Phishing Site Using Valid SSL Certificates
UnderAttack writes to tell us the Washington Post SecurityFix blog has an interesting article about a new and rather sophisticated phishing scheme. The email not only used the first few digits of the user's card number to look more plausible (even though the first part of the number is the same for all cards), but it also used a valid SSL certificate for its domain name.
Seriously. I remember in the early 90s, tv ads for banks that ended with "...and remember, our staff will never ask for your credit card number over the phone." I think people *eventually* got the message on that one. How long will it take online? Remember, unsolicited email that links to a website ready to take your credit card number is bullshit, mom.
Did people honestly think that their techniques were going to get worse rather than better?
Ryan - http://www.thecosmotron.com/
If you get scammed on the intarweb, your intarweb license should be revoked.
If they rely on misspellings, they'll only catch the dumb phishers. They're generally the ones that don't catch a lot of people anyway, or at least not anybody who doesn't deserve to be scammed.
Have you read my blog lately?
Proving once again the relative lack of worth of requiring SSL certificates to be signed. All it does is make a few companies rich.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
...and also why I hate html email and use pine as my mail client. Unfortunately, most people don't know enough to not click html links sent to their email account. As a result, this is especially worrisome because it looks legit.
Couldn't the SSL certificate issuer just revoke the certificate of anyone using said certificate for malicious or illegal purposes? That would at least give some warning to users with a bad or unknown certificate message.
A better link, with more screenshots:
Phollow the Phlopping Phish
---- join dshield.org Distributed Intrusion Detec
Soon all the good ideas will be taken and I'll be stuck selling penis pills again. Ugh...
The Internet Storm Center did a write-up on this case including a hypothetical tale of Joe Sixpack trying to verify the phish, doing (almost) everything right -- typing in the address instead of clicking on the link, checking for an SSL certificate, checking who the cert is registered to, etc., and still getting caught.
The fatal flaw in the hypothetical course of action is trusting the non-standard domain name...but you can hardly blame Joe Sixpack for that one when so many financial institutions actually use one-off domains or partner sites. I was working on some phishing rules last year and counted something like 5 domains that Citibank used alone.
These phishers are getting more and more sophisticated, but it's only a matter of time before they're caught. To get more sophisticated requires better services and equipment, which requires the phishers to either:
a) Give out their true information - name, address, etc, making for easier law enforcement tracking
b) Give out false information - which may buy them some time, but will only cause the bite taken out of their ass by law enforcement to be that much bigger.
Even still, Valid SSL certificates and whatnot don't mean shit against a true savvy user who knows better. Any user who actually reads the warnings by their banks/credit card companies/etc will know that said companies will never send emails asking for credit card information.
Frink: Nice try floyd, but you were designed for scrubbing, and scrubbing is what you shall do.
Beyond the cert saying the business was in Salt Lake City, Utah, I don't really see how there was some big confidence broken here. The SSL cert was issued for "www.mountain-america.net". The bank in question is "www.mtnamerica.org". Whoever thinks that a signed SSL certificate is supposed to verify anything other than that the person/entity asking for the cert is the same person who owns the domain is assuming waaaay too much.
In essence, signed certs are only supposed to protect from a man-in-the-middle attack, not someone being fooled into going to a similarly named website. Why shouldn't I be able to get a signed cert for mountain-america.net if I own it? There are plenty of similarly named legit businesses that all have certs issued to them.
AccountKiller
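The distinction the comment above draws (a cert proves the site is whoever controls that host name, not that the host name is your bank's) is what a TLS client's host-name check actually implements. The following is an added example, not code from the thread or from any browser: a small matcher in the style of RFC 6125 (exact match, single-label wildcard, SAN preferred over CN) over certificate dictionaries in the shape Python's `ssl` module returns from `getpeercert()`. The certificate contents and the `BANK_DOMAINS` list are constructed for the example; the `www.mountain-america.net` and `www.mtnamerica.org` names come from the comment. It shows that the phishing cert passes the browser's check for the phishing host, and that the only check that catches the look-alike is comparing the host against the domain you already know belongs to the bank.

```python
"""Added example (not from the Slashdot thread): how a TLS client decides
whether a certificate covers the host it connected to, and why that check
cannot catch a look-alike domain with its own valid certificate."""


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive exact match, or a wildcard
    in the leftmost label only, matching exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # '*.com' style wildcards are rejected, and '*' never spans a dot
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """The browser's check: does any DNS name in the cert cover this host?
    `cert` uses the dict shape returned by ssl.SSLSocket.getpeercert()."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy fallback to the subject CN when no SAN is present
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(_name_matches(n, hostname) for n in names)


def host_in_known_domains(hostname: str, domains) -> bool:
    """The check the user has to make: is this host under a domain I already
    know belongs to my bank (from a statement, a bookmark, the card)?"""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed certificate dict for the phishing host named in the comment.
PHISH_CERT = {
    "subject": ((("commonName", "www.mountain-america.net"),),),
    "subjectAltName": (("DNS", "www.mountain-america.net"),),
}
# Constructed list of domains the customer knows to be the bank's.
BANK_DOMAINS = {"mtnamerica.org"}


if __name__ == "__main__":
    host = "www.mountain-america.net"
    print("browser host-name check:", cert_matches_host(PHISH_CERT, host))   # True
    print("is a known bank domain: ", host_in_known_domains(host, BANK_DOMAINS))  # False
```

Both functions return `True` only for their own question: the first says the certificate is valid for the host you reached, the second says the host is one you meant to reach. A browser can only ever answer the first.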
1. Register the domain JFBVB.COM
2. On your own DNS servers create a record for EBAY.JFBVB.COM
3. Purchase a legit SSL certificate from RapidSSL on that domain for $69
4. Create your phishing site
5. (Illegally) profit!
Many people think that an SSL certificate somehow guarantees a trustful vendor. On the contrary, it simply guarantees that no one will view the information en route. The vendor can do whatever he wants with the information you send.
No, but a lot of people still have the silly idea that phishing is only as sophisticated as it was 2 years ago, back when it was plaintext, full of misspellings, and sent you to an IP or a GeoCities page.
Back then, it was hard to imagine people getting fooled by the crude "Send me yore passwerd" level of "attacks" -- and yet people fell victim to it just the same. These days, they're polished enough that you basically have to assume any email that claims to be from your bank is forged, then examine it and try to prove otherwise.
You have never truly had fun with the support staff at your bank/credit union/credit card/whatever until you have called and asked them to verify the thumbprint/fingerprint of their SSL cert for you.
Unfortunately, it looks like Geotrust lost this round, and it probably would be considered good practice to actually do that from time to time. For the truly paranoid, remove all root certificates, and only after verifying the thumbprint proceed to install that cert into your cache. No more trust hierarchy.
the ssl cert companies don't verify who you are, just who you say you are
they're in it for the buck. why would they go that extra mile when it just cuts into their bottom line?
vodka, straight up, thank you!
You know, if that SSL certificate traces back to a valid human, then you can arrest him/her for phishing and they've provided all your evidence for you.
It's like leaving your digitally signed confession at the scene of the crime. No CSI team needed. Only the crooks know the corresponding private key.
If you can't trace that certificate back to a valid human, then the CA needs to be beaten with a large stick.
...or maybe not.
It amazes me that people forget that a banks job is to protect your money.
The phisher in the end shouldn't be able to get any money from this.
The banks should have in place a system that secures your money much better than this. It reminds me of the wild west where banks were robbed all the time.
Like, why do the retailers have to protect the banks? Why do they have to ask for ID when you already presented a valid banking card to them? Is this system insecure? Yes, and that's why they ask for ID. WTF?
People should consider this the same as a bank getting robbed over and over. If the banks got enough bad press from this then maybe they would do something about it.
But never forget, this is not money, it's currency backed by nothing of value and could become worthless in a day. People have been trying to tell you this for years, but you people won't read any simple banker history, it's too boring.
http://www.apfn.net/Doc-100_bankruptcy13.htm
http://www.federal-reserve.net/
http://www.converge.org.nz/pirm/fr_paul.htm
http://batr.org/verity/id6.html
You mean people would never give out credit card numbers, when asked over the phone? I think you place too much faith in humanity.
Most people would agree it's stupid, and fewer people will behave stupidly after an education campaign (or after being bitten in the ass). Scam artists may not bother anymore with a certain method. But not because it wouldn't work; rather because they've moved on to easier methods, methods that (these days) give them more return for their effort.
For the same reason, e-mails with attachments like "Anna Kournikova.jpg.pif" will keep getting clicked on. You may think it's silly, but there's a new sucker born every day. My question is: Did these dogs give Equifax enough information for the cops to have some hope of tracking them down? I'm guessing that at least some of this information is faked, but if there's nothing here that the cops can use, then the identity information in SSL certificates is less than worthless.
Free Software: Like love, it grows best when given away.
I say that because this is the first incident ever being reported where an SSL cert was obtained illegitimately.
Um, no.
What if I have a website for mountain climbers to discuss their American tours? Wouldn't mountain-america.net be a valid name? Shouldn't I be allowed to purchase an SSL certificate to secure logins to my forums?
I fear the day that commercial entities own the namespace of the internet, all for name recognition and protecting users from themselves. Trademark law worked great for localized commerce, but with global environments (like the internet), how can one guarantee and protect unique naming without outlawing much of the English language?
10b||~10b -- aah, what a question!
To add to this craziness, the culprits behind these accomplishments, in this case certificate hacking of all things, are brilliant enough to get ultra-high paying jobs and hire a nude secretary. With this new age of cyber-terrorism threats, I gotta side with the pro-hacker mantras claiming that they help the world by exposing threats with mostly benign things like pbrushing a hitler mustache on Bush before the real bad guys, the ones who have similar high levels of expertise [though in bombs], figure out the holes. High five, 31337-speakers.
Do browsers check revocation lists? I didn't think so. Without reference to a revocation list, there is no way to tell if a cert has been revoked. It is either signed by a recognized authority or it isn't.
-matthew
"THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
Do browsers check revocation lists? I didn't think so
Yes. At least IE does. It slows things down if you're on an isolated network, so it's one of the first things I turn off on those machines.
SSL doesn't prevent phishing. A signed SSL cert from a trusted Certificate Authority only assures the user that the information passing between the user and the domain is encrypted. SSL can't tell you if a site is "real" or not.
you say, eventually an old trick has to stop being used, I say read the following
http://www.historybuff.com/library/refbarnum.html
every day http://en.wikipedia.org/wiki/Special:Random
SSL certs are great for end-to-end encryption. They are not good for authentication, because people don't usually check on the certificate - however, here even a check wouldn't have done any good. I only buy SSL certs because people don't like the extra confirmation dialogue that comes with self-signed ones.
See also this ISC piece.
"It doesn't cost enough, and it makes too much sense."
They have your phone number.
They have your address.
They can send you a letter, they can call your phone. And their phishing rate would drop to almost zero.
you spelled 'intarweb' right both times.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
But if they do that, then a whole bunch of certs immediately become untrusted, because those certs only have one signature: Equifax.
OpenPGP is better. In a world ruled by OpenPGP instead of X.509, people would go into their databases and set their "how much I trust Equifax" to a lower setting. Then if someone's identity was only certified by Equifax, they'd start to look iffy, but if someone has been certified by many CAs (in addition to Equifax), they'd still look ok.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Phishing scams have been using SSL in attacks since 2004. Last year Netcraft identified more than 450 phishing attacks that used SSL certificates in one form or another. However, the tactics seen in the Mountain America attack are more sophisticated than previous attempts. In many previous attacks the phishing crews have used an https URL with an SSL cert they know will trigger a browser alert, banking on the likelihood that many users will trust the padlock and ignore the certificate. This one is designed to fool more sophisticated users who actually check the certificate.
RichM
Data Center Knowledge
IE used to have a bug where they would check the revocation list for every domain except microsoft.com. Worked well until someone walked into VeriSign's office one day impersonating Microsoft and walked out with several signed certs for microsoft.com. Hee hee. I don't know when MS fixed this, but as I recall they weren't in a big hurry to issue a patch.
One can at least mitigate the money issue. http://cacert.org/ is an alternate "open" root cert authority. They're working hard to gain the acceptance of the likes of Verisign. I've had conversations with a few of them, and it's arguable that their verification procedures are _more_ rigorous than those conducted by the CAs that are charging high prices.
Never mind the fact that if no one is buying certs, there's no financial pressure to cause them to make any compromises for those willing to pay the right price.
once you go slack, you never go back
Basically, the email addresses attached to these phishing scams are one of 3 things:
1. An address coming from a domain name owned by the target (i.e. bank etc.)
2. An address coming from a domain name that looks like it's owned by the target (e.g. www.paypalsupport.com)
or 3. Something totally unrelated to the bank
If everyone (both the phishing targets and the email providers) implemented GOOD SPF record checking, it should stop point 1.
Point 2 can be stopped by enforcing the trademark and forcing the domain name to be handed over to the trademark owner (who can then enforce SPF on it).
It won't stop all phishing scams (i.e. those that come from or something like that) but it will certainly help.
Unfortunately, even the biggest phishing targets like Amazon, eBay, PayPal etc. don't implement proper SPF records that say "These machines are the only machines to send email for this domain" (they implement a default "permit all" and not a default "deny all", unfortunately).
Also, banks need to actually implement better security, if banks had decent security, phishing would be useless.
Here is a security model that would be very difficult for a phisher to defeat:
You open the webpage of your bank and go to the login page. The bank's computers then calculate a random number and store it along with the IP address that made the request. The login webpage displays a box for the username, a box for the password and another box for a hash. You enter the random number the bank computer generated into a little calculator-like device that contains another random number generated by the bank and stored in the bank's computers as well as the device. Then, the device uses a hash algorithm (one designed so that there is no value of that will result in an output value of or that if one exists, it is different for each value of ) to combine the login page number and the stored number.
The result is entered into the login page along with the username and password.
The bank then pulls the secret device number from its database and checks that the hash matches. Also, if the IP address of the machine making the requests to the bank's webpages doesn't match the IP stored alongside the session ID, it will assume it's fake and terminate.
Now, when you want to transfer money to someone not on your "approved payee" list or add someone to your "approved payee" list, you get another random hash which you have to enter into the little calculator. To prevent the phisher from simply tricking you into typing this second hash in (i.e. transferring all your money to them instead of transferring the amount you wanted to transfer to who you wanted to transfer it to), you would have to enter the amount being transferred into the calculator device too, with it being used as part of the hash.
Anyone who is dumb enough to press "Funds Transfer" then doesn't deserve to be using a computer, much less the internet.
A big education campaign by the banks would help too. For example, include a pamphlet with the next bank statement or other junk mail that gives a clear warning about phishing scams and to never ever trust any email pretending to be from the bank no matter what. Also it would tell you to change your password or contact your bank if you think you have been hacked or phished.
If the pamphlet said in big bold letters something like "Warning: Your money could be at risk from hackers, read this to find out how to prevent it" and was sent out to every bank customer (or every bank customer with online banking enabled on their account), people would probably read it.
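The SPF point in the comment above (a "deny all" default stops forged mail claiming to be from the bank's own domain, a "permit all" default stops nothing, and neither says anything about a look-alike domain) is easy to see by running a policy evaluator over a few records. The following is an added example, not code from the thread or from any SPF library: a minimal evaluator that models only `ip4`/`ip6` terms and the `all` term with its `+`, `-`, `~`, `?` qualifiers, over constructed DNS records held in a dictionary (`include:`, `a` and `mx` would need live DNS and are not modelled). All domains and addresses are constructed; the `.test` TLD is reserved for examples.

```python
"""Added example (not from the Slashdot thread): a minimal SPF evaluator over
constructed records, showing what a default-permit versus default-deny policy
means for a forged envelope sender."""
import ipaddress

# Constructed records: a bank with a strict policy, a bank whose record ends in
# "+all" (the "permit all" default the comment complains about), and a
# look-alike domain that a phisher registered and gave its own SPF record.
SPF_RECORDS = {
    "examplebank.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "laxbank.test": "v=spf1 ip4:192.0.2.0/24 +all",
    "examplebank-support.test": "v=spf1 ip4:203.0.113.0/24 -all",
}

# Qualifier prefixes and the result each one produces when its term matches.
RESULTS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Walk the record left to right; the first matching term decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                  # the qualifier defaults to '+' (Pass)
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return RESULTS[qualifier]   # the catch-all term: the policy default
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return RESULTS[qualifier]
    return "Neutral"                     # no term matched and no 'all' present


def check_sender(mail_from_domain: str, sender_ip: str) -> str:
    """Receiver-side check of the envelope sender's domain against its record."""
    record = SPF_RECORDS.get(mail_from_domain.lower())
    return "None" if record is None else evaluate_spf(record, sender_ip)


if __name__ == "__main__":
    forged_from = "198.51.100.20"   # constructed address a phisher sends from
    print("forged examplebank.test: ", check_sender("examplebank.test", forged_from))
    print("forged laxbank.test:     ", check_sender("laxbank.test", forged_from))
    print("look-alike, own server:  ", check_sender("examplebank-support.test", "203.0.113.7"))
```

The third case is the comment's "point 2": the look-alike domain publishes a correct record for its own mail server, so SPF passes. SPF only binds a sender address to the domain in that address; it cannot say whether the domain is the one the reader thinks it is.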
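The challenge-response login and transaction-signing scheme sketched in the comment above is a protocol, and the reason it resists a phishing relay is clearest when the bank side and the device side are both written down. The following is an added example, not code from the thread: a toy bank server and device function in Python, using HMAC-SHA256 for the device's hash and `secrets` for the random numbers. It follows the comment's design (random challenge stored with the requesting IP; a shared per-customer device secret; a second challenge for transfers with the amount mixed into the hash) and goes one step further by also mixing in the payee, so a captured response is only valid for exactly the transfer the customer typed into the device. The user names, passwords, IP addresses and message layout are this example's own constructions.

```python
"""Added example (not from the Slashdot thread): toy model of the
challenge-response login and transaction-signing scheme in the comment."""
import hashlib
import hmac
import secrets

CUSTOMER_IP = "203.0.113.5"   # constructed addresses for the scenarios below
PHISHER_IP = "198.51.100.9"


def device_response(device_secret: bytes, challenge: str,
                    amount: str = "", payee: str = "") -> str:
    """What the calculator-like device computes. For login only the challenge
    is hashed; for a transfer the amount and payee are hashed too, so the
    8-character code the customer types is bound to that one transfer."""
    msg = f"{challenge}|{amount}|{payee}".encode()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()[:8]


class BankServer:
    def __init__(self):
        self.device_secrets = {}  # user -> secret shared with that user's device
        self.passwords = {}       # user -> password (plaintext only for brevity)
        self.sessions = {}        # session id -> {ip, challenge, user, pending}
        self.transfers = []       # accepted (user, amount, payee) tuples

    def enroll(self, user, password):
        secret = secrets.token_bytes(32)
        self.device_secrets[user] = secret
        self.passwords[user] = password
        return secret  # loaded into the device out of band, never sent over the web

    def login_page(self, client_ip):
        """Issue a random challenge and remember which IP asked for it."""
        sid, challenge = secrets.token_hex(16), secrets.token_hex(4)
        self.sessions[sid] = {"ip": client_ip, "challenge": challenge,
                              "user": None, "pending": None}
        return sid, challenge

    def _session(self, sid, client_ip):
        s = self.sessions.get(sid)
        return s if s is not None and s["ip"] == client_ip else None

    def login(self, sid, client_ip, user, password, response):
        s = self._session(sid, client_ip)
        if s is None or user not in self.passwords:
            return False
        if not hmac.compare_digest(self.passwords[user].encode(), password.encode()):
            return False
        expected = device_response(self.device_secrets[user], s["challenge"])
        if not hmac.compare_digest(expected, response):
            return False
        s["user"] = user
        return True

    def transfer_challenge(self, sid, client_ip, amount, payee):
        """Second challenge, issued for a transfer to a non-approved payee."""
        s = self._session(sid, client_ip)
        if s is None or s["user"] is None:
            return None
        s["pending"] = {"challenge": secrets.token_hex(4), "amount": amount, "payee": payee}
        return s["pending"]["challenge"]

    def transfer(self, sid, client_ip, amount, payee, response):
        s = self._session(sid, client_ip)
        if s is None or s["user"] is None or s["pending"] is None:
            return False
        pending, s["pending"] = s["pending"], None   # one attempt per challenge
        expected = device_response(self.device_secrets[s["user"]],
                                   pending["challenge"], amount, payee)
        if not hmac.compare_digest(expected, response):
            return False
        self.transfers.append((s["user"], amount, payee))
        return True


def _logged_in_bank():
    bank = BankServer()
    secret = bank.enroll("alice", "hunter2")
    sid, ch = bank.login_page(CUSTOMER_IP)
    bank.login(sid, CUSTOMER_IP, "alice", "hunter2", device_response(secret, ch))
    return bank, secret, sid


def genuine_transfer_succeeds():
    bank, secret, sid = _logged_in_bank()
    ch = bank.transfer_challenge(sid, CUSTOMER_IP, "10.00", "electric-co")
    code = device_response(secret, ch, "10.00", "electric-co")
    return bank.transfer(sid, CUSTOMER_IP, "10.00", "electric-co", code)


def altered_transfer_is_rejected():
    """The customer signs a 10.00 transfer to electric-co; the captured code is
    then submitted with a different amount and payee. Even with the IP check
    satisfied, the amount-bound hash does not verify and nothing moves."""
    bank, secret, sid = _logged_in_bank()
    ch = bank.transfer_challenge(sid, CUSTOMER_IP, "10.00", "electric-co")
    captured = device_response(secret, ch, "10.00", "electric-co")
    accepted = bank.transfer(sid, CUSTOMER_IP, "5000.00", "mule-acct", captured)
    return (not accepted) and bank.transfers == []


def other_ip_is_rejected():
    """A login code relayed from another address fails the IP binding."""
    bank = BankServer()
    secret = bank.enroll("bob", "s3cret")
    sid, ch = bank.login_page(CUSTOMER_IP)
    return not bank.login(sid, PHISHER_IP, "bob", "s3cret", device_response(secret, ch))
```

The two rejection scenarios isolate the two controls the comment relies on: the IP binding catches a relay from elsewhere, and the amount (and payee) in the hash catches a relay that has already got past the IP check. Neither depends on the customer noticing anything about the web page, which is the point of the scheme.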
I have nothing against Equifax, but I don't know them either. I don't know their policies, I don't know how they protect their signing key, and I don't know how they verify identities. Neither do you (well, ok, you know a little about their stated policies, because you RTFA). Neither does Joe Sixpack.
People are farming trust out to faceless strangers that they have never met. It's pretty insane when you think about it.
Who the hell is Equifax? Who is Verisign? Thawte? They're just names. I don't know anything about them, but somehow when I installed a web browser, it came with a database that says these companies should be trusted introducers. Why the web browser doesn't come with an empty database, I have no idea. Well, I'm lying, of course. I know why. Because people would stop and ask, "Hey should I trust Equifax?" and we don't want most people thinking about that. We just want them to buy stuff.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
- Open the preferences and go to "Advanced".
- Then click on "Security".
- Push the certificates button and then choose the "authorities" tab.
- Find equifax.
- Select all those entries.
- Push "edit", uncheck the checkboxes for each certificate.
Done, you no longer trust these folks.
The problem is that they're having a hard time even getting Mozilla to trust them. There's a bugzilla entry with about 500 CCs listed, all of whom are waiting patiently for the root cert to be installed...
Let's quote what Geotrust says about relying on certificates:
GeoTrust's solution is that the browser should display ...
"The name and logo of the CA who issued the certificate. Consumers will soon learn from news reports which CAs to trust and which CAs use sloppy procedures and should not be trusted."
We should take Geotrust at their word. Now that we're certain that their procedures are sloppy and they can't be trusted, their certs should be pulled from all browsers. New releases of Firefox should not contain root certs for Geotrust. They had their chance, and they blew it.
Check here for settings.
Weaselmancer
Ridiculous.
This is why everyone should install the Netcraft Anti-Phishing Toolbar...unless they really know what they are doing (read IT professional)...
All of your users/customers should have this installed...besides rating the risk of the site based on previous reports, it would also have shown how long the site was registered...which even on this phishing site was probably a matter of days...as a matter of fact, I can see this as a good feature to include within Firefox...whenever you view the SSL certificate, show the domain registration info...
Looking at some of the domain registration info, it's obvious that including the DNS Admin, Organization, and Nameserver Organization, you would have easily identified a fake...
Even better yet, why not have a certification process for banks and such that could opt to have their ISP verify their identity...then when you visit their SSL site, your browser could display the verification info beside the "security lock"...
Of course, if you want to change the way the "Security Lock" works in browsers, in the US you could set something up with the FDIC that would use a DNS lookup similar to the way DNS Block Lists operate...only this one would tell you if the site was a valid banking site...I guess the "Lock" could change to a "$" or something if it was verified as a banking site...web sites could simply request the check in some way (HTTP header or something)...the header value could represent the type of site (US Banking Site...check with FDIC...)
SSL certs are not sold for domain names, just host names. They only work for ONE host. You can't buy an SSL cert for *.JFBVB.COM and set up EBAY.JFBVB.COM later. You can only buy a cert for one host, say WWW.JFBVB.COM.
We can argue all night about the level of security afforded by an SSL certificate. I think most people don't have a clue about http vs. https and just follow the links wherever they go. If the artwork looks good, the "rap" sounds good and offers something they would want, they just "give it up" without worrying about the little lock icon. If the phisher is good enough, they won't give it a second thought, even after being phished (e.g. "congratulations you have been enrolled in Verified by Visa").
The solution to the whole phishing thing should be obvious to us in the technology world. Remember mutual authentication. Yes, it still works. Bank of America lets you choose a 'picture' that they promise to always show you before you give up your password. The solution is marginal at present because you only know about it if you use their online services to start with. A serious mutual authentication scheme would involve printing every statement with this picture and drilling into people's minds that - no picture, no password. It requires a serious PR campaign.
Right now I have no sympathy for the banks who get ripped off (mtnamerica.org - give me a break). I do have sympathy for the innocent people who fall victim to this and for the shareholders of banks who have to put up with the slow uptake on solutions to this problem.
OK. I get off soapbox now.
Cheers.
I think part of the problem is the push to pretend the internet is safe and perfect. Since when has anything in our world been safe for the ignorant? The reality of computers and the internet needs to be common knowledge: you can get into trouble, especially if you don't know what you're doing. If I jumped in a car and put the pedal to the floor and wrecked, would it be Pontiac's fault or the Department of Transportation's that a flawless safety net wasn't put in place? I'm not saying it's ignorant computer users' fault if they get scammed, but the bullshit promises that you can give out your bank account number over the internet without worry. I don't care how computer savvy you are, we've all had a moment where we were momentarily tricked; imagine somebody that has no idea. I mean, remember, those AOL security commercials claim they have single-handedly foiled hackers, spam, etc. Computer technology is too wild to pretend the good guys are always in control; let's be honest and admit if you connect to the internet you are taking a risk.
There are several issues with this system, however. The biggest one seems to be that it requires the customer to remember still more crap... ^h^h^h^h
Another issue is that several times a year now online shoppers are faced with learning entirely new paradigms and associated rules for how to know if they are being scammed. It's hard to keep up with this stuff when it's your full time job to do so let alone as a casual internet shopper. (That's the same issue you say? One, there is One big issue! I'll just go out and come back in...)
Another recent example is the Verified by Visa program which has recently been levered to provide a new social engineering angle for a phishing scam. I predicted this a few months ago when I was first exposed to the Verified by Visa system, but I just got around to blogging about it only ten days ago. (see: Verfied by Visa (Veriphied Phishing?) for a description of my unsettling first exposure to this major security initiative from Visa.) I wish I had blogged sooner, I need more points to get my "fortune teller" merit badge!
More fodder:
Joris Evers of CNet blog on SiteKey with links to stories and discussions
Slashdot discussion on SiteKey
By the way, have you noticed that the time horizon for "recent" is now minutes and hours. I can remember a time when it used to be at least weeks.
If you mod me down, I shall become more powerful than you could possibly imagine.