FBI issued a warning that threat actors use secure HTTPS websites to trick the users and to acquire sensitive login credentials, banking information and other personal details.
Internet users tend to believe that if the padlock is present “look for the lock,” then the Website is legitimate and safe.
“Unfortunately, cybercriminals are banking on the public’s trust of “https” and the lock icon.
According to PhishLabs alarming report in the third quarter of 2018, around 49% of all phishing sites use SSL/TLS certificates. That’s an increase from 25% in 2017 and 35% in the second quarter of 2018.
With SSL certificates, there are of different types.
Extended Validation (EV):
[…] The EV certificates are the one displays the company name in the browser address bar.
Organization Validated (OV):
[…] it is also difficult for cyber attackers to acquire to the certificate.
Domain validation (DV):
Easy to acquire, you only need to prove the ownership of the domain and the authorities like Let’s Encrypt providing the certificate for free.
Hackers mainly exploit DV type of certificates.