Slashdot Mirror


Phishing Site Using Valid SSL Certificates

UnderAttack writes to tell us the Washington Post SecurityFix blog has an interesting article about a new and rather sophisticated phishing scheme. The email not only used the first few digits of the user's card number to look more plausible (even though the first part of the number is the same for all cards), but it also used a valid SSL certificate for its domain name.

24 of 368 comments

  1. Re:Revoke SSL cert? by EvilMonkeySlayer · · Score: 3, Interesting

    The problem with that is, in order for the revocation to take effect the user needs to download the root certs update which will be provided by their browser vendor (which in this case will more than likely mean MS) and let's face facts, the majority of users never even bother updating, the fickle masses that they are.

    A revoked cert isn't the solution, the solution is fixing the process by which people can get SSL certificates in the first place. There need to be more checks and balances. The current process is essentially: give us your money please, OK, here's your certificate. Enjoy!

  2. Also written up at SANS/ISC by Kelson · · Score: 3, Interesting

    The Internet Storm Center did a write-up on this case including a hypothetical tale of Joe Sixpack trying to verify the phish, doing (almost) everything right -- typing in the address instead of clicking on the link, checking for an SSL certificate, checking who the cert is registered to, etc, and still getting caught.

    The fatal flaw in the hypothetical course of action is trusting the non-standard domain name...but you can hardly blame Joe Sixpack for that one when so many financial institutions actually use one-off domains or partner sites. I was working on some phishing rules last year and counted something like 5 domains that Citibank used alone.

  3. Re:Revoke SSL cert? by hackstraw · · Score: 2, Interesting

    The problem with that is, in order for the revocation to take effect the user needs to download the root certs update which will be provided by their browser vendor (which in this case will more than likely mean MS) and let's face facts, the majority of users never even bother updating, the fickle masses that they are.

    A revoked cert isn't the solution, the solution is fixing the process by which people can get SSL certificates in the first place. There need to be more checks and balances. The current process is essentially: give us your money please, OK, here's your certificate. Enjoy!


    So true. Revoking certs basically requires realtime lookup of every cert requested to make sure it's not revoked. So, can there be a secure and efficient way to validate every cert on connect? Either way, something needs to be checked on connect, I don't know the solutions.

  4. Sophisticated Phishing by Kelson · · Score: 4, Interesting

    No, but a lot of people still have the silly idea that phishing is only as sophisticated as it was 2 years ago, back when it was plaintext, full of misspellings, and sent you to an IP or a GeoCities page.

    Back then, it was hard to imagine people getting fooled by the crude "Send me yore passwerd" level of "attacks" -- and yet people fell victim to it just the same. These days, they're polished enough that you basically have to assume any email that claims to be from your bank is forged, then examine it and try to prove otherwise.

  5. Re:Revoke SSL cert? by croddy · · Score: 2, Interesting
    Perhaps the solution is for people not to equate a secured network transport layer with the legitimacy of the business on the other end of said transport.

    Sure, you may be speaking with a scumbag using strong encryption, but he's still a scumbag.

  6. Banks should protect the money, not us by Anonymous Coward · · Score: 4, Interesting

    It amazes me that people forget that a banks job is to protect your money.

    The phisher in the end shouldn't be able to get any money from this.

    The banks should have in place a system that secures your money much better than this. It reminds me of the wild west where banks were robbed all the time.

    Like, why do the retailers have to protect the banks? Why do they have to ask for ID when you already presented a valid banking card to them? Is this system insecure? Yes, and that's why they ask for ID. WTF?

    People should consider this the same as a bank getting robbed over and over. If the banks got enough bad press from this then maybe they would do something about it.

    But never forget, this is not money, it's currency backed by nothing of value and could become worthless in a day. People have been trying to tell you this for years, but you people won't read any simple banker history, it's too boring.

    http://www.apfn.net/Doc-100_bankruptcy13.htm
    http://www.federal-reserve.net/
    http://www.converge.org.nz/pirm/fr_paul.htm
    http://batr.org/verity/id6.html

  7. Re:Revoke SSL cert? by Vellmont · · Score: 3, Interesting


    the solution is fixing the process by which people can get SSL certificates in the first place. There need to be more checks and balances. The current process is essentially: give us your money please, OK, here's your certificate. Enjoy!


    How is any cert provider going to know that a phisher is going to use a cert for a similarly named website? If I go and buy the domain mountain-america.com, set up a website that looks like I'm going to sell vacations to the mountains on that URL, get my signed cert, then turn around the next day and make it look like the mtnamerica.org website, how is the cert issuer going to read my mind and know that?

    No, the answer is that banks need to be issuing some kind of security device that does all the verification. I'm fairly certain all of this is technically possible via everyday encryption.

    --
    AccountKiller
  8. Re:Cyber-Squatting lawsuit by forsetti · · Score: 2, Interesting

    What if I have a website for mountain climbers to discuss their American tours? Wouldn't mountain-america.net be a valid name? Shouldn't I be allowed to purchase an SSL certificate to secure logins to my forums?

    I fear the day that commercial entities own the namespace of the internet, all for name recognition and protecting users from themselves. Trademark law worked great for localized commerce, but with global environments (like the internet), how can one guarantee and protect unique naming without outlawing much of the english language?

    --
    10b||~10b -- aah, what a question!
  9. Re:un-possible! by mgh02114 · · Score: 5, Interesting

    Seriously. I remember in the early 90s, tv ads for banks that ended with "...and remember, our staff will never ask for your credit card number over the phone." I think people *eventually* got the message on that one.


    They do this all the time. Just last week, Discover called and left a message on my machine "This is the security department, we have a question about the activity on your account, please call 800-###-#### to ensure continued service." When I called that number, they started off saying "Please tell me your card number, your mother's maiden name, etc." all to "confirm my identity" I of course refused, hung up, and called the 800 number printed on my credit card. They were understanding, but never acknowledged that they were essentially asking me to give all my personal information to a random person who called my home phone number.

  10. Re:Public school system by misleb · · Score: 2, Interesting

    Do browsers check revocation lists? I didn't think so. Without reference to a revocation list, there is no way to tell if a cert has been revoked. It is either signed by a recognized authority or it isn't.

    -matthew

    --
    "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
  11. IE7 Beta Preview 2 by Anonymous Coward · · Score: 1, Interesting

    Doesn't this have antiphishing with the address bar going red or blue or something to alert you to phishing? Has anyone tried to access this site with IE7?

    I am just curious as to how ie7, which is supposed to be more effective at preventing phishing attacks with its "Check this site for phishing activity" would still work as effectively with the SSL cert being genuine.

  12. Re:Public school system by sqlrob · · Score: 4, Interesting

    Do browsers check revocation lists? I didn't think so

    Yes. At least IE does. It slows things down if you're on an isolated network, so it's one of the first things I turn off on those machines.
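The disagreement between comments 3, 10 and 12 is easy to reproduce with the openssl CLI. The script below is an added example, not code from the thread or from any of the posters: it builds a throwaway CA, issues a leaf certificate, revokes it and publishes a CRL, then shows that a plain chain check still accepts the certificate and only a verifier that is handed the CRL and told to consult it rejects it. The CA name, the hostname and the scratch directory are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the Slashdot thread: a throwaway CA built with the
# openssl CLI. Revoking a certificate changes nothing for a client that never
# fetches the CRL; only a verifier given the CRL and told to check it rejects
# the cert. CA name, hostname and scratch directory are assumptions.
set -u

setup_ca() {
  # $WORK must be set by the caller (use a fresh directory per run).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  : > "$WORK/index.txt"          # openssl ca's certificate database
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 1
default_crl_days = 1
policy = any_pol
[ any_pol ]
commonName = supplied
EOF
}

issue_leaf() {
  # Hypothetical hostname; the CA only checks the CSR, not who is asking.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mountain-america.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl ca -batch -config "$WORK/ca.cnf" -notext \
    -in "$WORK/leaf.csr" -out "$WORK/leaf.crt" 2>/dev/null
}

revoke_leaf() {
  # Mark the cert revoked in the CA database, then publish a signed CRL.
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/leaf.crt" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# Chain check only: how a client that never downloads a CRL behaves.
verify_without_crl() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Same chain check, but the CRL is supplied and revocation checking enabled.
verify_with_crl() {
  cat "$WORK/ca.crt" "$WORK/crl.pem" > "$WORK/trust.pem"
  openssl verify -crl_check -CAfile "$WORK/trust.pem" "$WORK/leaf.crt" >/dev/null 2>&1
}

run_demo() {
  WORK=$(mktemp -d)
  setup_ca && issue_leaf
  verify_without_crl && echo "before revocation: accepted"
  revoke_leaf
  verify_without_crl && echo "after revocation, no CRL consulted: still accepted"
  verify_with_crl || echo "after revocation, CRL checked: rejected"
  rm -rf "$WORK"
}

run_demo
```

The middle line of the output is the whole argument: the CA has done its part, the CRL exists, and the certificate still validates for anyone who does not go and fetch it. Browsers that do check (via CRL or OCSP) pay the latency sqlrob mentions; browsers that do not are in the position misleb describes.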

  13. has to be retired-- a rebuttal by way2trivial · · Score: 4, Interesting

    you say, eventually an old trick has to stop being used, I say read the following

    http://www.historybuff.com/library/refbarnum.html

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  14. Re:Clues for phishers from Geotrust by zacronos · · Score: 3, Interesting

    I think when it says "misspellings", it doesn't mean the "I trenslated this miself" kind of misspelling in the email body, but rather the "this looks almost like a legitimate URL, unless you notice that it's not spelled correctly" kind of misspelling, which is usually spelled correctly in the link text. Like, for instance, www.citibank.com (as a hypothetical example).

    This is why TFA goes on to say "[...] the technology did not flag the request because there was nothing in the Internet address to indicate the site was at all related to a financial institution." -- because they try to catch URLs that are similar to, but not quite the same as, legitimate URLs of financial institutions.
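Comments 2, 7 and 14 all describe the same detection problem: a hostname that is not the bank's but is built to pass as it, whether by a one-character typo, by hyphenating the brand into a different registrable domain (mountain-america.com against mtnamerica.org), or by burying the real name in a subdomain. The following is an added example, not code from the thread or from any vendor: a small classifier that applies those three checks to a URL. The allow-list and the sample URLs are constructed for illustration; the mtnamerica.org and mountain-america.com names come from the discussion above, the rest are made up. Note that the check never looks at the certificate, which is exactly the point croddy makes: a valid cert on a look-alike domain is still a look-alike domain.

```python
"""Added example, not from the Slashdot thread: the look-alike domain check
comments 2, 7 and 14 describe. The legitimate-domain table and the sample URLs
are constructed; mtnamerica.org and mountain-america.com come from the thread,
the other names are made up."""
from urllib.parse import urlsplit

# Constructed allow-list: registrable domain -> brand strings a phisher would
# imitate. Production code would load a maintained feed, not a literal.
LEGIT = {
    "mtnamerica.org": ("mtnamerica", "mountainamerica"),
    "citibank.com": ("citibank",),
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels. Crude: ignores multi-part suffixes such as co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unknown'. The scheme and any certificate
    are ignored on purpose: an https URL is judged exactly like its http twin."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "unknown"
    dom = registrable(host)
    if dom in LEGIT:
        return "legit"
    core = dom.rsplit(".", 1)[0]                   # e.g. "mountain-america"
    flat = host.replace(".", "").replace("-", "")  # e.g. "wwwcitibankcomevilexample"
    for real, brands in LEGIT.items():
        real_core = real.rsplit(".", 1)[0]
        # typo-squat: within one edit per ~5 characters of the real name
        if levenshtein(core.replace("-", ""), real_core) <= max(1, len(real_core) // 5):
            return "lookalike"
        # brand embedded anywhere in the host, hyphens and subdomains stripped
        if any(b in flat for b in brands):
            return "lookalike"
    return "unknown"


SAMPLE_URLS = [  # constructed for the example
    "https://www.mtnamerica.org/login",
    "https://mountain-america.com/ebanking",
    "https://www.citibank.com.evil.example/update",
    "https://citlbank.com/",
    "https://example.org/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify(u):10} {u}")
```

The third sample is the trap Kelson's rules had to handle: "citibank.com" appears in the host, but the registrable domain is evil.example. A filter that only compares the last two labels against an allow-list passes it; one that flattens the whole host and looks for the brand catches it. The distance threshold is deliberately tight (one edit for names under ten characters) so that ordinary unrelated domains are not flagged.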

  15. Phishers have been using SSL since 2004 by miller60 · · Score: 3, Interesting

    Phishing scams have been using SSL in attacks since 2004. Last year Netcraft identified more than 450 phishing attacks that used SSL certificates in one form or another. However, the tactics seen in the Mountain America attack are more sophisticated than previous attempts. In many previous attacks the phishing crews have used an https URL with an SSL cert they know will trigger a browser alert, banking on the likelihood that many users will trust the padlock and ignore the certificate. This one is designed to fool more sophisticated users who actually check the certificate.

  16. Re:un-possible! by gutnor · · Score: 5, Interesting

    I got exactly the same here in the UK, except that instead of stopping immediately I did like any Joe user: I called back the number, gave my credit card number and birth date, but before answering for my mother's maiden name, I just realised what I was saying and felt the little tickling in the belly meaning stress ...

    I asked the woman on the other end what that was about - why did I need to give this info?
    She told me she needed a 'security check - blabla'.
    I asked why they asked me to call and where I was exactly; she just told me the name of the bank (thanks, easy) but she needed the security check to give the reason for the call (best excuse ever)...

    I hung up - (I started to sweat) - I went straight to the website to find the number I had just called in the bank's public phonebook, but nada ... the number was not even close to any number used by the bank. I googled the number, nothing ... (arghhhh)

    I called the bank; this time I had to give the security ID again (after the previous experience, even if you pick the number yourself from your monthly statement, you really feel uneasy).
    I asked the girl what this number I had just called was, and what I'm supposed to do now ... she took less than 2 min (from my point of view, a very big value of 2) to find out that this number is not in the bank's private directory either...

    Hopefully the girl rang the mysterious number herself and found out that it was only a number set up for the billing department (yeah, I missed a payment :-) ) ...

    They had a valid reason to contact me, I had an urgent action to take, but why in hell do they use the same trick the spammers use?
    They use an unknown number, not even known to the bank employees?
    If I had done as we are told in the security leaflet given by the very same bank, I should have called the fraud department of the bank to report the phishing attempt instead of ringing back!

  17. The fatal flaw by Sloppy · · Score: 2, Interesting
    The fatal flaw in the hypothetical course of action is trusting..
    ..Equifax.

    I have nothing against Equifax, but I don't know them either. I don't know their policies, I don't know how they protect their signing key, and I don't know how they verify identities. Neither do you (well, ok, you know a little about their stated policies, because you RTFA). Neither does Joe Sixpack.

    People are farming trust out to faceless strangers that they have never met. It's pretty insane when you think about it.

    Who the hell is Equifax? Who is Verisign? Thawte? They're just names. I don't know anything about them, but somehow when I installed a web browser, it came with a database that says these companies should be trusted introducers. Why the web browser doesn't come with an empty database, I have no idea. Well, I'm lying, of course. I know why. Because people would stop and ask, "Hey should I trust Equifax?" and we don't want most people thinking about that. We just want them to buy stuff.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  18. Re:That's why I don't click html links... by techno-vampire · · Score: 2, Interesting
    So why should we be stuck with a CLI-based mail client just because people are capable of using it?

    Er...uh...well...maybe, because we're not, and the OP never said we should be. The OP was only listing his own preferred newsclient, and not insisting that anybody else in the world use it. Just because you think GUI mail clients that parse html, automatically open attachments and run executables are the greatest thing since punched cards doesn't mean everybody else has to use them.

    --
    Good, inexpensive web hosting
  19. Re:That's why I don't click html links... by value_added · · Score: 3, Interesting

    ...users are capable of doing it if they weren't ignorant. 10 years ago when GUI mail readers barely existed... Windows is to blame for dumbing down our computer users to the point of being completely incompetent when it comes to dealing with a non-clicky-clicky interface.

    Congratulations! You've earned extra Slashdot Coolness Points for 1) slamming Windows; 2) insulting the average user; and 3) being blissfully unaware that most normal people actually prefer a GUI interface!

    Perhaps, but more importantly, he offered a reminder that 1) the "Ease of Use" design of Windows and many Windows-based apps does encourage stupidity; 2) GUI apps, despite their added features, can often be inferior to terminal-based programs (in this particular case, even dangerous); and 3) terminal-based programs need not be difficult to use as ordinary people were once perfectly happy typing cryptic-looking commands on a bare screen.

    I'd say each of those reminders is valuable, and the distinctions made are important.

    This isn't so different than referring to Windows-based viruses or worms as "computer viruses." Put another way, if everyone does indeed want clicky programs and text/html email as another poster suggested, it's perfectly appropriate that they have a clear understanding that any problems they encounter are mostly the result of their preferences. A few comparisons and a little background are always useful.

  20. eBay Phishing Received This Weekend (Screenshots) by nuxx · · Score: 2, Interesting
    This weekend I got a very, very impressive eBay phishing message which appeared to ask if I accepted PayPal. I was so impressed by the continuity of the fake site that I took some screenshots of it:
    - Original Email
    - Fake eBay Login Page
    - Fake Message Composition Page
    - Fake Sent Email Confirmation
  21. Re:un-possible! by jacksonj04 · · Score: 4, Interesting

    Why can't banks use a similar system to the "mother's maiden name" to prove who they are? You tell them three pieces of information, and then when they call you can ask for any one of them (They may need to prompt you first).

    --
    How many people can read hex if only you and dead people can read hex?
  22. Re:un-possible! by mikeleigh · · Score: 2, Interesting

    Actually if you use First Direct then this is exactly what they do. Sometimes they will call me and ask me for details and I simply say sorry, but I refuse to give these out over the phone when you rang me. The answer I get is: OK sir, that's fine. Please wait 5 minutes before calling the bank's number and a note will be on your file for the operator to direct you back to me. Now that's what I call banking. None of the staff at the bank mind if you tell them that. Also when you ring them they ask you for random letters from your password or a memorable place or a combination of things that you should know.

  23. Re:That's why I don't click html links... by Anonymous Coward · · Score: 1, Interesting

    Ten years ago I was using Eudora on a Mac IIci. Best mail client ever. Why oh why can't anyone write a mail client today? KMail is annoying, Evolution is buggy as hell, Sylpheed keeps locking up the UI (heard of threading?), etc.

    What the hell?

    At least browsers have gotten better.

  24. SiteKey: Mother's maiden name, for your bank? by Gary+W.+Longsine · · Score: 2, Interesting
    Why can't banks use a similar system to the "mother's maiden name" to prove who they are? You tell them three pieces of information, and then when they call you can ask for any one of them (They may need to prompt you first).
    Bank of America has a system like this, called SiteKey. If you click on a link and it doesn't go through a verification routine called SiteKey, you know you're not at the real web site of the bank.

    There are several issues with this system, however. The biggest one seems to be that it requires the customer to remember still more crap... ^h^h^h^h ... bits of arbitrary information which are required to perform their daily business with the bank. People are already crushed under the load of the information they must master to interact with banks, online retail vendors, and credit card companies. Now they have to remember some essentially random combination of pictures and words. Let's see, is that sitekey a dog, a mutt, a hound, a puppy, or a poodle? (Hint: the same picture could be any of those things. It's right on the tip of my tongue...)

    Another issue is that several times a year now online shoppers are faced with learning entirely new paradigms and associated rules for how to know if they are being scammed. It's hard to keep up with this stuff when it's your full time job to do so let alone as a casual internet shopper. (That's the same issue you say? One, there is One big issue! I'll just go out and come back in...)

    Another recent example is the Verified by Visa program which has recently been leveraged to provide a new social engineering angle for a phishing scam. I predicted this a few months ago when I was first exposed to the Verified by Visa system, but I just got around to blogging about it only ten days ago. (see: Verified by Visa (Veriphied Phishing?) for a description of my unsettling first exposure to this major security initiative from Visa.) I wish I had blogged sooner, I need more points to get my "fortune teller" merit badge!

    More fodder:
    Joris Evers of CNet blog on SiteKey with links to stories and discussions
    Slashdot discussion on SiteKey

    By the way, have you noticed that the time horizon for "recent" is now minutes and hours. I can remember a time when it used to be at least weeks.
    --
    If you mod me down, I shall become more powerful than you could possibly imagine.