Phishing Site Using Valid SSL Certificates
UnderAttack writes to tell us the Washington Post SecurityFix blog has an interesting article about a new and rather sophisticated phishing scheme. The email not only used the first few digits of the user's card number to look more plausible (even though the first part of the number is the same for all cards), but it also used a valid SSL certificate for its domain name.
A better link, with more screenshots:
Phollow the Phlopping Phish
1. Register the domain JFBVB.COM
2. On your own DNS servers create a record for EBAY.JFBVB.COM
3. Purchase a legit SSL certificate from RapidSSL on that domain for $69
4. Create your phishing site
5. (Illegally) profit!
Many people think that an SSL certificate somehow guarantees a trustful vendor. On the contrary, it simply guarantees that no one will view the information en route. The vendor can do whatever he wants with the information you send.
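The point above, that a valid certificate only binds a key to a hostname and says nothing about who is behind it, is illustrated by this added Python example (not code from the thread). It normalises the host a browser will actually connect to and checks whether that host belongs to the expected organisation's domain; the sample URLs, including the EBAY.JFBVB.COM look-alike from the steps above, are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (not from the original thread). Each is paired with
# the domain the user believes they are visiting.
SAMPLES = {
    "https://ebay.jfbvb.com/signin": "ebay.com",      # look-alike with a valid cert
    "https://www.ebay.com@jfbvb.com/": "ebay.com",     # real host hidden after "@"
    "https://SIGNIN.EBAY.COM.:443/ws/eBayISAPI.dll": "ebay.com",  # odd but genuine
    "https://www.amazon.com/exec/obidos/ASIN/0123456789/ref=xyz_abc": "amazon.com",
}

def hostname_of(url: str) -> str:
    """Return the host the browser will actually connect to, normalised.

    urlsplit().hostname drops any userinfo before "@", the port and the path,
    and lowercases the name; we also strip a trailing root dot.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")

def belongs_to(hostname: str, expected_domain: str) -> bool:
    """True iff hostname is expected_domain or a subdomain of it.

    The "." prefix in the suffix test stops "notebay.com" matching "ebay.com".
    Certificate validity plays no part here: a cert can be perfectly valid for
    ebay.jfbvb.com and still have nothing to do with eBay.
    """
    expected = expected_domain.rstrip(".").lower()
    return hostname == expected or hostname.endswith("." + expected)

def classify(url: str, expected_domain: str) -> str:
    """Label a URL as 'genuine' or 'look-alike' relative to the expected domain."""
    return "genuine" if belongs_to(hostname_of(url), expected_domain) else "look-alike"

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        print(f"{classify(url, expected):10s} {hostname_of(url):22s} {url}")
```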
Actually, all you have to do is go into Tools, Internet Options, Advanced, and under Security select "Check for server certificate revocation", which tells IE to check the OCSP of the publisher before accepting a certificate (Tools, Options, Advanced, Security, Verification under Firefox). I'm not sure why, other than speed, these options aren't enabled by default, but you are right that better controls on certificate issuance would be nice.
The problem with that is, in order for the revocation to take effect, the user needs to download the root certs update which will be provided by their browser vendor.
Err...sort of. The user would need a root update if the SSL vendor's root isn't already contained in the user's browser cache. If they didn't have the correct root, then the "valid" SSL cert would appear invalid to the browser because the cert couldn't be traced back down the chain.
To check for certificate revocation, you have to have your browser set to do so. The latest build of IE6 doesn't have this enabled by default for the target server (although it does have publisher revocation checking enabled by default). Not sure about Firefox. Both Firefox and Windows (though not via IE) provide the ability to upload certificate revocation lists locally.
Easiest thing to do is just not to trust any email you receive that deals with important matters such as a bank account. Say you do your online banking with YourBank and receive an email that claims to be from them, and you can't immediately tell it's fake: just go to your browser and manually type in the URL for the bank (or use a bookmark). If there's no notification of whatever problem is described in the email, it's definitely fake.
I say that because this is the first incident ever being reported where an SSL cert was obtained illegitimately.
Um, no.
One can at least mitigate the money issue. http://cacert.org/ is an alternate "open" root cert authority. They're working hard to gain the acceptance of the likes of VeriSign. I've had conversations with a few of them, and it's arguable that their verification procedures are _more_ rigorous than those conducted by the CAs that are charging high prices.
Never mind the fact that if no one is buying certs, there's no financial pressure to cause them to make any compromises for those willing to pay the right price.
The problem is that they're having a hard time even getting Mozilla to trust them. There's a Bugzilla entry with about 500 CCs listed, all of whom are waiting patiently for the root cert to be installed...
Check here for settings.
Ridiculous.
Good point on the bank. Even worse about Amazon is the way the URL instantly changes anytime you type in www.amazon.com. It appends a bunch of random-looking letters and numbers to the end. "Average user" then concludes that any URL with "amazon" and a bunch of random letters at the end is a legitimate Amazon page.