Slashdot Mirror


Phishing Site Using Valid SSL Certificates

UnderAttack writes to tell us the Washington Post SecurityFix blog has an interesting article about a new and rather sophisticated phishing scheme. The email not only used the first few digits of the user's card number to look more plausible (even though the first part of the number is the same for all cards), but it also used a valid SSL certificate for its domain name.

12 of 368 comments

  1. What? by cosmotron · · Score: 5, Insightful

    Did people honestly think that their techniques were going to get worse rather than better?

    --
    Ryan - http://www.thecosmotron.com/
  2. better link for this story by UnderAttack · · Score: 5, Informative

    A better link, with more screenshots:

    Phollow the Phlopping Phish

    --
    ---- join dshield.org Distributed Intrusion Detec
  3. Re:That's why I don't click html links... by Ctrl+Alt+De1337 · · Score: 5, Insightful

    I hate html email and use pine as my mail client

    I hate to break it to you, but the vast majority of computer users would not be willing to use a terminal-based email system. Most are afraid of using terminals period. I'm glad that you found something that works for you and can score you cool points on Slashdot, but I hope you weren't stating that as a recommendation. Links in email aren't necessarily A Bad Thing so rather than do away with them completely, it's better to fight the phishers instead of the links.

  4. Assuming too much for signed SSL certs by Vellmont · · Score: 5, Insightful

    Beyond the cert saying the business was in Salt Lake City, Utah, I don't really see how there was some big confidence broken here. The SSL cert was issued for "www.mountain-america.net". The bank in question is "www.mtnamerica.org". Whoever thinks that a signed SSL certificate is supposed to verify anything other than that the person/entity asking for the cert is the same person who owns the domain is assuming waaaay too much.

    In essence, signed certs are only supposed to protect from a man-in-the-middle attack, not someone being fooled into going to a similarly named website. Why shouldn't I be able to get a signed cert for mountain-america.net if I own it? There are plenty of similarly named legit businesses that all have certs issued to them.

    --
    AccountKiller
  5. SSL Certs by thomble · · Score: 5, Informative
    Most people don't understand the function of SSL certificates, nor do they understand how EASY and INEXPENSIVE it is to get one from a reputable company.

    1. Register the domain JFBVB.COM
    2. On your own DNS servers create a record for EBAY.JFBVB.COM
    3. Purchase a legit SSL certificate from RapidSSL on that domain for $69
    4. Create your phishing site
    5. (Illegally) profit!

    Many people think that an SSL certificate somehow guarantees a trustful vendor. On the contrary, it simply guarantees that no one will view the information en route. The vendor can do whatever he wants with the information you send.
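The point Vellmont and thomble both make, as an added example that is not part of the thread: a browser checks only that a name in the certificate matches the host it connected to, so a cert for www.mountain-america.net or EBAY.JFBVB.COM is perfectly valid and still says nothing about whether that host is the bank. The SAN lists below are constructed, and registrable_domain() is a deliberately naive last-two-labels helper (no public-suffix list).

```python
# Added example (not from the Slashdot thread). Shows the name check a browser
# performs, and the extra "is this really the bank's domain" check it cannot do.

def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; a bare '*' wildcard matches exactly one full label."""
    return pattern == "*" or pattern == label


def hostname_matches(cert_names, hostname: str) -> bool:
    """RFC 6125-style check: hostname must equal a SAN dNSName, or match a
    wildcard entry whose '*' is the whole leftmost label (never deeper)."""
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host) or "*" in pat[1:]:
            continue                      # label count must match; no inner wildcards
        if pat[0] == "*" and len(pat) < 3:
            continue                      # refuse *.com style wildcards
        if all(_label_matches(p, h) for p, h in zip(pat, host)):
            return True
    return False


def registrable_domain(hostname: str) -> str:
    """Naive: last two labels (assumption: no public-suffix list needed here).
    Enough to show that ebay.jfbvb.com belongs to jfbvb.com, not ebay.com."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def looks_like_bank(cert_names, connected_host: str, expected_bank_host: str) -> bool:
    """Defender-side check: cert valid for the host we hit AND that host sits
    under the bank's own registrable domain. A valid cert alone is not enough."""
    return (hostname_matches(cert_names, connected_host)
            and registrable_domain(connected_host) == registrable_domain(expected_bank_host))


# Constructed SAN lists modelled on the names discussed in the thread.
PHISH_CERT = ["www.mountain-america.net", "mountain-america.net"]
BANK_CERT = ["www.mtnamerica.org", "mtnamerica.org"]
SUBDOMAIN_CERT = ["ebay.jfbvb.com"]

if __name__ == "__main__":
    # The phishing cert passes the browser's check for its own name ...
    print(hostname_matches(PHISH_CERT, "www.mountain-america.net"))
    # ... but the host is not the bank's domain, which is the check that matters.
    print(looks_like_bank(PHISH_CERT, "www.mountain-america.net", "www.mtnamerica.org"))
```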

  6. Re:Sophisticated Phishing by kampit · · Score: 5, Informative

    Easiest thing to do is just not to trust any email you receive that deals with important matters such as a bank account. Say you do your online banking with YourBank and receive an email that claims to be from them; if you can't immediately tell it's fake, just go to your browser and manually type in the URL for the bank (or use a bookmark). If there's no notification of whatever problem is described in the email, it's definitely fake.

  7. It's just a numbers game by Alwin+Henseler · · Score: 5, Insightful
    Seriously. I remember in the early 90s, tv ads for banks that ended with "...and remember, our staff will never ask for your credit card number over the phone." I think people *eventually* got the message on that one. How long will it take online? Remember, unsolicited email that links to a website ready to take your credit card number is bullshit, mom.

    You mean people would never give out credit card numbers, when asked over the phone? I think you place too much faith in humanity.

    Most people would agree it's stupid, and fewer people will behave stupidly after an education campaign (or after being bitten in the ass). Scam artists may not bother anymore with a certain method. But not because it wouldn't work; but because they've moved onto easier methods, methods that (these days) give them more return for their effort.

    For the same reason, e-mails with attachments like "Anna Kournikova.jpg.pif" will keep getting clicked on. You may think it's silly, but there's a new sucker born every day.
  8. Re:un-possible! by mgh02114 · · Score: 5, Interesting

    Seriously. I remember in the early 90s, tv ads for banks that ended with "...and remember, our staff will never ask for your credit card number over the phone." I think people *eventually* got the message on that one.

    They do this all the time. Just last week, Discover called and left a message on my machine "This is the security department, we have a question about the activity on your account, please call 800-###-#### to ensure continued service." When I called that number, they started off saying "Please tell me your card number, your mother's maiden name, etc." all to "confirm my identity" I of course refused, hung up, and called the 800 number printed on my credit card. They were understanding, but never acknowledged that they were essentially asking me to give all my personal information to a random person who called my home phone number.

  9. Re:Clues for phishers from Geotrust by AndyBassTbn · · Score: 5, Insightful

    They're generally the ones that don't catch a lot of people anyway, or at least not anybody who doesn't deserve to be scammed.

    You know, I hate hearing that anybody deserves the financial ruin that results from falling for one of these scams.

    Remember, the more that geeks put on the "you're stupid so you deserve what you get" attitude, the fewer folks who are less-computer-savvy will buy computers for fear of being taken for a ride (and knowing no one will help them.)

    This, in turn, results in less money floating around in the tech sector, which, in turn, results in less money being invested to develop conveniences upon which we have come to rely - such as online banking.

    Which, of course, results in less money in the pocket of the geeks that were so callous to begin with. Remember - we NEED the end user just as much as the end user needs us.

    --
    I hope the land around you yields, a crop like all the other fields, and then your waiting might make sense...
  10. Nice try, but I can tell you're trolling by rsilvergun · · Score: 5, Funny

    you spelled 'intarweb' right both times.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  11. Re:Public school system by Anonymous Coward · · Score: 5, Insightful

    IE used to have a bug where they would check the revocation list for every domain except microsoft.com. Worked well until someone walked into VeriSign's office one day impersonating Microsoft and walked out with several signed certs for microsoft.com. Hee hee. I don't know when MS fixed this, but as I recall they weren't in a big hurry to issue a patch.

  12. Re:un-possible! by gutnor · · Score: 5, Interesting

    I got exactly the same here in the UK, except that instead of stopping immediately I did like any Joe user: I called back the number, gave my credit card number, birth date, but before answering for my mother's maiden name, I just realised what I was saying and felt the little tickling in the belly meaning stress ...

    I asked the woman on the other end what that was about - why I needed to give this info?
    She told me she needed 'security check - blabla'.
    I asked why they asked me to call and where I was exactly; she just told me the name of the bank (thanks, easy) but she needed the security check to give the reason for the call (best excuse ever)...

    I hung up - ( I started to sweat ) - I went straight to the website to find the number I had just called in the bank's public phonebook, but nada ... the number was not even close to any number used by the bank. I googled the number, nothing ... ( arghhhh )

    I called the bank; this time I had to give the security ID again ( after the previous experience, even if you pick the number yourself from your monthly statement, you really feel uneasy ).
    I asked the girl what this number I had just called was, and what I'm supposed to do now ... she took less than 2 min ( from my point of view, a very big value of 2 ) to find out that this number is not in the bank's private directory either...

    Hopefully the girl rang the mysterious number herself and found out that it was only a number set up for the billing department ( yeah I missed a payment :-) ) ...

    They had a valid reason to contact me, I had an urgent action to take, but why in hell do they use the same trick the spammers use?
    They use an unknown number not even known to the bank employees?
    If I had done as we are told in the security leaflet given by the very same bank, I should have called the fraud department of the bank to report the phishing attempt instead of ringing back!