The Hacker Certificate: How Fake Sites are Taking Over Financial Services

Hackers are targeting financial institutions with fake sites.

We assume that if a website has a security certificate—indicated by an address that begins with “https” and (typically) that little padlock icon next to it—then the website is safe. It isn’t potentially malicious or trying to install malware or steal personal information. Until recently, if a site didn’t have a security certificate it was a red flag. But now hackers are using that very security certificate to trick users into thinking a malicious website is safe—and they’re specifically targeting the finance industry.

Here’s how it works: Hackers mock up websites to look like the official website of a financial institution. They then register a domain name that looks virtually identical to the real institution’s domain, for example by substituting visually similar characters such as a lowercase L for a capital I in the URL. Because they own those domains, they can purchase security certificates for them. The trick works because a security certificate only proves control of the domain name and encrypts the information you send to that site; it says nothing about whether the party on the receiving end is trustworthy. Bottom line: these security certificates don’t prove that a website claiming to be a bank is actually a bank.
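The substitution trick described above can be checked for mechanically. The following is an added example, not code from Vaporstream or from the original post: a small Python checker that folds visually confusable characters (l/I/1, 0/O, rn/m, accented and Cyrillic lookalikes) into a "skeleton" form and compares the result against a list of protected domains. The protected domains (`examplebank.com`, `firstcredit.example`) and all hostnames in the usage section are constructed for illustration.

```python
"""Lookalike-domain checker (added example).

Folds visually confusable characters into a canonical "skeleton" and flags
hostnames whose skeleton collides with, embeds, or closely resembles a
protected domain. Protected domains below are constructed placeholders.
"""
import unicodedata
from difflib import SequenceMatcher

# Constructed list of domains an institution wants to protect (not real ones).
PROTECTED_DOMAINS = ("examplebank.com", "firstcredit.example")

# Multi-character sequences that render like a single letter (applied first).
MULTI_CHAR = {"rn": "m", "vv": "w", "cl": "d"}

# Single characters that are easily mistaken for another, including a few
# Cyrillic letters that are visually identical to Latin ones.
SINGLE_CHAR = {
    "1": "l", "i": "l", "|": "l", "!": "l",   # l / I / 1 confusion
    "0": "o", "5": "s", "$": "s", "3": "e",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0445": "x",  # Cyrillic р с х
    "\u0443": "y",                                # Cyrillic у
}


def skeleton(hostname: str) -> str:
    """Return the confusable-folded form of a hostname."""
    host = hostname.strip().rstrip(".").lower()
    # Decode punycode (xn--) labels so accented lookalikes can be folded;
    # non-ASCII input is already Unicode and is left as-is.
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    # Strip accents: decompose (NFKD) and drop combining marks, so é -> e.
    decomposed = unicodedata.normalize("NFKD", host)
    folded = "".join(c for c in decomposed if not unicodedata.combining(c))
    for seq, rep in MULTI_CHAR.items():
        folded = folded.replace(seq, rep)
    return "".join(SINGLE_CHAR.get(c, c) for c in folded)


def registrable_part(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores multi-label TLDs)."""
    return ".".join(host.split(".")[-2:])


def classify(hostname: str, protected=PROTECTED_DOMAINS, threshold: float = 0.85):
    """Classify a hostname as ('legitimate'|'lookalike'|'unrelated', matched)."""
    raw_reg = registrable_part(hostname.strip().rstrip(".").lower())
    if raw_reg in protected:
        return ("legitimate", raw_reg)      # the real domain or a subdomain of it

    skel = skeleton(hostname)
    skel_reg = registrable_part(skel)
    for legit in protected:
        legit_skel = skeleton(legit)
        if skel_reg == legit_skel:
            return ("lookalike", legit)     # same skeleton, different real name
        if legit_skel in skel:
            return ("lookalike", legit)     # brand embedded as a subdomain/prefix
        if SequenceMatcher(None, skel_reg, legit_skel).ratio() >= threshold:
            return ("lookalike", legit)     # near-miss spelling (dropped letter)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample hostnames, e.g. from a proxy log or a link in an email.
    for h in ["online.examplebank.com", "examp1ebank.com", "exarnplebank.com",
              "ex\u0430mplebank.com", "examplebank.com.secure-login.example",
              "weather.example"]:
        print(f"{h:45s} -> {classify(h)}")
```

Run it over hostnames pulled from mail links or proxy logs; anything classified as `lookalike` is a candidate for blocking or for a user warning, while the skeleton itself is a useful key for grouping variants of the same campaign. The two-label `registrable_part` is a simplification: a production version would use the public suffix list so that names under `co.uk`-style suffixes are handled correctly.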

Hackers know this and they’re taking advantage of it. A recent study found that the percentage of malicious websites using security certificates doubled, from 8.5% in 2018 to 15% in 2019. The scary thing? Combine this with hackers’ use of personalized emails to drive people to these sites (more on that here) and even the most security-conscious individual could struggle to recognize these sites as fake.

One way financial institutions can address the increasingly sophisticated hacker is to use tools that hackers can’t access to carry out their schemes. For instance, if a financial institution lets its employees and clients know that it will never share a link to its site over email, then the likelihood of employees and clients being tricked by these sites is reduced. Instead, all sensitive and financial transactions would occur over more secure channels, such as a dedicated secure communication tool. Clients would receive the information from a source they knew was reliable and be able to recognize the scam. Imagine if, when the recent fake Equifax settlement sites cropped up, Equifax had been able to quickly notify all employees and customers without compromising their security.

That’s why we’ve built a solution that protects financial institutions and their employees and clients from falling victim to these fake sites and other scams. Our communication solution works over an alternative network and allows financial institutions to decide who can communicate with whom, ensuring that any messages sent and information shared between the institution, employees, and clients are always authentic. Financial institutions can rapidly send out mass messages and notifications, keeping people in the loop about any malicious sites or scams. See what our solution looks like in action here.

Contributor: The Vaporstream Team


*** This is a Security Bloggers Network syndicated blog from Vaporstream authored by The Vaporstream Team. Read the original post at: https://www.vaporstream.com/blog/fake-sites-and-financial-institutions/