There is no surprise when it comes to hackers power of adaptability. Because of their constant evolution nowadays hackers are using TLS certificates to convince users that fraudulent sites are legit.
One of the most common ways used in the world to secure web browser sessions is also being used by hackers to gain victims’ trust in phishing campaigns.
The FBI has publicly announced to not simply trust any “https” URL.
It all started in the past when browser publishers and website owners have conducted huge and successful campaigns to convince consumers to look for lock icons and the “https:” prefix as indicators that a website is encrypted and secure.
FBI and cybersecurity experts are telling us that this is the big problem now because too many people incorrectly assume that an encrypted site is secure from every sort of security issue.
Keep in mind that the padlock does not actually confirm that the user is actually connected with a server from the business they expect.
Remember everything can be hacked. In order to stay away from any threats related to the cyber world, we recommend the install of antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS your device is running. If you are a company, it is also recommended to hire every year a specialized cybersecurity company that will run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests;
In a recent report, the FBI’s points out very well how hackers are increasingly incorporating website certificates in phishing email messages impersonating known companies and individuals. The legit-looking URLs then take the victims to pages that steal sensitive and personal information.
Don’t think for a second that this is something new, it’s just an old trick in some new clothes; down the way, hackers have been orchestrating these kinds of phishing campaigns for several years.
But now the problem is becoming more and more dangerous, for example just in 2017, security researchers uncovered over 15,000 certificates containing the word PayPal that were being used in cyber attacks. They also discovered an entire supply chain on the dark web from where anyone could get legit TLS certificates to use in all kinds of malicious cyber attacks.
There is hope! It seems that other technologies may eventually provide additional weapons against the new hackers. For now, the best available solution to this problem is probably the use of newer standards like WebAuthN to prevent naïve users from inadvertently divulging site credentials to a phisher, cybersecurity experts say, although the FBI’s doesn’t recommend this new technology.
Instead, they are suggesting behavioral defenses against the phishing attacks. The Bureau recommends questioning every email message, confirming the authenticity of messages before divulging sensitive information, looking for mis-spellings or domain inconsistencies, and not trusting a site simply because it displays a green lock icon.
We would continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or antivirus for Mac in every device that you own, depending on which OS your machine is running, If you are a company we recommend to hire every year a specialized cybersecurity company that will run annual tests on your company’s network, tests like this include: penetration testing and ethical hacking.