Slashdot Mirror

← Back to Stories (view on slashdot.org)

Phishing Site Using Valid SSL Certificates

Posted by ScuttleMonkey on from the new-phace-of-phishing dept.

UnderAttack writes to tell us the Washington Post SecurityFix blog has an interesting article about a new and rather sophisticated phishing scheme. The email not only used the first few digits of the users card number to look more plausible (even though the first part of the number is the same for all cards), but it also used a valid SSL certificate for its domain name."

15 of 368 comments (clear)

  1. un-possible! by conJunk · · Score: 4, Insightful
    What? An electronic system that didn't function properly? Color me SHOCKED!!!

    /sarcasm

    Seriously. I remember in the early 90s, tv ads for banks that ended with "...and remember, our staff will never ask for your credit card number over the phone." I think people *eventually* got the message on that one. How long will it take online? Remember, unsolicited email that links to a website ready to take your credit card number is bullshit, mom.

  2. What? by cosmotron · · Score: 5, Insightful

    Did people honestly think that their techniques were going to get worse rather than better?

    --
    Ryan - http://www.thecosmotron.com/
  3. Signed SSL certs worthless by Spazmania · · Score: 4, Insightful

    Proving once again the relative lack of worth of requiring SSL certificates to be signed. All it does is make a few companies rich.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  4. That's why I don't click html links... by the_humeister · · Score: 4, Insightful

    ...and also why I hate html email and use pine as my mail client. Unfortunately, most people don't know enough to not click html links sent to their email account. As a result, this is especially worrisome because it looks legit.

    1. Re:That's why I don't click html links... by Ctrl+Alt+De1337 · · Score: 5, Insightful

      I hate html email and use pine as my mail client

      I hate to break it to you, but the vast majority of computer users would not be willing to use a terminal-based email system. Most are afraid of using terminals period. I'm glad that you found something that works for you and can score you cool points on Slashdot, but I hope you weren't stating that as a recommendation. Links in email aren't necessarily A Bad Thing so rather than do away with them completely, it's better to fight the phishers instead of the links.

  5. Assuming too much for signed SSL certs by Vellmont · · Score: 5, Insightful

    Beyond the cert saying the business was in Salt Lake City Utah, I don't really see how there was some big confidence broken here. The SSL cert was issued for "www.mountain-america.net". The bank in question is "www.mtnamerica.org". Whoever thinks that a signed SSL certificate is supposed to verify anything other than the person/entity asking for the cert is the same person who owns the domain is assuming waaaay to much.

    In essense signed certs are only supposed to protect from a man-in-the-middle attack, not someone being fooled into going to a similarly named website. Why shouldn't I be able to get a signed cert for mountain-america.net if I own it? There's plenty of similarly named legit businesses that all have certs issued to them.

    --
    AccountKiller
    1. Re:Assuming too much for signed SSL certs by iabervon · · Score: 4, Insightful

      Browsers are designed to make people assume that CA-signed SSL certificates actually mean something they care about. The only thing this stops is somebody who manages to take control of a site's DNS or TCP traffic but somehow fails to use this control to get a certificate issued. But browsers treat self-signed certificates as really suspicious and CA-signed certificates as perfectly secure. The user isn't given any useful information, and has to make the decision based on information which, as you say, is not actually relevant. (Actually, CA-signed certificates are less trustworthy in many cases than self-signed ones, because the browser doesn't report that a CA-signed certificate is unfamiliar, while a self-signed one is saved, so it's obvious when it's not the same.)

      What would prevent this sort of scam is if people were told that any certificate your browser doesn't already have saved is suspicious, and shown what can be demonstrated about the certificate. If you have a prior relationship with this site, check that this string: (fingerprint of certificate) appears in the information you received. If not, decide whether you believe one of these organizations (signers of certificate, using PKI, based on certificates which come with the system) to make the operation you are doing today safe. In either case, choose a description of the site, which will be displayed when you return to this site in the future. Ideally, the user would be asked to choose whether they recognize the site before they are told more about the certificate, so they don't just look for a reasonable-looking signer.

      That way, people click the link, get the real certificate for something that isn't their bank, and they notice that the window doesn't say "Secure connection to: My Bank" (if they've done this before), or notice that the fingerprint doesn't match the fingerprint on their bank statement, and then they know that, whoever this is, it's nobody they've got an existing business relationship with, and the claim about an existing account is clearly bogus.

      (Last detail: the certificate with the fingerprint in question should be a self-generated CA certificate, not the actual SSL certificate in use, so the bank can change domain name while keeping the same saved info. The CA cert should be signed by the FDIC and other banking-related organizations, who wouldn't be tempted to possibly sign a sporting-goods store certificate, but that's only at all relevant to people trying to choose a bank online, because the instructions will clearly state that this is not the user's current bank.)

  6. Digitally signed confession... by ave19 · · Score: 4, Insightful

    You know, if that SSL certificate traces back to a valid human, then you can arrest him/her for phishing and they've provided all your evidence for you.

    It's like leaving your digitally signed confession at the scene of the crime. No CSI team needed. Only the crooks know the corresponding private key.

    If you can't trace that certificate it back to a valid human, than the CA needs to be beaten with a large stick.

    --
    ...or maybe not.
  7. It's just a numbers game by Alwin+Henseler · · Score: 5, Insightful
    Seriously. I remember in the early 90s, tv ads for banks that ended with "...and remember, our staff will never ask for your credit card number over the phone." I think people *eventually* got the message on that one. How long will it take online? Remember, unsolicited email that links to a website ready to take your credit card number is bullshit, mom.

    You mean people would never give out credit card numbers, when asked over the phone? I think you place too much faith in humanity.

    Most people would agree it's stupid, and fewer people will behave stupid after an education campaign (or after being bitten in the ass). Scam artists may not bother anymore with a certain method. But not because it wouldn't work; but because they've moved onto easier methods, methods that (these days) give them more return for their effort.

    For the same reason, e-mails with attachments like "Anna Kournikova.jpg.pif" will keep getting clicked on. You may think it's silly, but there's a new sucker born every day.
  8. Tracking these people?? by Stephen+Samuel · · Score: 4, Insightful

    My question is: Did these dogs give equifax enough information for the cops to have some hope of tracking them down? I'm guessing that at least some of this information is faked, but if there's nothing here that the cops can use, then the identity information in SSL certificates is less than worthless.

    --
    Free Software: Like love, it grows best when given away.
  9. Re:Clues for phishers from Geotrust by AndyBassTbn · · Score: 5, Insightful

    They're generally the ones that don't catch a lot of people anyway, or at least not anybody who doesn't deserve to be scammed.

    You know, I hate hearing that anybody deserves the financial ruin that results from falling for one of these scams.

    Remember, the more that geeks put on the "you're stupid so you deserve what you get" attitude, the fewer folks who are less-computer-savvy will buy computers for fear of being taken for a ride (and knowing no one will help them.)

    This, in turn, results in less money floating around in the tech sector, which, in turn, results in less money being invested to develop convieniences upon which we have come to rely - such as online banking.

    Which, of course, results in less money in the pocket of the geeks that were so callous to begin with. Remember - we NEED the end user just as much as the end user needs us.

    --
    I hope the land around you yields, a crop like all the other fields, and then your waiting might make sense...
  10. Re:Clues for phishers from Geotrust by The-Bus · · Score: 4, Insightful

    Take Commerce Bank. They have CommerceOnline.com for their main domain and CommerceOnlineBanking.com for their online banking. But why not CommerceBankHome.com as GoDaddy suggest? Or CommerceBanking.com? Or CommerceBankingOnline.com?

    Unfortunately their domain names are a soup of common names and it's impossible to remember. With common names, a small alteration of the site and that's all you need to confuse some folks.

    The best phishing URL I've ever seen was one that was www.amazon.com.exec-obidos.com. If anyone remembers, previously Amazon URLs always had an exec-obidos in their path when the link lead to a product. Even I had to blink a few times before I realized it was a phishing scam. (All the links went to a working Amazon section).

    --

    Small potatoes make the steak look bigger.

  11. Re:Public school system by Anonymous Coward · · Score: 5, Insightful

    IE used to have a bug where they would check the revocation list for every domain except microsoft.com. Worked well until someone walked into VeriSign's office one day impersonating Microsoft and walked out with several signed certs for microsoft.com. Hee hee. I don't know when MS fixed this, but as I recall they weren't in a big hurry to issue a patch.

  12. Re:This bears repeating - by Craig+Davison · · Score: 4, Insightful

    If the domain name of the website you're visiting is correct, and you didn't get an SSL error, you know for sure that you're connecting to the right server, and your communication to the server won't be modified or eavesdropped in transit.

    What's going on with this phishing site is that they have a bogus domain name, which unfortunately is good enough to fool people. If you know know that your bank's website is citibank.com, not secure-citibank-website.com or something like that, you will never fall prey to this. You're wrong that a check would not have done any good.

    And a "self-signed" cert is useless because a man-in-the-middle could issue his own "self-signed" cert and just replay traffic between the client and your server.

    --
    Hands in my pocket
  13. Geotrust hasn't revoked the phisher's cert yet by Animats · · Score: 4, Insightful
    Check it out. Still listed. Doesn't even seem to be in the certification revocation database.

    Let's quote what Geotrust says about relying on certificates:

    GeoTrust's solution is that the browser should display ... "The name and logo of the CA who issued the certificate. Consumers will soon learn from news reports which CAs to trust and which CAs use sloppy procedures and should not be trusted."

    We should take Geotrust at their word. Now that we're certain that their procedures are sloppy and they can't be trusted, their certs should be pulled from all browers. New releases of Firefox should not contain root certs for Geotrust. They had their chance, and they blew it.