Monday, June 16, 2025
HomeComputer SecurityFBI Warns that Hackers use Secure HTTPS Websites to Trick Users and...

FBI Warns that Hackers use Secure HTTPS Websites to Trick Users and to Steal Sensitive Logins

Published on

SIEM as a Service

Follow Us on Google News

FBI issued a warning that threat actors use secure HTTPS websites to trick the users and to acquire sensitive login credentials, banking information and other personal details.

Internet users tend to believe that if the padlock is present “look for the lock,” then the Website is legitimate and safe. However, in reality, the SSL certificates don’t tell you anything about site legitimacy, the SSL/TLS certificates are to encrypt the connection between the browser and the server, which avoids intrusion from hackers.

“Unfortunately, cybercriminals are banking on the public’s trust of “https” and the lock icon. They are more frequently incorporating website certificates—third-party verification that a site is secure—when they send potential victims emails that imitate trustworthy companies or email contacts,” states FBI.

- Advertisement - Google News

According to PhishLabs alarming report in the third quarter of 2018, around 49% of all phishing sites use SSL/TLS certificates. That’s an increase from 25% in 2017 and 35% in the second quarter of 2018.

With SSL certificates, there are of different types.

Extended Validation(EV): Which is quite expensive and requires some, and the company behind the TLS certificate should be verified. The EV certificates are the one displays the company name in the browser address bar.

Organization Validated (OV): This type of certificate verify the ownership of the domain and also the organization’s information, it is also difficult for cyber attackers to acquire to the certificate.

Domain validation (DV): Easy to acquire, you only need to prove the ownership of the domain and the authorities like Let’s Encrypt providing the certificate for free. Hackers mainly exploit DV type of certificates.

Threat actors using abused Code-signing certificate from reputable companies as a layer of obfuscation in distributing malicious payloads.

Certificate Transparency aims to remedy these certificate-based threats; it helps in Earlier detection, Faster mitigation, and better oversight.

There are several ways to analyze the Website is legitimate or not; the first and the most recommended method is to check online page scanners.

Cybercriminals are using various sophisticated techniques to fool online users to drop malware and other cyber threats to cause unbearable damages. So beware of the malicious Website, don’t blindly open the Website and check the website safety before opening it.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale

Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...