Phishing Scams Incorporate SSL Certificates

dettifoss writes "Netcraft reports: `Internet "phishing" scams are incorporating the use of SSL certificates in their efforts to trick users into divulging sensitive login information for financial accounts.' Perhaps more disturbingly: `Scammers can also configure their web server so that deceptive SSL certificates won't trigger an alert in the user's browser. "One of the SSL encoding methods is 'plain text'," Neal Krawetz from Secure Science Corporation noted in the SANS post on the issue. "Most SSL servers have this disabled by default, but most browsers support it. When plain text is used, no central certificate authority is consulted and the user never sees a message asking if a certificate should be accepted.'"

Do people even see the lock?

[valence]

Based on my experiences helping neophytes do web work, my guess is that 90% of the web-using public doesn't even notice the little key icon, and don't know what a security certificate is even when the dialog to accept one appears. All they usually look at is the web page itself... especially on a browser like Safari where the lock is a small icon in the title bar that escaped me the first time I went looking for it. It might be interesting to have some usability folks do an eye movement analysis to see if the average user's eye ever tracks to the lock icon during normal browsing.

Of course, this does make it more likely for people who hit that nasty stage of knowing just enough about online security to be dangerous to get caught...

Re:Do people even see the lock?

[mrseigen]

But is the web server itself secure? Most aren't... most are written by ASP + PHP programmers who have no clue about SQL Injection.

Excellent point, you have to consider the pinheads who are keeping your credit card data on file as well. Somebody comes by, cracks a few passwords and they walk off with all this data. That's a lot less work than busting SSL.

Re:Do people even see the lock?

[nacturation]

Would there be a way to have the browser display some sort of image transparency on the secure web page?

Given that the problem can be clearly stated and this is software we're talking about, yes -- such a method could easily be implemented. Alternate solutions could be changing the colors for the titlebar/statusbar, unique secure text/mouse cursor icons, flashing page borders, etc. However, if the trust is misplaced (as this article suggests) then all this notification is kind of pointless. User education on top of security-conscious software is still the best way to deal with security concerns.

Re:Do people even see the lock?

[Anaxagor]

What are some good resources for a web developer to read so that they know how to design secure sites that use RDBMS as a backend?

OWASP is a good start.

Re:Do people even see the lock?

[rcpitt]

The biggest problem with "seeing the lock" is that the lock icon itself does not intrude enough and the "You're now viewing a secure site" message is too intrusive.

The auto industry went through this when they put warning bells/buzzers on their cars telling drivers/passengers that their belt was not done up. The warning was persistent and loud - and got disabled (read ignored for the lock symbol and turned off for the message) ASAP.

They (the auto industry) learned though - they put the buzzer/bell on for only a few seconds at the beginning of the trip - reminding those who cared and not pissing off the rest enough to result in turning off the warning permanently (and thereby removing the warning from others who might drive the car/run the browser)

The lesson is "If you are going to issue a warning message - do it for a few seconds and then get rid of it so the idiot driving doesn't use wire cutters to remove it altogether"

Are you listening programmers?

SSL certificates in 2004

[ddent]

(Disclaimer: I am probably biased, since we issue
SSL certificates
on our website.)

This article is a good example of yet another reason why the old advice of
"make sure the site you are dealing with has an ssl certificate, and you
should be fine" is no longer entirely true.

To be more confident you are dealing with a reputable/accountable merchant/site, you
should not only make sure that they have an SSL certificate, but you
should also actually click on the lock (or however it is done in the browser
you use) and look at the certificate.

The reason the advice used to be valid, is that traditionally, to get an SSL
certificate, you had to provide documents to prove you are who you say you
are, i.e. DUNS #, articles of incorporation, business license, DBA, bank statement,
passport, driver's license, whatever. That is still true for most of the
certificate authorities, but it isn't always true. Some of the new certificate
authorities don't actually ask to see documents before issuing the
certificate, instead, they merely make sure that you have control of the
domain by sending an email to the listed contacts. In some cases, they also
place a phone call to a number you provide them (I fail to see how this does
anything, but..). Certificate authorities that do this will issue the
certificate to "Domain control validated, organization not validated" as the
organization (or similar text to that effect) rather than to the actual name
of the company the certificate is for. These certificates are
perfectly fine for making sure things
are encrypted, however, they make the certificate useless for getting an idea
about the legitimacy of who you are dealing with. They also don't tend to
carry the warranties that other ones do (and for good reason, who would
underwrite that procedure?).

Average Joe

[LordK3nn3th]

Average Joe doesn't have any idea what encryption is or why it's important. Average Joe just wants to point, click, and buy. Hell, I rarely pay attention to it.

Isn't it more likely that people were suckered in not because of the SSL trick but rather simply from "scam" or mimic pages instead?

Defeats the purpose of SSL?

[chrispyman]

Wasn't the entire point of SSL was to be encrypted? Who's bright idea was it to put plain text in SSL in the first place, much less give browsers support for it?

Best strategy for fighting this

[kongjie]

...is probably a low-tech one.

If I understand correctly, phishing comes into play when users are sent an e-mail with a bogus link. Probably something like "we've detected fraudulent use of your account, please follow this link to verify your information" etc. etc.

There is no reason to follow links in e-mail to get to a site that you regularly use. If you doubt the authenticity of an e-mail from, say, American Express, just visit the site as you usually do, through a bookmark. After logging in you should be able to access the necessary info.

Re:Best strategy for fighting this

If you doubt the authenticity of an e-mail from, say, American Express, just visit the site as you usually do, through a bookmark.

This applies to real life too. The other day, two guys wearing official-looking "police" uniforms came to arrest me. I didn't open the door, I called 911 and told them that some jokers wearing police costumes were trying to arrest me. I turns out they were the real police, but it's always best to double check.

Microsoft Has Got You Covered

[FiberOpPraise]

Don't worry, I make sure to type all of my URL's now including onces such as:
http://slashdot.org/comments.pl?sid=99888&threshol d=0&mode=thread&commentsort=0&op=Reply
Sometimes they take a while but it pays off!

an old timer i know

[Spetiam]

solves all this by never entering any financial data anywhere on the internet. he's not a knowledgeable computer user, and he knows it. in his case, and in the case of many non technically-minded individuals, it seems much easier to simply avoid all online financial transactions.

i think his simple approach to avoiding online financial risks makes a lot of sense. many of my non-tech friends/family members might be taken in by a scam like this, and given how painful it is to explain computer things to them, from now on i'll just tell them never, under any circumstances, to enter financial data on the web.

Re:Legislation

Oh, it's illegal. The problem isn't whether or not this sort of thing is legal. It's finding, apprehending, and punishing the offendors that's the hard part.

Let me give you an example. Suppose you're in the nation of Grand Fenwick, and bank with the National Grand Fenwick Bank. I, who live in Mordor, decide to target customers of the National Grand Fenwick Bank, and set up a fake website at http://123.456.789.0/gf.php[1] that mimics their logon screen. I then send out millions of emails to lure customers of NGFB to my website.

Within minutes of these emails being sent, the Powers That Be at NGFB know about the fraud that's being committed in their name. They know what host is hosting the scam. They know (or can easily find out) where the host is located physically. BUT:

1. How do they know whether that host is a willing or unwitting party to the fraud?
2. How do they prove it, if it's willing?
3. If it's unwilling, how do they track down the perpetrator?
4. Assuming they can track down the perpetrator, how do they take said perp into custody?

It just so happens that the host is my own, and I'm listed as the registrar. Alas, alack, there is no extradition treaty between Mordor and Grand Fenwick, so all they can do is shout threateningly across the ocean at me, whilst I mock their puny and powerless attempts to bring me to justice.

There are too many levels of proof needed to bring a conviction, and even if they're all satisfied, if the perpetrator is in a country such as Russia, all hope goes out the window. In fact, all it takes is one layer -- me hiring a Russian to obtain these details -- to protect me (as long as I'm careful about how I use those details).

The police and fraud departments are aware of these issues, and they're trying to resolve them. Unfortunately, political problems get between the problem and the solution. Things aren't helped when it takes me a half hour to alert the bank and/or police of a currently active fraudulent site...

[1] Yes, I know this is an invalid IP address. You're missing the point.