CyberNews Briefs

FBI Issues Warning on ‘Secure’ Websites Used For Phishing

The FBI has issued a warning about the use of TLS-secured websites in phishing campaigns. In the context of phishing awareness training, users are usually told to avoid websites that do not use HTTPS and/or lack a valid TLS certificate, which means that there is no “padlock” next to the browser’s address bar. While it is good practice not to trust sites without a valid certificate, the presence of a padlock in no way guarantees that a certain domain is used for legitimate purposes.

Based on the knowledge that users nevertheless tend to trust websites with a padlock, threat actors are “more frequently incorporating website certificates—third-party verification that a site is secure—when they send potential victims emails that imitate trustworthy companies or email contacts, ” the PSA by the FBI reads. “These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure.”

The FBI urges users to follow these recommendations:

  • “Do not simply trust the name on an email: question the intent of the email content.
  • If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
  • Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).
  • Do not trust a website just because it has a lock icon or ‘https’ in the browser address bar.”

Read more: FBI Issues Warning on ‘Secure’ Websites Used For Phishing

OODA Analyst

OODA Analyst

OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.