We need to move beyond the S. Specifically, the “S” at the end of HTTPS in our browser bar. It’s 2018, and most of us, myself included, still often validate a website’s authenticity based on whether or not a website begins with “https” versus “http.” The thought is that if a website has the “s” at the end, then we are completely safe, and any concern we might have should be void – because there is an “https” up there.

Image courtesy of microsoft.com

For too long we were taught to look for the word “secure” in the browser bar, or the lock image on the lower right. While this does ensure that information we type into the webpage is safe from eavesdropping, it does not guarantee that we are looking at the real, authentic copy of the site. Looking for the symbols is a good practice, BUT ONLY in the proper context.

About HTTPS

There are no problems with https. Https is an excellent encryption mechanism. The https means that the traffic is encrypted when you type something on the website. This encryption is what keeps our information, which we enter on the website, safe from eavesdroppers.

Think of your credit card number. When you enter it, encryption encapsulates the data from your device to the website server. Encryption can be described as a PVC pipe – it carries your data from you to the online web server.

On its own, https will definitely prevent someone from getting your credit card number when entering it on a website. However, https will not help you if you’ve entered your information on the wrong website. Https does not mean a website is the real, authentic one. It just means that data entered into it is secure and encrypted. So, if you enter your data into a criminal’s copycat version of a website, you just gave them your information – securely.

The problem

Cybercriminals have realized our reliance on https to determine whether a website is authentic or not. They are now exploiting this reliance in phishing emails. Specifically, criminals are now using https in phishing email links to make a site appear as authentic and legitimate. This makes us feel it’s OK to enter our information, but we’re giving it to the criminals.

Comodo’s security blog recently uncovered an elaborate phishing scam in which cybercriminals used this technique. In that example, victims received an email stating that there was a problem shipping a product and that they needed to download the label, at the link provided, to retrieve their item. Comodo did a great job showing what this email actually looks like.

Image courtesy of blog.comodo.com

Here we see the criminals do a couple of things to target you. One, they use a widely known cloud provider – in this case, Google Drive. Two, they also use https. At this point, most of us would not question a Google Drive email using https.
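The check that matters is where a link goes, not whether it starts with https. The sketch below is an added example, not part of the original article or Comodo's write-up; the organisation domain `shipping.example`, the sample links and the sender address are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: domains the real sender is known to use (placeholder value).
EXPECTED_DOMAINS = {"shipping.example"}


def host_matches(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    # Require a dot boundary so "notshipping.example" does not match.
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_link(url, expected=EXPECTED_DOMAINS):
    """Return (encrypted, expected_site) for a link found in an email."""
    parts = urlsplit(url)
    encrypted = parts.scheme.lower() == "https"
    return encrypted, host_matches(parts.hostname or "", expected)


def assess_sender(address, expected=EXPECTED_DOMAINS):
    """True if the sender's domain belongs to the expected organisation."""
    return host_matches(address.rsplit("@", 1)[-1], expected)


# Constructed sample links, not taken from the real campaign.
SAMPLE_LINKS = [
    "https://www.shipping.example/track?id=123",         # encrypted, right site
    "https://drive.google.com/file/d/CONSTRUCTED/view",  # encrypted, third-party host
    "https://shipping.example.login.test/label",         # encrypted, look-alike host
    "http://www.shipping.example/track",                 # right site, not encrypted
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        encrypted, expected_site = assess_link(link)
        print(f"{link}\n  encrypted={encrypted} expected_site={expected_site}")
    print("sender ok:", assess_sender("notice@mailer.test"))
```

The second and third sample links are fully encrypted and still fail the check, which is exactly the gap the phishing email relies on.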

After clicking on the link, victims are asked to download what appears to be a PDF. However, this PDF is actually an executable file (.exe) that runs a malware application to compromise the victim’s information with a keylogger, ransomware, or other malicious software. Notice that the crooks actually used a legitimate PDF icon.

Image courtesy of blog.comodo.com
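A file's icon and name can say "PDF" while its contents are a Windows program, so a defender checks the leading bytes of the file instead. This is an added example, not code from the original article; the file names and byte strings are constructed samples, and the PDF check is simplified to the first bytes of the file.

```python
import os

PDF_MAGIC = b"%PDF-"  # a PDF normally starts with this marker
EXE_MAGIC = b"MZ"     # Windows executables start with the DOS/PE "MZ" header

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def sniff(head):
    """Classify a file by its first bytes."""
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head.startswith(EXE_MAGIC):
        return "exe"
    return "unknown"


def check_download(filename, head):
    """Return a list of warning codes for a downloaded file."""
    name = filename.strip().lower()
    stem, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(stem)[1]
    actual = sniff(head)
    warnings = []
    if ext in EXECUTABLE_EXTS:
        warnings.append("executable-extension")
    # "label.pdf.exe" shows as "label.pdf" when extensions are hidden.
    if inner_ext in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        warnings.append("double-extension")
    if actual == "exe" and ext not in EXECUTABLE_EXTS:
        warnings.append("executable-content")
    elif ext == ".pdf" and actual != "pdf":
        warnings.append("not-a-pdf")
    return warnings


# Constructed samples: (file name, first bytes of the file).
SAMPLES = [
    ("shipping-label.pdf", b"%PDF-1.7\n"),
    ("shipping-label.pdf.exe", b"MZ\x90\x00"),
    ("shipping-label.pdf", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for fname, head in SAMPLES:
        print(fname, "->", check_download(fname, head) or "no warnings")
```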

Solution

You can prevent this. Start by doing the following:

  • Ask yourself some questions about the email you just received. Phishing emails usually urge you to act quickly on something; this is the sharp hook that gets us.
  • Download this guide to recognize phishing emails.
  • Do not rely on https to decide whether or not a website is legitimate.
  • If you have clicked on the link from an email, and you are asked to enter information, slow down and ask yourself:
    • What are you being asked to do?
    • Is there another way to accomplish the end goal?
  • Know that cybercriminals are getting clever by playing on our emotions. Do not let them get your information.
  • Share this article with your friends, coworkers and family members.

Have another thought, tip or suggestion? Leave it in the comments below. I would love to hear from you!

Posted by Elvis Huff

Elvis Huff worked as an officer and network administrator for 12 years with the Lebanon Police Department and has also served as an adjunct professor in information systems at Cumberland University.

2 Comments

  1. Dear Mr. Huff. In reading your example I notice it says Dear Customer. Aren’t legitimate emails usually addressed to a person’s name? Also, the language isn’t typical of any corporate emails, such as the last line, “We apologize for any inconvenience this might cost and we hope to see you at our outlet to pick up your parcel.” That doesn’t sound legitimate. Also, they frequently use language that a foreigner would use. Just stuff I notice.


    1. Thanks Dolly! You are on track for noticing the general reference to the customer and other vague references of non-companies. Those are indeed suspicious things to look out for. Also, notice that the return email address is dpsp.com.br – not even a real FedEx email address, and the .br references Brazil.

