Phishing attacks, which sucker unsuspecting users into clicking malicious links or giving up their login credentials, often rely on domain names that appear similar to a site they’re trying to imitate. For example, an attacker might register a domain like faceb00k[.]com and use it to steal users’ Facebook credentials. Unless a user is carefully examining the link, they might not notice that the O’s have been replaced with zeros.
Lately, phishing sites have also used TLS certificates, which are used to form an encrypted connection, to lend them a veneer of legitimacy. Browsers will display sites with TLS certificates as secure, and phishing sites take advantage of this to appear safe to users.
It’s a problem that Facebook wants to fight—and so Facebook is launching a new tool today to help developers protect their domains.
“The phishing website can look identical to the real website in an attempt to fool people into giving up their personal information,” members of Facebook’s product security team wrote in a blog post. “To make their malicious domains look more credible, attackers nowadays even obtain valid TLS certificates for them. Due to the presence of a valid security certificate, browsers may display a ‘secure’ indicator—a green padlock and/or word ‘secure’—for a phishing website.”
Facebook is adding an alert system to its Certificate Transparency Monitoring Tool, which will notify developers when certificates are registered for domains that might be used in phishing attacks against them.
“Every time a new certificate appears in any public Certificate Transparency Log, our tool analyzes the domains specified by the certificate for phishing attempts,” the product security team wrote. “If it suspects that the domain is likely associated with phishing, it can notify subscribers of the tool for the legitimate domain by sending email, push, or on-site notifications, depending on their preference.”
Facebook uses the alert tool to monitor its own domains and has caught a number of common attacks. Developers can set up monitoring for their own domains using Facebook’s developer tools.
If developers catch phishing sites trying to impersonate their domains, they can report them to domain registrars, browsers, and ask certificate authorities to revoke the certificates.
“By taking action to shut down bad domains that are created solely to trick people, legitimate website owners can protect their sites and help prevent others from falling for harmful scams,” Facebook’s product security team members wrote.