Slashdot Mirror

← Back to Stories (view on slashdot.org)

Phishing Site Using Valid SSL Certificates

Posted by ScuttleMonkey on from the new-phace-of-phishing dept.

UnderAttack writes to tell us the Washington Post SecurityFix blog has an interesting article about a new and rather sophisticated phishing scheme. The email not only used the first few digits of the users card number to look more plausible (even though the first part of the number is the same for all cards), but it also used a valid SSL certificate for its domain name."

3 of 368 comments (clear)

  1. better link for this storey by UnderAttack · · Score: 5, Informative

    A better link, with more screenshots:

    Phollow the Phlopping Phish

    --
    ---- join dshield.org Distributed Intrusion Detec
  2. SSL Certs by thomble · · Score: 5, Informative
    Most people don't understand the function of SSL certificates, nor do they understand how EASY and INEXPENSIVE it is to get one from a reputable company.

    1. Register the domain JFBVB.COM
    2. On your own DNS servers create a record for EBAY.JFBVB.COM
    3. Purchase a legit SSL certificate from RapidSSL on that domain for $69
    4. Create your phishing site
    5. (Illegally) profit!

    Many people think that an SSL certificate somehow guarantees a trustful vendor. On the contrary, it simply guarantees that no one will view the information en route. The vendor can do whatever he wants with the information you send.

  3. Re:Sophisticated Phishing by kampit · · Score: 5, Informative

    Easiest thing to do is just not to trust any email you receive that deals with important matters such as a bank account, say you do your online banking with YourBank and receive an email that claims to be from them, if you can't immediately tell it's fake.. just go to your browser and manually type in the url for the bank (or use a bookmark), if there's no notification of whatever problem is described in the email, it's definitely fake.