UPDATED 22:31 EDT / JUNE 10 2019

SECURITY

FBI warns that hackers are using secure websites to trick users

The U.S. Federal Bureau of Investigation today issued a warning that “cyber actors” are exploiting “secure” websites in phishing campaigns.

The public service announcement warned that those running phishing sites are now using Hypertext Transfer Protocol Secure sites, that is, sites whose addresses start with https://, complete with a security certificate, to trick users into believing the sites are legitimate.

“Cybersecurity training has focused on encouraging people to look for the lock icon that appears in the web browser address bar on these secure sites,” the FBI explained.

It said cybercriminals are banking on the public’s trust in “https” and the lock icon. “They are more frequently incorporating website certificates — third-party verification that a site is secure — when they send potential victims emails that imitate trustworthy companies or email contacts,” the announcement added.

The tactic isn’t new. A study in November found nearly half of all phishing sites now deploy Secure Sockets Layer protection complete with a padlock icon in the browser bar in an attempt to give people a false sense of protection.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi Inc., told SiliconANGLE that the FBI’s warning is timely. “When attackers abuse TLS keys and certificates to take over these padlocks, they are able to make phishing attacks far more effective,” he said.

Mehul Patel, director of product marketing at Menlo Security Inc., noted that the announcement shows how attackers are continuously improving their techniques.

“The methods users have been leveraging to avoid phishing attacks are proving to be ineffective,” Patel said. “Rather than trying, and failing, to distinguish between safe and malicious email links and websites, enterprises should be isolating their web browsers to completely avoid any chance at exposing sensitive personal information. With internet activity being executed away from the users’ devices and the ability to turn websites to read-only, there’s never a risk of malware through phishing attacks.”

Craig Young, computer security researcher for Tripwire Inc.’s vulnerability and exposure research team, said there’s still no solid solution for helping the general public avoid the problem.

“In the long run, the best available solution to this problem is probably the use of newer standards like WebAuthn to prevent naïve users from inadvertently divulging site credentials to a phisher,” he said.

Image: Santeri Viinamäki/Wikimedia Commons
