Slashdot Mirror
Phishing Site Using Valid SSL Certificates
UnderAttack writes to tell us the Washington Post SecurityFix blog has an interesting article about a new and rather sophisticated phishing scheme. The email not only used the first few digits of the users card number to look more plausible (even though the first part of the number is the same for all cards), but it also used a valid SSL certificate for its domain name."
Seriously. I remember in the early 90s, tv ads for banks that ended with "...and remember, our staff will never ask for your credit card number over the phone." I think people *eventually* got the message on that one. How long will it take online? Remember, unsolicited email that links to a website ready to take your credit card number is bullshit, mom.
Did people honestly think that their techniques were going to get worse rather than better?
Ryan - http://www.thecosmotron.com/
Proving once again the relative lack of worth of requiring SSL certificates to be signed. All it does is make a few companies rich.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
...and also why I hate html email and use pine as my mail client. Unfortunately, most people don't know enough to not click html links sent to their email account. As a result, this is especially worrisome because it looks legit.
These phishers are getting more and more sophisticated, but it's only a matter of time before they're caught. To get more sophisticated requires better services and equipment, which requires the phishers to either:
a) Give out their true information - name, address, etc, making for easier law enforcement tracking
b) Give out flase information - which may buy them some time, but will only cause the bite taken out of their ass by law enforcement to be that much bigger.
Even still, Valid SSL certificates and whatnot don't mean shit against a true savvy user who knows better. Any user who actually reads the warnings by their banks/credit card companies/etc will know that said companies will never send emails asking for credit card information.
Frink: Nice try floyd, but you were designed for scrubbing, and scrubbing is what you shall do.
Beyond the cert saying the business was in Salt Lake City Utah, I don't really see how there was some big confidence broken here. The SSL cert was issued for "www.mountain-america.net". The bank in question is "www.mtnamerica.org". Whoever thinks that a signed SSL certificate is supposed to verify anything other than the person/entity asking for the cert is the same person who owns the domain is assuming waaaay to much.
In essense signed certs are only supposed to protect from a man-in-the-middle attack, not someone being fooled into going to a similarly named website. Why shouldn't I be able to get a signed cert for mountain-america.net if I own it? There's plenty of similarly named legit businesses that all have certs issued to them.
AccountKiller
the ssl cert companies don't verify who you are, just who you say you are
they're in it for the buck. why would they go that extra mile when it just cuts into their bottom line?
vodka, straight up, thank you!
You know, if that SSL certificate traces back to a valid human, then you can arrest him/her for phishing and they've provided all your evidence for you.
It's like leaving your digitally signed confession at the scene of the crime. No CSI team needed. Only the crooks know the corresponding private key.
If you can't trace that certificate it back to a valid human, than the CA needs to be beaten with a large stick.
...or maybe not.
A revoked cert isn't the solution, the solution is fixing the process by which people can get SSL certificates in the first place. There need to be more checks and balances. The current process is essentially; give us your money please, ok here's your certificate.. Enjoy!
For some of the bargain basement certificate authorities this may be true however for the better known companies (Thawte and Verisign for instance) the opposite is sometimes true.
I work for an ecommerce company and the number of hoops we have to jump through to get some SSL certificate issued is ridiculous. Sometimes in a CA's quest to ensure the legitimacy of an order they go overboard.
Case in point: we enrolled for an SSL certificate using an organization name of xxx DBA yyy. That order (and several others like it) were accepted without problem. A few orders later the same certificate authority was telling us we can't enroll with a DBA in the organization name.
I've can give you lots of other examples but suffice it to say more policies are not always the answer.
A better solution to this problem may be web browsers that support OCSP (online certificate status protocol) - which checks the certificate status in real time.
You mean people would never give out credit card numbers, when asked over the phone? I think you place too much faith in humanity.
Most people would agree it's stupid, and fewer people will behave stupid after an education campaign (or after being bitten in the ass). Scam artists may not bother anymore with a certain method. But not because it wouldn't work; but because they've moved onto easier methods, methods that (these days) give them more return for their effort.
For the same reason, e-mails with attachments like "Anna Kournikova.jpg.pif" will keep getting clicked on. You may think it's silly, but there's a new sucker born every day.My question is: Did these dogs give equifax enough information for the cops to have some hope of tracking them down? I'm guessing that at least some of this information is faked, but if there's nothing here that the cops can use, then the identity information in SSL certificates is less than worthless.
Free Software: Like love, it grows best when given away.
They're generally the ones that don't catch a lot of people anyway, or at least not anybody who doesn't deserve to be scammed.
You know, I hate hearing that anybody deserves the financial ruin that results from falling for one of these scams.
Remember, the more that geeks put on the "you're stupid so you deserve what you get" attitude, the fewer folks who are less-computer-savvy will buy computers for fear of being taken for a ride (and knowing no one will help them.)
This, in turn, results in less money floating around in the tech sector, which, in turn, results in less money being invested to develop convieniences upon which we have come to rely - such as online banking.
Which, of course, results in less money in the pocket of the geeks that were so callous to begin with. Remember - we NEED the end user just as much as the end user needs us.
I hope the land around you yields, a crop like all the other fields, and then your waiting might make sense...
Take Commerce Bank. They have CommerceOnline.com for their main domain and CommerceOnlineBanking.com for their online banking. But why not CommerceBankHome.com as GoDaddy suggest? Or CommerceBanking.com? Or CommerceBankingOnline.com?
Unfortunately their domain names are a soup of common names and it's impossible to remember. With common names, a small alteration of the site and that's all you need to confuse some folks.
The best phishing URL I've ever seen was one that was www.amazon.com.exec-obidos.com. If anyone remembers, previously Amazon URLs always had an exec-obidos in their path when the link lead to a product. Even I had to blink a few times before I realized it was a phishing scam. (All the links went to a working Amazon section).
Small potatoes make the steak look bigger.
SSL certs are great for end-to-end encryption. They are not good for authentication, because people don't usually check on the certificate - however, here even a check wouldn't have done any good. I only buy SSL certs because people don't like the extra confirmation dialogue that comes with self-signed ones.
See also this ISC piece.
"It doesn't cost enough, and it makes too much sense."
They have your phone number.
They have your address.
They can send you a letter, they can call your phone. And their phishing rate would drop to almost zero.
But if they do that, then a whole bunch of certs immediately become untrusted, because those certs only have one signature: Equifax.
OpenPGP is better. In a world ruled by OpenPGP instead of X.509, people would go into their databases and set their "how much I trust Equifax" to a lower setting. Then if someone's identity was only certified by Equifax, they'd start to look iffy, but if someone has been certified by many CAs (in addition to Equifax), they'd still look ok.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
IE used to have a bug where they would check the revocation list for every domain except microsoft.com. Worked well until someone walked into VeriSign's office one day impersonating Microsoft and walked out with several signed certs for microsoft.com. Hee hee. I don't know when MS fixed this, but as I recall they weren't in a big hurry to issue a patch.
Basicly, the email addresses attatched to these phishing scams are one of 3 things:
1.An address comming from a domain name owned by target (i.e. bank etc)
2.An address comming from a domain name that looks like its owned by the target (e.g. www.paypalsupport.com)
or 3.Something totally unrelated to the bank
If everyone (both the pishing targets and the email providers) implemented GOOD SPF record checking, it should stop point 1
Point 2 can be stopped by enforcing the trademark and forcing the domain name to be handed over to the trademark owner (who can then enforce SPF on it)
It wont stop all phishing scams (i.e. those that come from or something like that) but it will certainly help.
Unfortunatly, even the biggest phishing targets like amazon, ebay, paypal etc dont implement proper SPF records that say "These machines are the only machines to send email for this domain" (they implement a default "permit all" and not a default "deny all" unfortunatly)
Also, banks need to actually implement better security, if banks had decent security, phishing would be useless.
Here is a security model that would be very difficult for a phisher to defeat:
You open the webpage of your bank and go to the login page. The banks computers then calculate a random number and store it along with the IP address that made the request. The login webpage displays a box for the username, a box for the password and another box for a hash. You enter the random number the bank computer generated into a little calculator like device that contains another random number generated by the bank and stored in the banks computers as well as the device. Then, the device uses a hash algorithim (one designed so that there is no value of that will result in an output value of or that if one exists, it is different for each value of ) to combine the login page number and the stored number.
The result is entered into the login page along with the username and password.
The bank then pulls the secret device number from its database and checks that the hash matches. Also, if the IP address of the machine making the requests to the banks webpages doesnt match with the IP stored alongside the session ID, it will assume its fake and terminate.
Now, when you want to transfer money to someone not on your "approved payee" list or add someone to your "approved payee" list, you get another random hash which you have to enter into the little calculator. To prevent the phisher from simply tricking you into typing this second hash in (i.e. transfering all your money to them instead of transfering the amount you wanted to transfer to who you wanted to transfer it to), you would have to enter the amount being transfered into the calculator device too with it being used as part of the hash.
Anyone who is dumb enough to press "Funds Transfer" then then doesnt deserve to be using a computer, much less the internet.
A big education campaign by the banks would help too For example, include a phamphlet with the next bank statement or other junk mail that gives a clear warning about phishing scams and to never ever trust any email pretending to be from the bank no matter what. Also it would tell you to change your password or contact your bank if you think you have been hacked or phished.
If the phamphlet said in big bold letters something like "Warning: Your money could be at risk from hackers, read this to find out how to prevent it" and was sent out to every bank customer (or every bank customer with online banking enabled on their account), people would probobly read it.
Let's quote what Geotrust says about relying on certificates:
GeoTrust's solution is that the browser should display ...
"The name and logo of the CA who issued the certificate. Consumers will soon learn from news reports which CAs to trust and which CAs use sloppy procedures and should not be trusted."
We should take Geotrust at their word. Now that we're certain that their procedures are sloppy and they can't be trusted, their certs should be pulled from all browers. New releases of Firefox should not contain root certs for Geotrust. They had their chance, and they blew it.
Well, yeah, why wouldn't you assume that? In fact, there's no need to examine it to try to prove otherwise, just go to your online banking site (which, it doesn't take a genius to bookmark when you sign up for it), if the bank wanted to tell you something, you'll be notified there too.
What, are you saying I should also assume that the letters I get telling me I won 10 million dollars are not real either?
sic transit gloria mundi
We can argue all night about the level of security afforded by an SSL certificate. I think most people don't have a clue about http vs. https and just follow the links where ever they go. If the artwork looks good, the "rap" sounds good and offers something they would want, they just "give it up" without worrying about the little lock icon. If the phisher is good enough, they won't give it a second thought, even after being fished (e.g. "congratulations you have been enrolled in Verfied by Visa").
The solution to the whole phishing thing should be obvious to us in the technology world. Remember mutual authentication. Yes it still works. Bank of America let's you choose a 'picture' that they promise to always show you before you give up your password. The solution is marginal at present because you only know about it if you use their online services to start with. A serious mutual authentication scheme would involve printing every statement with this picture and drilling into peoples minds that - no picture, no password. It requires a serious PR campaign.
Right now I have no sympathy for the banks who get ripped off (mtnamerica.org - give me a break). I do have sympathy for the innocent people who fall victim to this and for the shareholders of banks who have to put up with the slow uptake on solutions to this problem.
OK. I get off soapbox now.
Cheers.
I think part of the problem is the push to pretend the internet is safe and perfect. Since when has anything in our world been safe for the ignorant? The reality of computers and the internet needs to be common knowledge that you can get into trouble, especially if you don't know what you're doing. If I jumped in a car and put the petal to the floor and wrecked would it be pontiac's fault or the department of transportation that a flawless safety net wasn't put in place? I'm not saying its ignorant computer users fault if they get scammed, but the bullshit promises that you can give out your bank account number over the internet without worry. I don't care how computer savvy you are, we've all had a moment where we were momentarily tricked, imagine somebody that has no idea. I mean remember, those AOL security commercials claim they have single handedly foiled hackers, spam, etc. Computer technology is too wild to pretend the good guys are always in control, lets be honest and admit if you connect to the internet you are taking a risk.