Slashdot Mirror


Phishing Scams Incorporate SSL Certificates

dettifoss writes "Netcraft reports: `Internet "phishing" scams are incorporating the use of SSL certificates in their efforts to trick users into divulging sensitive login information for financial accounts.' Perhaps more disturbingly: `Scammers can also configure their web server so that deceptive SSL certificates won't trigger an alert in the user's browser. "One of the SSL encoding methods is 'plain text'," Neal Krawetz from Secure Science Corporation noted in the SANS post on the issue. "Most SSL servers have this disabled by default, but most browsers support it. When plain text is used, no central certificate authority is consulted and the user never sees a message asking if a certificate should be accepted.'"

7 of 316 comments (clear)

  1. Re:Do people even see the lock? by mrseigen · · Score: 5, Insightful

    But is the web server itself secure? Most aren't... most are written by ASP + PHP programmers who have no clue about SQL Injection.

    Excellent point, you have to consider the pinheads who are keeping your credit card data on file as well. Somebody comes by, cracks a few passwords and they walk off with all this data. That's a lot less work than busting SSL.

  2. Average Joe by LordK3nn3th · · Score: 5, Insightful

    Average Joe doesn't have any idea what encryption is or why it's important. Average Joe just wants to point, click, and buy. Hell, I rarely pay attention to it.

    Isn't it more likely that people were suckered in not because of the SSL trick but rather simply from "scam" or mimic pages instead?

    --

    ---
    Never criticize religion on Slashdot. You will be modded down for "Troll" no matter how factual it is.
  3. Defeats the purpose of SSL? by chrispyman · · Score: 5, Insightful

    Wasn't the entire point of SSL was to be encrypted? Who's bright idea was it to put plain text in SSL in the first place, much less give browsers support for it?

  4. Best strategy for fighting this by kongjie · · Score: 5, Insightful
    ...is probably a low-tech one.

    If I understand correctly, phishing comes into play when users are sent an e-mail with a bogus link. Probably something like "we've detected fraudulent use of your account, please follow this link to verify your information" etc. etc.

    There is no reason to follow links in e-mail to get to a site that you regularly use. If you doubt the authenticity of an e-mail from, say, American Express, just visit the site as you usually do, through a bookmark. After logging in you should be able to access the necessary info.

  5. Re:Do people even see the lock? by nacturation · · Score: 5, Insightful

    Would there be a way to have the browser display some sort of image transparency on the secure web page?

    Given that the problem can be clearly stated and this is software we're talking about, yes -- such a method could easily be implemented. Alternate solutions could be changing the colors for the titlebar/statusbar, unique secure text/mouse cursor icons, flashing page borders, etc. However, if the trust is misplaced (as this article suggests) then all this notification is kind of pointless. User education on top of security-conscious software is still the best way to deal with security concerns.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  6. Re:Legislation by Anonymous Coward · · Score: 5, Insightful
    Oh, it's illegal. The problem isn't whether or not this sort of thing is legal. It's finding, apprehending, and punishing the offendors that's the hard part.

    Let me give you an example. Suppose you're in the nation of Grand Fenwick, and bank with the National Grand Fenwick Bank. I, who live in Mordor, decide to target customers of the National Grand Fenwick Bank, and set up a fake website at http://123.456.789.0/gf.php[1] that mimics their logon screen. I then send out millions of emails to lure customers of NGFB to my website.

    Within minutes of these emails being sent, the Powers That Be at NGFB know about the fraud that's being committed in their name. They know what host is hosting the scam. They know (or can easily find out) where the host is located physically. BUT:

    1. How do they know whether that host is a willing or unwitting party to the fraud?
    2. How do they prove it, if it's willing?
    3. If it's unwilling, how do they track down the perpetrator?
    4. Assuming they can track down the perpetrator, how do they take said perp into custody?
    It just so happens that the host is my own, and I'm listed as the registrar. Alas, alack, there is no extradition treaty between Mordor and Grand Fenwick, so all they can do is shout threateningly across the ocean at me, whilst I mock their puny and powerless attempts to bring me to justice.

    There are too many levels of proof needed to bring a conviction, and even if they're all satisfied, if the perpetrator is in a country such as Russia, all hope goes out the window. In fact, all it takes is one layer -- me hiring a Russian to obtain these details -- to protect me (as long as I'm careful about how I use those details).

    The police and fraud departments are aware of these issues, and they're trying to resolve them. Unfortunately, political problems get between the problem and the solution. Things aren't helped when it takes me a half hour to alert the bank and/or police of a currently active fraudulent site...

    [1] Yes, I know this is an invalid IP address. You're missing the point.

  7. Re:Do people even see the lock? by rcpitt · · Score: 5, Insightful
    The biggest problem with "seeing the lock" is that the lock icon itself does not intrude enough and the "You're now viewing a secure site" message is too intrusive.

    The auto industry went through this when they put warning bells/buzzers on their cars telling drivers/passengers that their belt was not done up. The warning was persistent and loud - and got disabled (read ignored for the lock symbol and turned off for the message) ASAP.

    They (the auto industry) learned though - they put the buzzer/bell on for only a few seconds at the beginning of the trip - reminding those who cared and not pissing off the rest enough to result in turning off the warning permanently (and thereby removing the warning from others who might drive the car/run the browser)

    The lesson is "If you are going to issue a warning message - do it for a few seconds and then get rid of it so the idiot driving doesn't use wire cutters to remove it altogether"

    Are you listening programmers?

    --
    Been there, done that, paid for the T-shirt
    and didn't get it