Slashdot Mirror


Phishing Site Using Valid SSL Certificates

UnderAttack writes to tell us the Washington Post SecurityFix blog has an interesting article about a new and rather sophisticated phishing scheme. The email not only used the first few digits of the user's card number to look more plausible (even though the first part of the number is the same for all cards), but it also used a valid SSL certificate for its domain name.

7 of 368 comments

  1. better link for this story by UnderAttack · · Score: 5, Informative

    A better link, with more screenshots:

    Phollow the Phlopping Phish

    --
    ---- join dshield.org Distributed Intrusion Detec
  2. SSL Certs by thomble · · Score: 5, Informative
    Most people don't understand the function of SSL certificates, nor do they understand how EASY and INEXPENSIVE it is to get one from a reputable company.

    1. Register the domain JFBVB.COM
    2. On your own DNS servers create a record for EBAY.JFBVB.COM
    3. Purchase a legit SSL certificate from RapidSSL on that domain for $69
    4. Create your phishing site
    5. (Illegally) profit!

    Many people think that an SSL certificate somehow guarantees a trustful vendor. On the contrary, it simply guarantees that no one will view the information en route. The vendor can do whatever he wants with the information you send.

  3. Re:Revoke SSL cert? by afidel · · Score: 4, Informative

    Actually all you have to do is go into Tools, Internet Options, Advanced, and under Security select "Check for server certificate revocation", which tells IE to check the publisher's OCSP responder before accepting a certificate (Tools, Options, Advanced, Security, Verification under Firefox). I'm not sure why, other than speed, these options aren't enabled by default, but you are right that better controls on certificate issuance would be nice.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  4. Re:Sophisticated Phishing by kampit · · Score: 5, Informative

    Easiest thing to do is just not to trust any email you receive that deals with important matters such as a bank account. Say you do your online banking with YourBank and receive an email that claims to be from them; if you can't immediately tell it's fake, just go to your browser and manually type in the URL for the bank (or use a bookmark). If there's no notification of whatever problem is described in the email, it's definitely fake.

  5. Re:So, your point is? by rekoil · · Score: 4, Informative

    I say that because this is the first incident ever being reported where an SSL cert was obtained illegitimately.

    Um, no.

  6. Firefox does by Weaselmancer · · Score: 4, Informative
    --
    Weaselmancer
    ridiculous.
  7. Re:Clues for phishers from Geotrust by massysett · · Score: 4, Informative

    Good point on the bank. Even worse about Amazon is the way the URL instantly changes anytime you type in www.amazon.com. It appends a bunch of random-looking letters and numbers to the end. "Average user" then concludes that any URL with "amazon" and a bunch of random letters at the end is a legitimate Amazon page.
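Comments 2 and 7 make the same point from two sides: a certificate only proves that the name in the address bar matches the name the CA issued for, and a brand word appearing somewhere in a hostname or path says nothing about who owns the site. The script below is an added example, not code from the Slashdot thread or from the Washington Post article; it implements RFC 6125-style hostname matching against a certificate's Subject Alternative Names, extracts the registrable domain (the part a registrar actually sold), and flags URLs where the padlock would light up even though the brand named in the URL does not own the domain. The certificate names, URLs, brand table and the tiny public-suffix stand-in are all constructed for illustration.

```python
"""What a valid certificate does and does not prove.

Given the DNS names in a certificate's Subject Alternative Name extension and
the URL a victim sees, report (1) whether the browser padlock would light up,
i.e. the hostname matches one of the certificate's names, and (2) which
registrable domain the victim is really talking to.  Constructed example
data throughout; the public-suffix table is a stand-in for the real Public
Suffix List and only covers a few cases.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: suffixes under which
# registrations happen one label deeper than the TLD.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed brand -> legitimate registrable domain table.
BRAND_DOMAINS = {"ebay": "ebay.com", "amazon": "amazon.com", "paypal": "paypal.com"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host: the part a registrar actually sold."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def san_matches_host(san: str, host: str) -> bool:
    """RFC 6125-style DNS-ID matching: exact match, or a single '*' that is
    the entire left-most label and matches exactly one host label."""
    san, host = san.lower(), host.lower()
    if "*" not in san:
        return san == host
    san_labels, host_labels = san.split("."), host.split(".")
    if san_labels[0] != "*" or len(san_labels) != len(host_labels):
        return False
    return san_labels[1:] == host_labels[1:]


def padlock_check(sans, url):
    """Describe what the padlock proves for url, given the cert's SAN list."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # The padlock means: https, and the hostname matches a certificate name.
    padlock = parts.scheme == "https" and any(san_matches_host(s, host) for s in sans)
    reg = registrable_domain(host)
    # Brand words anywhere in the hostname or path are irrelevant to identity;
    # only the registrable domain tells you who holds the private key.
    brands_mentioned = [b for b in BRAND_DOMAINS if b in url.lower()]
    owner_is_brand = [b for b, d in BRAND_DOMAINS.items() if d == reg]
    return {
        "host": host,
        "padlock": padlock,
        "registrable_domain": reg,
        "brands_mentioned": brands_mentioned,
        # Padlock on, brand named, but the brand does not own the domain.
        "lookalike": padlock and bool(brands_mentioned) and not owner_is_brand,
    }


if __name__ == "__main__":
    cases = [
        # Comment 2's recipe: a cheap, perfectly valid cert for a subdomain.
        (["ebay.jfbvb.com"], "https://ebay.jfbvb.com/signin?ret=home"),
        # Comment 7's observation: legitimate Amazon URL with opaque path junk.
        (["www.amazon.com", "amazon.com"],
         "https://www.amazon.com/gp/product/B000ABCD12/ref=sr_1_1"),
        # Wildcard cert covers one label, so the padlock still lights up.
        (["*.jfbvb.com"], "https://amazon.jfbvb.com/ap/signin/ref=nav_ya"),
    ]
    for sans, url in cases:
        print(padlock_check(sans, url))
```

The `lookalike` flag is the practitioner's takeaway from comment 2: every input in the first and third cases is "valid" as far as TLS is concerned, and the only signal left is the registrable domain. Real code should use the full Public Suffix List rather than the three-entry stand-in here, since registrable-domain extraction is exactly where a lookalike check fails if the suffix table is wrong.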