Slashdot Mirror


Phishing Site Using Valid SSL Certificates

UnderAttack writes to tell us the Washington Post SecurityFix blog has an interesting article about a new and rather sophisticated phishing scheme. The email not only used the first few digits of the user's card number to look more plausible (even though the first part of the number is the same for all cards), but it also used a valid SSL certificate for its domain name.

11 of 368 comments

  1. In other news - Stupid People Still Stupid by Anonymous Coward · · Score: 4, Funny

    If you get scammed on the intarweb, your intarweb license should be revoked.

  2. Clues for phishers from Geotrust by 14erCleaner · · Score: 3, Funny
    From TFA: "Geotrust has a rigorous process in place to check for phishy certificate requests that relies on algorithms which check cert requests for certain words, misspellings or phrases that may indicate a phisher is involved. In this case, she said, the technology did not flag the request because there was nothing in the Internet address to indicate the site was at all related to a financial institution."

    If they rely on misspellings, they'll only catch the dumb phishers. They're generally the ones that don't catch a lot of people anyway, or at least not anybody who doesn't deserve to be scammed.

    --
    Have you read my blog lately?
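
    The kind of screen the quoted article describes, as an added example that is not Geotrust's code nor anything from the article: a request is flagged when a label of the domain contains a financial keyword, contains a known brand, or is within a couple of edits of one. The keyword list, brand list and all sample domains are constructed for illustration. Run against the article's case (a domain with no financial hint at all), it returns no indicators, which is exactly the gap the comment points at.

```python
"""Keyword / misspelling screen for certificate requests (added example)."""

# Constructed watch lists; a real CA would maintain far larger ones.
FINANCIAL_KEYWORDS = ("bank", "secure", "login", "account", "verify", "card")
KNOWN_BRANDS = ("paypal", "citibank", "chase", "wellsfargo")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def labels_without_tld(domain: str) -> list:
    """Split a hostname into labels, drop the TLD, keep letters only.

    'secure-paypa1.example.com' -> ['securepaypa', 'example']
    Digits and hyphens are stripped so 'paypa1' and 'pay-pal' still
    compare against the brand list.
    """
    labels = domain.lower().strip(".").split(".")[:-1]
    return ["".join(ch for ch in lab if ch.isalpha()) for lab in labels]


def brand_distance(label: str, brand: str) -> int:
    """Smallest edit distance between the brand and any brand-sized window
    of the label, so a brand buried in a longer label is still found."""
    n = len(brand)
    windows = [label[i:i + n] for i in range(max(1, len(label) - n + 1))]
    return min(levenshtein(w, brand) for w in windows)


def phishy_indicators(domain: str, max_distance: int = 2) -> list:
    """Return the reasons a requested domain looks like a financial phish,
    or an empty list when nothing in the name hints at one."""
    reasons = []
    for label in labels_without_tld(domain):
        if not label:
            continue
        for kw in FINANCIAL_KEYWORDS:
            if kw in label:
                reasons.append(f"keyword {kw!r} in label {label!r}")
        for brand in KNOWN_BRANDS:
            d = brand_distance(label, brand)
            if d == 0:
                reasons.append(f"brand {brand!r} in label {label!r}")
            elif d <= max_distance:
                reasons.append(f"label {label!r} is {d} edit(s) from {brand!r}")
    return reasons


def would_be_flagged(domain: str) -> bool:
    return bool(phishy_indicators(domain))


if __name__ == "__main__":
    # Constructed sample requests: two obvious phishes and one with no hint.
    for dom in ("secure-paypa1.example.com", "chasebank.example",
                "mytrustedsite.example"):
        print(dom, "->", phishy_indicators(dom) or "no indicators")
```

    The limitation is structural, not a tuning problem: a filter keyed on words and near-misses can only react to names that mention the target, so a brand-free domain sails through no matter how good the word list is.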
  3. Geez... by razzamatazm · · Score: 4, Funny

    Soon all the good ideas will be taken and I'll be stuck selling penis pills again. Ugh...

  4. Re:That's why I don't click html links... by Anonymous Coward · · Score: 1, Funny

    ...and also why I hate html email and use pine as my mail client.

    A fellow pine user! I think that makes 25 of us!

  5. Just call up and ask for the (finger|thumb)print! by Goyuix · · Score: 3, Funny

    You have never truly had fun with the support staff at your bank/credit union/credit card/whatever until you have called and asked them to verify the thumbprint/fingerprint of their SSL cert for you.

    Unfortunately, it looks like Geotrust lost this round, and it probably would be considered good practice to actually do that from time to time. For the truly paranoid, remove all root certificates, and only after verifying the thumbprint proceed to install that cert into your cache. No more trust hierarchy.
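
    The check the comment above describes, as an added example that is code from neither the commenter nor the article: get the fingerprint out of band (the thumbprint the bank reads to you on the phone), then compare it against the certificate the server actually presents, using only the Python standard library. The PEM block embedded below is a constructed placeholder whose payload is arbitrary bytes, not a real certificate; it only exercises the parsing and comparison path, and the network helper at the end is what you would point at the real host.

```python
"""Pin a server certificate by fingerprint instead of trusting the CA
hierarchy (added example, standard library only)."""

import base64
import hashlib
import hmac
import ssl

# Constructed placeholder: arbitrary bytes wrapped as PEM so the helpers
# below have something to chew on. It is NOT a real certificate and will
# not load into an SSLContext.
_FAKE_DER = b"constructed placeholder, not a real certificate " + bytes(range(64))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(_FAKE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or 'abcd..' (as read out over the phone
    or copied from a browser dialog) and return plain lowercase hex."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def fingerprint_from_pem(pem: str, algorithm: str = "sha256") -> str:
    """Hash of the DER encoding, which is what browsers show as the
    certificate fingerprint / thumbprint."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.new(algorithm, der).hexdigest()


def pin_matches(pem: str, expected: str, algorithm: str = "sha256") -> bool:
    """Constant-time comparison of the presented cert against the pinned value."""
    actual = fingerprint_from_pem(pem, algorithm)
    return hmac.compare_digest(actual, normalize_fingerprint(expected))


def fetch_leaf_pem(host: str, port: int = 443) -> str:
    """Network: return the certificate the server presents, unverified.
    Verification is deliberately left to pin_matches()."""
    return ssl.get_server_certificate((host, port))


def pinned_context(pem: str) -> ssl.SSLContext:
    """A client context that trusts ONLY this certificate: no system roots
    are loaded, so 'no more trust hierarchy' as the comment puts it.
    Needs a real certificate, not SAMPLE_PEM."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cadata=pem)
    return ctx


if __name__ == "__main__":
    # Offline demo on the constructed placeholder; swap in fetch_leaf_pem(host)
    # and the fingerprint you obtained out of band for a real check.
    pinned = fingerprint_from_pem(SAMPLE_PEM)
    print("sha256:", pinned)
    print("matches itself:", pin_matches(SAMPLE_PEM, pinned))
    print("matches bogus pin:", pin_matches(SAMPLE_PEM, "00" * 32))
```

    Pinning the leaf this way means the pin has to be refreshed every time the site rotates its certificate, so in practice people pin the issuing or root certificate instead and accept that the hierarchy is back in the picture for everything below it.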

  6. Gotta hand it to these guys by Douglas+Simmons · · Score: 2, Funny
    I am very impressed that in spite of all the money there is to be made and all the money that gets lost as a result of loose security, and all the time that has passed for people to cash in on this huge demand for iron clad software, that the AOHellers out there keep coming up with ways to steal cards by getting around new deterrents. I mean, great security is something credit card companies and online services have been marketing themselves upon, spending lots of cash-money for these campaigns... they might as well come through with security a la openbsd.

    To add to this craziness, the culprits behind these accomplishments, in this case certificate hacking of all things, are brilliant enough to get ultra-high paying jobs and hire a nude secretary. With this new age of cyber-terrorism threats, I gotta side with the pro-hacker mantras claiming that they help the world by exposing threats with mostly benign things like pbrushing a hitler mustache on Bush before the real bad guys, the ones who have similar high levels of expertise [though in bombs], figure out the holes. High five, 31337-speakers.

  7. Re:That's why I don't click html links... by Anonymous Coward · · Score: 1, Funny

    Ah, for the days when you could finger someone when she wasn't even in the same room with you! And if you didn't ask first, that was okay -- she wouldn't mind.

    These days, it's all about safe hex. You start talking about fingering, and everyone tells you SSH!

  8. Re:un-possible! by Anonymous Coward · · Score: 0, Funny
    public JavaRulesRubySucksLargeNiggerCocks {
        public static main(String[] args) {
            while (true) {
                System.out.println("Ruby users suck dirty nigger-cocks.\n");
            }
        }
    }
  9. Nice try, but I can tell you're trolling by rsilvergun · · Score: 5, Funny

    you spelled 'intarweb' right both times.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  10. Re:That's why I don't click html links... by 93+Escort+Wagon · · Score: 3, Funny

    "...users are capable of doing it if they weren't ignorant. 10 years ago when GUI mail readers barely existed... Windows is to blame for dumbing down our computer users to the point of being completely incompetent when it comes to dealing with a non-clicky-clicky interface."

    Congratulations! You've earned extra Slashdot Coolness Points for 1) slamming Windows; 2) insulting the average user; and 3) being blissfully unaware that most normal people actually prefer a GUI interface!

    --
    #DeleteChrome
  11. Re:That's why I don't click html links... by heinousjay · · Score: 2, Funny

    Yeah, I don't know where people get off not doing things your way. I can't imagine why people would prefer to use a GUI. The more natural interaction, superior information organization, and overall higher visual appeal can't have anything to do with it. It must be ignorance.

    (in keeping with a prior story, can anyone guess the intended tone of my post?)

    --
    Slashdot - where whining about luck is the new way to make the world you want.