Phishing Site Using Valid SSL Certificates
UnderAttack writes to tell us the Washington Post SecurityFix blog has an interesting article about a new and rather sophisticated phishing scheme. The email not only used the first few digits of the user's card number to look more plausible (even though the first part of the number is the same for all cards), but it also used a valid SSL certificate for its domain name.
A better link, with more screenshots:
Phollow the Phlopping Phish
1. Register the domain JFBVB.COM
2. On your own DNS servers create a record for EBAY.JFBVB.COM
3. Purchase a legit SSL certificate from RapidSSL on that domain for $69
4. Create your phishing site
5. (Illegally) profit!
Many people think that an SSL certificate somehow guarantees a trustful vendor. On the contrary, it simply guarantees that no one will view the information en route. The vendor can do whatever he wants with the information you send.
Actually all you have to do is go into Tools, Internet Options, Advanced, and under Security select Check for server certificate revocation, which tells IE to check the OCSP of the publisher before accepting a certificate (Tools, Options, Advanced, Security, Verification under Firefox). I'm not sure why, other than speed, these options aren't enabled by default, but you are right that better controls on certificate issuance would be nice.
The problem with that is, in order for the revocation to take effect the user needs to download the root certs update which will be provided by their browser vendor.
Err...sort of. The user would need a root update if the SSL vendor's root isn't already contained in the user's browser cache. If they didn't have the correct root, then the "valid" SSL cert would appear invalid to the browser because the cert couldn't be traced back down the chain.
To check for certificate revocation, you have to have your browser set to do so. The latest build of IE6 doesn't have this enabled by default for the target server (although it does have publisher revocation checking enabled by default). Not sure about Firefox. Both Firefox and Windows (though not via IE) provide the ability to upload certificate revocation lists locally.
Easiest thing to do is just not to trust any email you receive that deals with important matters such as a bank account. Say you do your online banking with YourBank and receive an email that claims to be from them; if you can't immediately tell it's fake, just go to your browser and manually type in the URL for the bank (or use a bookmark). If there's no notification of whatever problem is described in the email, it's definitely fake.
I say that because this is the first incident ever being reported where an SSL cert was obtained illegitimately.
Um, no.
SSL doesn't prevent phishing. A signed SSL cert from a trusted Certificate Authority only assures the user that the information passing between the user and the domain is encrypted. SSL can't tell you if a site is "real" or not.
One can at least mitigate the money issue. http://cacert.org/ is an alternate "open" root cert authority. They're working hard to gain the acceptance of the likes of Verisign. I've had conversations with a few of them, and it's arguable that their verification procedures are _more_ rigorous than those conducted by the CAs that are charging high prices.
Never mind the fact that if no one is buying certs, there's no financial pressure to cause them to make any compromises for those willing to pay the right price.
- Open the preferences and go to "Advanced".
- Then click on "Security".
- Push the certificates button and then choose the "authorities" tab.
- Find equifax.
- Select all those entries.
- Push "edit", uncheck the checkboxes for each certificate.
Done, you no longer trust these folks.
The problem is that they're having a hard time even getting Mozilla to trust them. There's a Bugzilla entry with about 500 CCs listed, all of whom are waiting patiently for the root cert to be installed...
Ridiculous.
Good point on the bank. Even worse about Amazon is the way the URL instantly changes anytime you type in www.amazon.com. It appends a bunch of random-looking letters and numbers to the end. "Average user" then concludes that any URL with "amazon" and a bunch of random letters at the end is a legitimate Amazon page.
This is why everyone should install the Netcraft Anti-Phishing Toolbar...unless they really know what they are doing (read IT professional)...
All of your users/customers should have this installed...besides rating the risk of the site based on previous reports, it would also have shown how long the site was registered...which even on this phishing site was probably a matter of days...as a matter of fact, I can see this as a good feature to include within Firefox...whenever you view the SSL certificate, show the domain registration info...
Looking at some of the domain registration info, it's obvious that including the DNS Admin, Organization, and Nameserver Organization, you would have easily identified a fake...
Even better yet, why not have a certification process for banks and such that could opt to have their ISP verify their identity...then when you visit their SSL site, your browser could display the verification info beside the "security lock"...
Of course, if you want to change the way the "Security Lock" works in browsers, in the US you could set something up with the FDIC that would use a DNS lookup similar to the way DNS Block Lists operate...only this one would tell you if the site was a valid banking site...I guess the "Lock" could change to a "$" or something if it was verified as a banking site...web sites could simply request the check in some way (HTTP header or something)...the header value could represent the type of site (US Banking Site...check with FDIC...)
SSL certs are not sold for domain names, just host names. They only work for ONE host. You can't buy an SSL cert for *.JFBVB.COM and set up EBAY.JFBVB.COM later. You can only buy a cert for one host, say WWW.JFBVB.COM.
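As an added illustration of the point several comments make (the certificate and the lock only vouch for the host name, so EBAY.JFBVB.COM belongs to whoever registered JFBVB.COM, and a user or toolbar has to look at the registered domain instead), here is a small Python checker. It is not code from the thread or from any linked article; the brand table, the short public-suffix table and the sample URLs are constructed for the example.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed, deliberately tiny table of multi-label public suffixes.
# Assumption: a real checker would load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the part of a host name that its owner actually registered.

    Anyone who registers JFBVB.COM can create EBAY.JFBVB.COM in DNS and buy
    a certificate for it, so only the registrable domain says who owns it.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_in_wrong_domain(url: str, brands: Dict[str, Set[str]]) -> Optional[str]:
    """Flag a URL whose host mentions a brand but is not registered to it.

    brands maps a brand keyword to the registrable domains that brand owns.
    Returns the brand name when the URL looks like a spoof, otherwise None.
    """
    host = (urlsplit(url).hostname or "").lower()
    owner = registrable_domain(host)
    for brand, owned in brands.items():
        if brand in host and owner not in owned:
            return brand
    return None


# Constructed brand table (hypothetical; a deployment would maintain its own).
BRANDS = {"ebay": {"ebay.com", "ebay.co.uk"}, "amazon": {"amazon.com"}}

# Constructed sample URLs; the first mirrors the host name named in the thread.
SAMPLE_URLS = [
    "https://EBAY.JFBVB.COM/signin",
    "https://signin.ebay.com/ws/eBayISAPI.dll",
    "https://www.amazon.com/exec/obidos/ASIN/0000000000/ref=abc123",
    "http://www.ebay.com.secure-login.example/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", brand_in_wrong_domain(u, BRANDS) or "ok")
```

The Amazon URL with its random-looking tail is reported as fine because the registrable domain is still amazon.com; the two spoofs are caught by the same rule regardless of any certificate they present.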