Slashdot Mirror


Phishing Site Using Valid SSL Certificates

UnderAttack writes to tell us the Washington Post SecurityFix blog has an interesting article about a new and rather sophisticated phishing scheme. The email not only used the first few digits of the user's card number to look more plausible (even though the first part of the number is the same for all cards), but it also used a valid SSL certificate for its domain name.

6 of 368 comments

  1. In other news - Stupid People Still Stupid by Anonymous Coward · Score: 4, Funny

    If you get scammed on the intarweb, your intarweb license should be revoked.

  2. Clues for phishers from Geotrust by 14erCleaner · Score: 3, Funny

    From TFA:

    > Geotrust has a rigorous process in place to check for phishy certificate requests that relies on algorithms which check cert requests for certain words, misspellings or phrases that may indicate a phisher is involved. In this case, she said, the technology did not flag the request because there was nothing in the Internet address to indicate the site was at all related to a financial institution.

    If they rely on misspellings, they'll only catch the dumb phishers. They're generally the ones that don't catch a lot of people anyway, or at least not anybody who doesn't deserve to be scammed.

    --
    Have you read my blog lately?
  3. Geez... by razzamatazm · Score: 4, Funny

    Soon all the good ideas will be taken and I'll be stuck selling penis pills again. Ugh...

  4. Just call up and ask for the (finger|thumb)print! by Goyuix · Score: 3, Funny

    You have never truly had fun with the support staff at your bank/credit union/credit card/whatever until you have called and asked them to verify the thumbprint/fingerprint of their SSL cert for you.

    Unfortunately, it looks like Geotrust lost this round, and it probably would be considered good practice to actually do that from time to time. For the truly paranoid, remove all root certificates, and only after verifying the thumbprint proceed to install that cert into your cache. No more trust hierarchy.
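    The out-of-band check described in this comment, as an added Python example that is not from the original thread: it computes a certificate's fingerprint the way a browser's certificate viewer shows it and compares it with the value read out by the bank, tolerating case and separator differences. The PEM body is a constructed placeholder (not a real certificate), and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a PEM certificate: the body is arbitrary base64 bytes,
# not a real certificate, so the example runs offline. In practice you would paste
# the PEM taken from the browser's certificate viewer or from `openssl s_client`.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBCgKCAQEA7mCq5N1W8uRm8q6rK3z1o6ZbGhQeu9gz2t0nZl3cJ1fJq2v1tZc0
-----END CERTIFICATE-----
"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body (the DER bytes a fingerprint covers)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(pem: str, algo: str = "sha256") -> str:
    """Fingerprint as browsers display it: hex digest of the DER, colon-separated, upper-case."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Accept a fingerprint however it was read out or pasted: any case, colons, spaces or none."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def matches_pinned(pem: str, pinned: str, algo: str = "sha256") -> bool:
    """True only if the certificate's fingerprint equals the one obtained out of band."""
    got = normalise(fingerprint(pem, algo))
    want = normalise(pinned)
    if len(want) != hashlib.new(algo).digest_size * 2:
        return False  # wrong length: mistyped, or read out with a different hash algorithm
    # Constant-time comparison so the check itself leaks nothing about the expected value.
    return hmac.compare_digest(got, want)
```

    A mismatch means the certificate in front of you is not the one the bank vouched for, regardless of which CA signed it.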

  5. Nice try, but I can tell you're trolling by rsilvergun · Score: 5, Funny

    you spelled 'intarweb' right both times.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  6. Re:That's why I don't click html links... by 93 Escort Wagon · Score: 3, Funny

    "...users are capable of doing it if they weren't ignorant. 10 years ago when GUI mail readers barely existed... Windows is to blame for dumbing down our computer users to the point of being completely incompetent when it comes to dealing with a non-clicky-clicky interface."

    Congratulations! You've earned extra Slashdot Coolness Points for 1) slamming Windows; 2) insulting the average user; and 3) being blissfully unaware that most normal people actually prefer a GUI interface!

    --
    #DeleteChrome