Slashdot Mirror


Phishing Scams Incorporate SSL Certificates

dettifoss writes "Netcraft reports: 'Internet "phishing" scams are incorporating the use of SSL certificates in their efforts to trick users into divulging sensitive login information for financial accounts.' Perhaps more disturbingly: 'Scammers can also configure their web server so that deceptive SSL certificates won't trigger an alert in the user's browser. "One of the SSL encoding methods is 'plain text'," Neal Krawetz from Secure Science Corporation noted in the SANS post on the issue. "Most SSL servers have this disabled by default, but most browsers support it. When plain text is used, no central certificate authority is consulted and the user never sees a message asking if a certificate should be accepted."'"

5 of 316 comments

  1. Microsoft Has Got You Covered by FiberOpPraise · Score: 5, Funny

    Don't worry, I make sure to type all of my URLs now, including ones such as:
    http://slashdot.org/comments.pl?sid=99888&threshold=0&mode=thread&commentsort=0&op=Reply
    Sometimes they take a while but it pays off!

  2. Re:Do people even see the lock? by gilrain · Score: 4, Funny

    Or, worse yet, the guy who has the credit card in his wallet goes out and buys something! Oh wait, I guess that was a step too far.

  3. thanks scammers! by BinaryJono · Score: 4, Funny

    finally an affordable way to use SSL certificates on our sites without "unsigned certificate" warnings or having to pay Verisign $895/year for each certificate!

  4. Re:Best strategy for fighting this by Anonymous Coward · Score: 5, Funny

    If you doubt the authenticity of an e-mail from, say, American Express, just visit the site as you usually do, through a bookmark.

    This applies to real life too. The other day, two guys wearing official-looking "police" uniforms came to arrest me. I didn't open the door, I called 911 and told them that some jokers wearing police costumes were trying to arrest me. It turns out they were the real police, but it's always best to double check.

  5. They just want to jam. by Jasn · Score: 4, Funny

    I for one object to blaming all this on Phish. I'm sure that Mr. Anastasio et al. have no connection to this illegal and extremely harmful activity.