Author Topic: FBI Issues Warning on ‘Secure’ Websites Used For Phishing  (Read 334 times)

Online javajolt

  • Administrator
  • Hero Member
  • *****
  • Posts: 35125
  • Gender: Male
  • I Do Windows
    • windows10newsinfo.com
The U.S. Federal Bureau of Investigation (FBI) issued a public service announcement regarding TLS-secured websites being actively used by malicious actors in phishing campaigns.

Internet users are accustomed by now to always look at the padlock next to the web browser's address bar to check if the current page is served by a website secured using a TLS certificate.

Users also look for after landing on a website is the "http" protocol designation in front of the hostname which is another hint of a domain being "secure" and the web traffic is encrypted.

TLS-secured phishing landing pages

However, this exposes them to phishing campaigns designed by threat actors to use TLS-secure landing pages which exploit the users' trust to deceive them into trusting attacker-controlled sites and handing over sensitive personal information.

"They are more frequently incorporating website certificates—third-party verification that a site is secure—when they send potential victims emails that imitate trustworthy companies or email contacts, " as the FBI says in the PSA.

"These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure."

The FBI recommends following these steps to avoid being tricked by bad actors via http-secured phishing landing pages:

Quote
• Do not simply trust the name on an email: question the intent of the email content.

• If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.

• Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).

• Do not trust a website just because it has a lock icon or “http” in the browser address bar.

Abusing cloud companies' TLS certificates

While in a lot of cases bad actors will get their own SSL certificates to secure pages used in their campaigns to try and trick their targets, there is also a lot of them who just abuse pages hosted on cloud services which automatically inherit the certificates.

For instance, during the last two months, crooks have been observed while hosting malware and command-and-control servers on Microsoft’s Azure cloud services as well as websites used to deliver tech support scams.

As security researcher MalwareHunterTeam said on Twitter, "the amount of lawyers through gov officials through bank employees through AP accountants/analysts/coordinators through everything getting phished using MS hosted phishing pages is totally out of control."



During February, researchers also found that phishing campaigns used Microsoft's Azure Blob Storage to steal recipient's Microsoft account and Outlook credentials utilizing convincing landing pages secured with the windows.net domain's SSL certificates to appear legitimate.

Two months later, MinervaLabs' malware researcher Omri Segev Moyal shared with BleepingComputer custom Office 365 rules which can be used to block phishing attacks that make use of Microsoft's Azure Blob Storage for hosting their landing pages to take advantage of windows.net subdomains' valid Microsoft SSL certificates.


Phishing landing page secured with CloudFlare TLS certificate

It's not only Microsoft's cloud services being abused by cyber-criminals to make their malicious web pages look legitimate given that a phishing campaign which attempted to steal Google and Facebook credentials has been discovered in Early-February utilizing Google Translate as camouflage.

Also, Cloudflare's IPFS gateway was also abused by crooks to secure their phishing scams using TLS certificates issued by CloudFlare.

source