FBI Warning: The Lock Icon Doesn’t Mean That Website Is Safe

People surfing the web have come to rely on HTTPS and the lock icon in the address bar to feel secure as they browse the internet. But criminals have caught up, according to the FBI, and are including verification certificates for website designed to steal your information.

In an alert published Monday, the bureau’s Internet Crime Complaint Center, or IC3, warned that scammers are using the public’s trust in website certificates as part of phishing campaigns.

“The presence of ‘https’ and the lock icon are supposed to indicate the web traffic is encrypted and that visitors can share data safely,” the bureau wrote in the alert. “Unfortunately, cyber criminals are banking on the public’s trust of ‘https’ and the lock icon.”

The HTTPS protocol ensures the connection to a given website is secure, preventing man-in-the-middle and other attacks from diverting or spying on information going to and from the site. However, the protocol does nothing to ensure the site itself is benign.

In current ongoing scams, criminals are sending phishing emails pretending to be from an acquaintance or official website. But links in the emails actually go to malicious sites, masquerading as legitimate services using HTTPS as cover.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said the FBI’s warning is timely but the problem is not new.

“In 2017, security researchers uncovered over 15,000 certificates containing the word ‘PayPal’ that were being used in attacks. Since then it’s become clear that bad actors have an entire supply chain in place on the dark web to get trustworthy TLS certificates to use in all kinds of malicious attacks,” he said.

Bocek said his teams have found transport layer security, or TLS, certificates for sale online for thousands of dollars apiece. For perspective, he said Social Security numbers and other personal information often sell for $1 or less.

“Unfortunately, there is still no solid solution for empowering the general public to discern phishing or scam sites with 100% effectiveness,” according to Craig Young, a computer security researcher at Tripwire. “This is compounded by the fact that many organizations will send official email soliciting information on third-party domains thereby making it exceedingly difficult to know in some circumstances whether a site is legitimate.”

The FBI offered four tips to avoid becoming a victim:

• Do not simply trust the name on an email: question the intent of the email content.
• If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
• Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).
• Do not trust a website just because it has a lock icon or “https” in the browser address bar.