Watch Out for HTTPS-Protected Phishing Sites, Warns FBI


The Federal Bureau of Investigation (FBI) is warning web users to watch out for phishing sites that leverage HTTPS protection for malicious ends.

On 10 June, the FBI’s Internet Crime Complaint Center (IC3) published I-061019-PSA. This public service announcement explains that digital criminals are increasingly using sites protected with Hypertext Transfer Protocol Secure (HTTPS) to prey upon users. These bad actors are gravitating more and more to this technique because of the advantage it lends them.

As the FBI explains in its PSA:

"The presence of “https” and the lock icon are supposed to indicate the web traffic is encrypted and that visitors can share data safely. Unfortunately, cyber criminals are banking on the public’s trust of “https” and the lock icon. They are more frequently incorporating website certificates—third-party verification that a site is secure—when they send potential victims emails that imitate trustworthy companies or email contacts."

A Growing Tactic and How to Defend Against It

This isn’t a new tactic, either. Back in 2017, PhishLabs discovered that malefactors were obtaining digital certificates for the purpose of protecting their phishing sites with HTTPS in a quarter of attacks it documented. Within a year, the digital security provider observed that this percentage jumped up to just under half of phishing attacks (49 percent).

The FBI points out in its PSA that users can protect themselves by not automatically trusting emails, even those sent by trusted contacts. They should also verify the legitimacy of a suspicious email by calling the sender, not by replying directly to the email. Finally, they should always inspect incoming emails for misspellings and wrong domains as well as exercise caution around unfamiliar messages that ask for personal information, including those using HTTPS.
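To make the "check the domain, not the padlock" advice concrete, here is an added example written for this post (it is not code from the FBI PSA or from any Zix product) that classifies every link in a constructed email by its domain alone, ignoring whether it uses HTTPS; the TRUSTED_DOMAINS allowlist and the sample message are assumed values.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the domains this organization and its vendors really use.
TRUSTED_DOMAINS = {"example.com", "example-bank.com"}
URL_RE = re.compile(r"""https?://[^\s<>"')]+""")

def registrable_domain(hostname: str) -> str:
    """Naive eTLD+1 (last two labels); a real deployment would use the public suffix list."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss spellings such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url: str) -> str:
    """Verdict based only on the domain: the scheme (and hence the padlock) is ignored."""
    host = urlparse(url).hostname or ""
    if not host:
        return "unparseable"
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand used as a subdomain of an unrelated domain, or a domain within two edits of the real one.
        if brand in host or levenshtein(reg, trusted) <= 2:
            return "lookalike"
    return "unknown"

def scan_email(body: str) -> list:
    return [(u, classify_url(u)) for u in URL_RE.findall(body)]

# Constructed sample message; all three links use HTTPS, only the first is legitimate.
SAMPLE_EMAIL = """\
Your account was locked. Restore access at https://www.example.com/account
or use our secure portal https://example.com.account-verify.net/login
Questions? See https://examp1e.com/help
"""
if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}")
```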

Part of a Larger Problem

Unfortunately, those sound recommendations aren’t enough to keep users and organizations safe when viewed in the larger context of phishing attacks’ ongoing evolution. That’s because HTTPS phishing isn’t the only sophisticated technique that social engineering attackers are increasingly incorporating into their campaigns. Several others are now making their way into attacks.

In its Global Security Report – End of Year 2018, AppRiver found reason to believe that fraudsters will specifically resort to launching attacks that leverage “living off the land” techniques. These tactics commonly involve the use of legitimate applications such as utilities employed specifically by the targeted organizations or administrative tools widely deployed by organizations across various sectors.

As an example, the Separ malware leveraged NcFTP, a legitimate FTP software provider, to upload victims’ stolen credentials to freehostia.com, a widely used hosting service. It also relied on three benign executables—xcopy.exe, attrib.exe and sleep.exe—to set the stage for its malicious activities. Research shows that digital attackers are also abusing the custom domain name feature of Microsoft Azure storage as a means of creating more credibility and a legitimate appearance for their phishing attacks.

The Need for Stronger Email Security Defenses

Employee awareness training isn’t sufficient on its own to defend against the sophisticated techniques discussed above. Organizations need to balance these security education programs with robust solutions that can detect advanced attack techniques. Specifically, they should look for a multi-layered solution like ZixProtect that evaluates suspicious emails based on their IP addresses, URLs, phrases, campaign matters and malware signatures. This solution should provide such intelligence in real-time while allowing legitimate correspondence to come through.

Strengthen your organization’s email security defenses today.