Malicious actors are abusing users’ trust in the HTTPS protocol to launch phishing campaigns.  Modern browsers mark websites that use the protocol with a lock icon to indicate that browser traffic is encrypted and that attackers can’t access the data in transit. More recently, they also started displaying warnings when a non-secure website is accessed.   Adapting to these changes, phishers are adopting the HTTPS protocol in their campaigns as well, as it allows them to more successfully trick victims into believing that malicious emails or links they receive in their inboxes come from legitimate sources.  Cyber criminals are banking on the public’s trust of “https” and the lock icon

Abusing users’ trust, these phishing schemes are attempting to acquire sensitive logins or other information by luring victims into accessing malicious websites that look secure. However, only the connection to these sites is secure, and the HTTPS protocol is in no way related to the content of the site too

This isn’t new; cyber criminals have been orchestrating these kinds of phishing campaigns for several years. In 2017, security researchers uncovered over 15,000 certificates containing the word ‘PayPal’ that were being used in attacks. Since then it’s become clear that bad actors have an entire supply chain in place on the Dark Web to get trustworthy TLS certificates to use in all kinds of malicious attacks.

Unfortunately, there is still no solid solution for empowering the general public to discern phishing or scam sites with 100% effectiveness. This is compounded by the fact that many organizations will send official email soliciting information on third-party domains thereby making it exceedingly difficult to know in some circumstances whether a site is legitimate

What to do?

Never simply trust the name on an email, but also question the intent of the email content.

Confirm the legitimacy of any received message whenever they receive an email with a link from a known contact, and should never reply directly to a suspicious email.

Misspellings or wrong domains within a link should also be indicative of malicious intent.

Do not trust a website just because it has a lock icon or “https” in the browser address bar.

What can you do to when this happens to you?

Victims are advised to report information regarding suspicious or criminal activity to their local FBI field office, and to file a complaint on Complaints related to such phishing schemes should include “HTTPS phishing” in the body of the complaint


FBI Warns of HTTPS Abuse in Phishing Campaigns | SecurityWeek.Com