortunately, cyber criminals are banking on the public’s trust of ‘https’ and the lock icon.”
HTTPS ensures the connection between your device (phone, tablet or laptop, for example) and the website is encrypted. Secure Sockets Layer (SSL), and its successor TLS, is the protocol that lets your data travel to the website without fear of man-in-the-middle attacks. When HTTPS/SSL is not present, cyber criminals have ways of intercepting data before it reaches the target website or you.
But what if the certificate itself is not authentic?
This is akin to the stores and pop-up shops in China that purport to be official Apple stores. It looks genuine, but it is far from it. A website may look genuine, with an SSL certificate that matches PayPal or eBay – but the reality is something completely different.
Fake & malicious websites
One of the scams involves criminals sending phishing emails out in huge numbers, which may seem to come from a friend or from an official website. The links, however, go directly to the fake website, complete with HTTPS.
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said the FBI’s warning has definitely come at the right time, but is not anything we didn’t already know.
“In 2017, security researchers uncovered over 15,000 certificates containing the word ‘PayPal’ that were being used in attacks. Since then it’s become clear that bad actors have an entire supply chain in place on the dark web to get trustworthy TLS certificates to use in all kinds of malicious attacks,” Bocek said.
The trade in these certificates is a high-ticket business. TLS certificates have sold for thousands of dollars, according to Bocek, and to put things in perspective, Bocek also said that Social Security numbers often sell for $1.00 USD or less.
“Unfortunately, there is still no solid solution for empowering the general public to discern phishing or scam sites with 100% effectiveness,” according to Craig Young, a computer security researcher at Tripwire. “This is compounded by the fact that many organizations will send official email soliciting information on third-party domains thereby making it exceedingly difficult to know in some circumstances whether a site is legitimate.”
The FBI offered these tips to avoid becoming a victim of these scams & criminal activities:
- Do not simply trust the name on an email: question the intent of the email content.
- If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
- Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).
- Do not trust a website just because it has a lock icon or “https” in the browser address bar.
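As an added example (not from the article or the FBI), here is a small Python classifier that applies the last three tips to a link taken from an email: it judges the registrable domain rather than the scheme or the lock icon, and flags a wrong suffix or a brand name embedded in someone else's domain. The allowlist and sample links are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains the organisation really uses.
# This is an assumption for the example; in practice take it from your own
# inventory of brands and domains.
TRUSTED_DOMAINS = {"paypal.com", "ebay.com", "irs.gov"}
# Brand words that phishers embed in lookalike hostnames ("paypal" in
# "paypal.com.verify-account.net" or "secure-paypal-login.com").
BRAND_WORDS = {d.split(".")[0] for d in TRUSTED_DOMAINS}


def registrable_domain(host):
    """Last two labels of a hostname, e.g. 'paypal.com'. Deliberately naive:
    multi-label suffixes such as 'co.uk' need a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url):
    """Classify a link along the lines of the IC3 tips. The scheme is never
    counted in the link's favour: 'https://' and a valid certificate only
    prove that whoever registered the lookalike domain controls it."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    if "." not in host:
        return "invalid", "link has no usable hostname"
    apex = registrable_domain(host)
    if apex in TRUSTED_DOMAINS:
        return "trusted", f"{host} is {apex} or one of its subdomains"
    # Same name, wrong suffix: 'irs.com' when the real site is 'irs.gov'.
    name, _, tld = apex.partition(".")
    for trusted in TRUSTED_DOMAINS:
        t_name, _, t_tld = trusted.partition(".")
        if name == t_name and tld != t_tld:
            return "wrong-tld", f"{apex} ends in .{tld}, expected .{t_tld}"
    # Brand word present as a whole label, but the registrable domain is
    # someone else's. Whole-label matching avoids flagging 'firstbank.com'
    # for containing 'irs'. Homoglyphs such as 'paypa1' are not covered.
    tokens = set(re.split(r"[.\-_]", host))
    hits = sorted(BRAND_WORDS & tokens)
    if hits:
        return "lookalike", f"{host} uses {', '.join(hits)} but is {apex}"
    return "unknown", f"{apex} is not a known domain; verify out of band"
```

Run it over the links in a suspicious message and treat anything other than "trusted" as a reason to confirm with the sender out of band, as the second tip advises.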