The U.S. Federal Bureau of Investigation (FBI) issued a public service announcement regarding TLS-secured websites being actively used by malicious actors in phishing campaigns.
Internet users are accustomed by now to always look at the padlock next to the web browser's address bar to check if the current page is served by a website secured using a TLS certificate.
Users also look for after landing on a website is the "https" protocol designation in front of the hostname which is another hint of a domain being "secure" and the web traffic is encrypted.
However, this exposes them to phishing campaigns designed by threat actors to use TLS-secure landing pages which exploit the users' trust to deceive them into trusting attacker-controlled sites and handing over sensitive personal information.
"They are more frequently incorporating website certificates—third-party verification that a site is secure—when they send potential victims emails that imitate trustworthy companies or email contacts, " as the FBI says in the PSA.
"These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure."
The FBI recommends following these steps to avoid being tricked by bad actors via HTTPS-secured phishing landing pages:
• Do not simply trust the name on an email: question the intent of the email content.
• If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
• Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).
• Do not trust a website just because it has a lock icon or “https” in the browser address bar.