Phishing Site Using Valid SSL Certificates

UnderAttack writes to tell us the Washington Post SecurityFix blog has an interesting article about a new and rather sophisticated phishing scheme. The email not only used the first few digits of the users card number to look more plausible (even though the first part of the number is the same for all cards), but it also used a valid SSL certificate for its domain name."

un-possible!

[conJunk (779958)]

What? An electronic system that didn't function properly? Color me SHOCKED!!!

/sarcasm

Seriously. I remember in the early 90s, tv ads for banks that ended with "...and remember, our staff will never ask for your credit card number over the phone." I think people *eventually* got the message on that one. How long will it take online? Remember, unsolicited email that links to a website ready to take your credit card number is bullshit, mom.

It's just a numbers game

[Alwin Henseler (640539)]

Seriously. I remember in the early 90s, tv ads for banks that ended with "...and remember, our staff will never ask for your credit card number over the phone." I think people *eventually* got the message on that one. How long will it take online? Remember, unsolicited email that links to a website ready to take your credit card number is bullshit, mom.

You mean people would never give out credit card numbers, when asked over the phone? I think you place too much faith in humanity.

Most people would agree it's stupid, and fewer people will behave stupid after an education campaign (or after being bitten in the ass). Scam artists may not bother anymore with a certain method. But not because it wouldn't work; but because they've moved onto easier methods, methods that (these days) give them more return for their effort.

For the same reason, e-mails with attachments like "Anna Kournikova.jpg.pif" will keep getting clicked on. You may think it's silly, but there's a new sucker born every day.

Re:un-possible!

[mgh02114 (655185)]

Seriously. I remember in the early 90s, tv ads for banks that ended with "...and remember, our staff will never ask for your credit card number over the phone." I think people *eventually* got the message on that one.


They do this all the time. Just last week, Discover called and left a message on my machine "This is the security department, we have a question about the activity on your account, please call 800-###-#### to ensure continued service." When I called that number, they started off saying "Please tell me your card number, your mother's maiden name, etc." all to "confirm my identity" I of course refused, hung up, and called the 800 number printed on my credit card. They were understanding, but never acknowledged that they were essentially asking me to give all my personal information to a random person who called my home phone number.

Re:un-possible!

[gutnor (872759)]

I got exactly the same here in the uk unless that instead of stopping immediatly I do like any joe user I called back the number, gave my credit card number, birth date but before answering for my mother maiden name, I just realised what I was saying and felt the little tickling in the belly meaning stress ...

I asked the women on the other hand what was that about - why I need to give this info?
She told me she need 'security check - blabla'
I asked why they asked me to call and where I was exactly she just told me the name of the bank (thanks,easy) but she needed the security check to give the reason of the call (best excuse ever)...

I hang up - ( I start to sweat ) - I went straight to the website to find the number I just called in the bank public phonebook but nada ... the number was not even close to any number used by the bank. I googled the number, nothing ... ( arghhhh )

I called the bank, this time I have to give the security ID again ( after the previous experience, even if you pick the number yourself in your monthly statement, you really feel uneasy )
I asked the girl what was this number I just called, and what I'm suppose to do know ... she took less than 2 min ( from my point of view, a very big value of 2 ) to find out that this number is not in the bank private directory either...

Hopefuly the girl ring herself to the mysterious number and found out that it was only a number setup for the billing departement ( yeah I missed a payment :-) ) ...

They had a valid reason to contact me, I had an urgent action to take but why in hell do they use the same trick the spammers use?
They use an unknown number not even known from the bank employees ?
If I did as we are told in the security leaflet given by the very same bank, I should have called the fraud departement of the bank to report the phishing attempt instead of ringing back!

Re:un-possible!

[jacksonj04 (800021)]

Why can't banks use a similar system to the "mother's maiden name" to prove who they are? You tell them three pieces of information, and then when they call you can ask for any one of them (They may need to prompt you first).

has to be retired-- a rebuttal

[way2trivial (601132)]

you say, eventually an old trick has to stop being used, I say read the following

http://www.historybuff.com/library/refbarnum.html [historybuff.com]

Re:Public school system

[sqlrob (173498)]

Do browsers check revocation lists? I didn't think so

Yes. At least IE does. It slows things down if you're on an isolated network, so it's one of the first things I turn off on those machines.

Re:Public school system

[by Anonymous Coward]

IE used to have a bug where they would check the revocation list for every domain except microsoft.com. Worked well until someone walked into VeriSign's office one day impersonating Microsoft and walked out with several signed certs for microsoft.com. Hee hee. I don't know when MS fixed this, but as I recall they weren't in a big hurry to issue a patch.

Firefox does

[Weaselmancer (533834)]

Check here for settings. [mozilla.org]

Re:This bears repeating -

[Craig Davison (37723)]

If the domain name of the website you're visiting is correct, and you didn't get an SSL error, you know for sure that you're connecting to the right server, and your communication to the server won't be modified or eavesdropped in transit.

What's going on with this phishing site is that they have a bogus domain name, which unfortunately is good enough to fool people. If you know know that your bank's website is citibank.com, not secure-citibank-website.com or something like that, you will never fall prey to this. You're wrong that a check would not have done any good.

And a "self-signed" cert is useless because a man-in-the-middle could issue his own "self-signed" cert and just replay traffic between the client and your server.

What?

[cosmotron (900510)]

Did people honestly think that their techniques were going to get worse rather than better?

Sophisticated Phishing

[Kelson (129150)]

No, but a lot of people still have the silly idea that phishing is only as sophisticated as it was 2 years ago, back when it was plaintext, full of misspellings, and sent you to an IP or a GeoCities page.

Back then, it was hard to imagine people getting fooled by the crude "Send me yore passwerd" level of "attacks" -- and yet people fell victim to it just the same. These days, they're polished enough that you basically have to assume any email that claims to be from your bank is forged, then examine it and try to prove otherwise.

Re:Sophisticated Phishing

[kampit (48398)]

Easiest thing to do is just not to trust any email you receive that deals with important matters such as a bank account, say you do your online banking with YourBank and receive an email that claims to be from them, if you can't immediately tell it's fake.. just go to your browser and manually type in the url for the bank (or use a bookmark), if there's no notification of whatever problem is described in the email, it's definitely fake.

Re:Sophisticated Phishing

[glwtta (532858)]

These days, they're polished enough that you basically have to assume any email that claims to be from your bank is forged, then examine it and try to prove otherwise.

Well, yeah, why wouldn't you assume that? In fact, there's no need to examine it to try to prove otherwise, just go to your online banking site (which, it doesn't take a genius to bookmark when you sign up for it), if the bank wanted to tell you something, you'll be notified there too.

What, are you saying I should also assume that the letters I get telling me I won 10 million dollars are not real either?

In other news - Stupid People Still Stupid

[by Anonymous Coward]

If you get scammed on the intarweb, your intarweb license should be revoked.

Nice try, but I can tell you're trolling

[rsilvergun (571051)]

you spelled 'intarweb' right both times.

Clues for phishers from Geotrust

[14erCleaner (745600)]

From TFA: Mp> Geotrust has a rigorous process in place to check for phishy certificate requests that relies on algorithms which check cert requests for certain words, misspellings or phrases that may indicate a phisher is involved. In this case, she said, the technology did not flag the request because there was nothing in the Internet address to indicate the site was at all related to a financial institution.

If they rely on misspellings, they'll only catch the dumb phishers. They're generally the ones that don't catch a lot of people anyway, or at least not anybody who doesn't deserve to be scammed.

Re:Clues for phishers from Geotrust

[AndyBassTbn (789174)]

They're generally the ones that don't catch a lot of people anyway, or at least not anybody who doesn't deserve to be scammed.

You know, I hate hearing that anybody deserves the financial ruin that results from falling for one of these scams.

Remember, the more that geeks put on the "you're stupid so you deserve what you get" attitude, the fewer folks who are less-computer-savvy will buy computers for fear of being taken for a ride (and knowing no one will help them.)

This, in turn, results in less money floating around in the tech sector, which, in turn, results in less money being invested to develop convieniences upon which we have come to rely - such as online banking.

Which, of course, results in less money in the pocket of the geeks that were so callous to begin with. Remember - we NEED the end user just as much as the end user needs us.

Re:Clues for phishers from Geotrust

[The-Bus (138060)]

Take Commerce Bank [commerceonline.com]. They have CommerceOnline.com for their main domain and CommerceOnlineBanking.com for their online banking. But why not CommerceBankHome.com as GoDaddy suggest? Or CommerceBanking.com? Or CommerceBankingOnline.com?

Unfortunately their domain names are a soup of common names and it's impossible to remember. With common names, a small alteration of the site and that's all you need to confuse some folks.

The best phishing URL I've ever seen was one that was www.amazon.com.exec-obidos.com. If anyone remembers, previously Amazon URLs always had an exec-obidos in their path when the link lead to a product. Even I had to blink a few times before I realized it was a phishing scam. (All the links went to a working Amazon section).

Re:Clues for phishers from Geotrust

[massysett (910130)]

Good point on the bank. Even worse about Amazon is the way the URL instantly changes anytime you type in www.amazon.com. It appends a bunch of random-looking letters and numbers to the end. "Average user" then concludes that any URL with "amazon" and a bunch of random letters at the end is a legitimate Amazon page.

Signed SSL certs worthless

[Spazmania (174582)]

Proving once again the relative lack of worth of requiring SSL certificates to be signed. All it does is make a few companies rich.

Re:So, your point is?

[rekoil (168689)]

I say that because this is the first incident ever being reported where an SSL cert was obtained illegitimately.

Um, no. [infoworld.com]

Re:So, your point is?

[clymere (605769)]

One can at least mitigate the money issue. http://cacert.org/ [cacert.org] is an alternate "open" root cert authority. They're working hard to gain the acceptance of the likes of verisign. I've had converstions with a few of them, and its arguable that their verification procedures are _more_ rigorous than those conducted by the the CA's that are charging high prices.

Nevermind the fact that if noone is buying certs, theres no finanical pressure to cause them to make any compromises for those willing to pay the right price.

Re:So, your point is?

[Rich0 (548339)]

The problem is that they're having a hard time even getting mozilla to trust them. There's a bugzilla entry with about 500 CC's listed all of whom are waiting patiently for the root cert to be installed...

Re:Signed SSL certs worthless

[psyclone (187154)]

How does paying "extra" for a DNS server do anything with respect to phishing? The days of cache-poisoning DNS servers are going the way of the open SMTP relay. They are almost non-existant.

That's why I don't click html links...

[the_humeister (922869)]

...and also why I hate html email and use pine as my mail client. Unfortunately, most people don't know enough to not click html links sent to their email account. As a result, this is especially worrisome because it looks legit.

Re:That's why I don't click html links...

[Ctrl+Alt+De1337 (837964)]

I hate html email and use pine as my mail client

I hate to break it to you, but the vast majority of computer users would not be willing to use a terminal-based email system. Most are afraid of using terminals period. I'm glad that you found something that works for you and can score you cool points on Slashdot, but I hope you weren't stating that as a recommendation. Links in email aren't necessarily A Bad Thing so rather than do away with them completely, it's better to fight the phishers instead of the links.

Re:That's why I don't click html links...

[93 Escort Wagon (326346)]

"...users are capable of doing it if they weren't ignorant. 10 years ago when GUI mail readers barely existed... Windows is to blame for dumbing down our computer users to the point of being completely incompetent when it comes to dealing with a non-clicky-clicky interface."

Congratulations! You've earned extra Slashdot Coolness Points for 1) slamming Windows; 2) insulting the average user; and 3) being blissfully unaware that most normal people actually prefer a GUI interface!

Re:That's why I don't click html links...

[value_added (719364)]

...users are capable of doing it if they weren't ignorant. 10 years ago when GUI mail readers barely existed... Windows is to blame for dumbing down our computer users to the point of being completely incompetent when it comes to dealing with a non-clicky-clicky interface."

Congratulations! You've earned extra Slashdot Coolness Points for 1) slamming Windows; 2) insulting the average user; and 3) being blissfully unaware that most normal people actually prefer a GUI interface!

Perhaps, but more importantly, he offered a reminder that 1) the "Ease of Use" design of Windows and many Windows-based apps does encourage stupidity; 2) GUI apps, despite their added features, can often be inferior to terminal-based programs (in this particular case, even dangerous); and 3) terminal-based programs need not be difficult to use as ordinary people were once perfectly happy typing cryptic-looking commands on a bare screen.

I'd say each of those is reminders is valuable, and the distinctions made are important.

This isn't so different than refering to Windows-based viruses as worms as "computer viruses." Put another way, if everyone does indeed want clicky programs and text/html email as another poster suggested, it's perfectly appropriate that they have a clear understanding that any problems they encounter are mostly the result of their preferences. A few comparisons and a little background are always useful.

Revoke SSL cert?

[spicyjeff (6305)]

Couldn't the SSL Certificate issuer just revoke the certificate of anyone using said certificate for malicious or illegal purposes? That would at least give some warning to uses with a bad or unknown certificate message.

Re:Revoke SSL cert?

[EvilMonkeySlayer (826044)]

The problem with that is, in order for the revocation to take effect the user needs to download the root certs update which will be provided by their browser vendor (which in this case will more than likely mean MS) and lets face facts the majority of users never even bother updating, the fickle masses that they are.

A revoked cert isn't the solution, the solution is fixing the process by which people can get SSL certificates in the first place. There need to be more checks and balances. The current process is essentially; give us your money please, ok here's your certificate.. Enjoy!

Re:Revoke SSL cert?

[hackstraw (262471)]

The problem with that is, in order for the revocation to take effect the user needs to download the root certs update which will be provided by their browser vendor (which in this case will more than likely mean MS) and lets face facts the majority of users never even bother updating, the fickle masses that they are.

A revoked cert isn't the solution, the solution is fixing the process by which people can get SSL certificates in the first place. There need to be more checks and balances. The current process

Re:Revoke SSL cert?

[croddy (659025)]

Perhaps the solution is for people not to equate a secured network transport layer with the legitimacy of the business on the other end of said transport.

Sure, you may be speaking with a scumbag using strong encryption, but he's still a scumbag.

Re:Revoke SSL cert?

[afidel (530433)]

Actually all you have to do is go into Tools, Internet Options, Advanced, and under Security select Check for server certificate revocation which tells IE to check the OCSP of the publisher before accepting a certificate (Tools, options, advanced, security, verification under Firefox). I'm not sure why other than speed that these options aren't enabled by default but you are right that better controlls on certificate issuance would be nice.

Re:Revoke SSL cert?

[squidguy (846256)]

The problem with that is, in order for the revocation to take effect the user needs to download the root certs update which will be provided by their browser vendor/

Err...sort of. The user would need a root update if the SSL vendor's root isn't already contained in the user's browser cache. If they didn't have the correct root, then the "valid" SSL cert would appear invalid to the browser because the cert couldn't be traced back down the chain.
To check for certificate revocation, you have to have you

Re:Revoke SSL cert?

[Vellmont (569020)]

the solution is fixing the process by which people can get SSL certificates in the first place. There need to be more checks and balances. The current process is essentially; give us your money please, ok here's your certificate.. Enjoy!


How is any cert provider going to know that a phisher is going to use a cert for a similarly named website? If I go and buy the domain mountain-america.com, setup a website that looks like I'm going to sell vacations to the mountains on that URL, get my signed cert, then turn around the next day and make it look like the mtnamerica.org website, how is the cert issuer going to read my mind and know that?

No, the answer is that banks need to be issueing some kind of security device that does all the verification. I'm fairly certain all of this is technically possible via everyday encryption.

better link for this storey

[UnderAttack (311872)]

A better link, with more screenshots:

Phollow the Phlopping Phish [sans.org]

Nice story and I gotta say it again ...

[khasim (1285)]

Finally, banks and credit unions that send out email with clickable links teach their customers incredibly dangerous habits. Financial institutions that use multiple domain names are setting their customers up for disaster. And, of course, any financial institution that isn't checking their referrer logs for odd and unknown sites is a time bomb waiting to explode.

All any bank would have to do to end phishing is to PUBLICLY state that they will NEVER use email to communicate with ANY of their clients.

They have your phone number.
They have your address.

They can send you a letter, they can call your phone. And their phishing rate would drop to almost zero.

Geez...

[razzamatazm (953915)]

Soon all the good ideas will be taken and I'll be stuck selling penis pills again. Ugh...

Also written up at SANS/ISC

[Kelson (129150)]

The Internet Storm Center did a write-up on this case [sans.org] inclusing a hypothetical tale of Joe Sixpack trying to verify the phish, doing (almost) everything right -- typing in the address instead of clicking on the link, checking for an SSL certificate, checking who the cert is registered to, etc, and still getting caught.

The fatal flaw in the hypothetical course of action is trusting the non-standard domain name...but you can hardly blame Joe Sixpack for that one when so many financial institutions actually use one-off domains or partner sites. I was working on some phishing rules last year and counted something like 5 domains that Citibank used alone.

It's all a matter of time

[Jorkapp (684095)]

These phishers are getting more and more sophisticated, but it's only a matter of time before they're caught. To get more sophisticated requires better services and equipment, which requires the phishers to either:
a) Give out their true information - name, address, etc, making for easier law enforcement tracking
b) Give out flase information - which may buy them some time, but will only cause the bite taken out of their ass by law enforcement to be that much bigger.

Even still, Valid SSL certificates and whatnot don't mean shit against a true savvy user who knows better. Any user who actually reads the warnings by their banks/credit card companies/etc will know that said companies will never send emails asking for credit card information.

Assuming too much for signed SSL certs

[Vellmont (569020)]

Beyond the cert saying the business was in Salt Lake City Utah, I don't really see how there was some big confidence broken here. The SSL cert was issued for "www.mountain-america.net". The bank in question is "www.mtnamerica.org". Whoever thinks that a signed SSL certificate is supposed to verify anything other than the person/entity asking for the cert is the same person who owns the domain is assuming waaaay to much.

In essense signed certs are only supposed to protect from a man-in-the-middle attack, not someone being fooled into going to a similarly named website. Why shouldn't I be able to get a signed cert for mountain-america.net if I own it? There's plenty of similarly named legit businesses that all have certs issued to them.

Re:Assuming too much for signed SSL certs

[iabervon (1971)]

Browsers are designed to make people assume that CA-signed SSL certificates actually mean something they care about. The only thing this stops is somebody who manages to take control of a site's DNS or TCP traffic but somehow fails to use this control to get a certificate issued. But browsers treat self-signed certificates as really suspicious and CA-signed certificates as perfectly secure. The user isn't given any useful information, and has to make the decision based on information which, as you say, is not actually relevant. (Actually, CA-signed certificates are less trustworthy in many cases than self-signed ones, because the browser doesn't report that a CA-signed certificate is unfamiliar, while a self-signed one is saved, so it's obvious when it's not the same.)

What would prevent this sort of scam is if people were told that any certificate your browser doesn't already have saved is suspicious, and shown what can be demonstrated about the certificate. If you have a prior relationship with this site, check that this string: (fingerprint of certificate) appears in the information you received. If not, decide whether you believe one of these organizations (signers of certificate, using PKI, based on certificates which come with the system) to make the operation you are doing today safe. In either case, choose a description of the site, which will be displayed when you return to this site in the future. Ideally, the user would be asked to choose whether they recognize the site before they are told more about the certificate, so they don't just look for a reasonable-looking signer.

That way, people click the link, get the real certificate for something that isn't their bank, and they notice that the window doesn't say "Secure connection to: My Bank" (if they've done this before), or notice that the fingerprint doesn't match the fingerprint on their bank statement, and then they know that, whoever this is, it's nobody they've got an existing business relationship with, and the claim about an existing account is clearly bogus.

(Last detail: the certificate with the fingerprint in question should be a self-generated CA certificate, not the actual SSL certificate in use, so the bank can change domain name while keeping the same saved info. The CA cert should be signed by the FDIC and other banking-related organizations, who wouldn't be tempted to possibly sign a sporting-goods store certificate, but that's only at all relevant to people trying to choose a bank online, because the instructions will clearly state that this is not the user's current bank.)

SSL Certs

[thomble (642879)]

Most people don't understand the function of SSL certificates, nor do they understand how EASY and INEXPENSIVE it is to get one from a reputable company.

1. Register the domain JFBVB.COM
2. On your own DNS servers create a record for EBAY.JFBVB.COM
3. Purchase a legit SSL certificate from RapidSSL [rapidssl.com] on that domain for $69
4. Create your phishing site
5. (Illegally) profit!

Many people think that an SSL certificate somehow guarantees a trustful vendor. On the contrary, it simply guarantees that no one will view the information en route. The vendor can do whatever he wants with the information you send.

Just call up and ask for the (finger|thumb)print!

[Goyuix (698012)]

You have never truly had fun with the support staff at your bank/credit union/credit card/whatever until you have called and asked them to verify the thumbprint/fingerprint of their SSL cert for you.

Unfortunately, it looks like Geotrust lost this round, and it probably would be considered good practice to actually do that from time to time. For the truly paranoid, remove all root certificates, and only after verifying the thumbprint proceed to install that cert into your cache. No more trust hierarchy.

Digitally signed confession...

[ave19 (149657)]

You know, if that SSL certificate traces back to a valid human, then you can arrest him/her for phishing and they've provided all your evidence for you.

It's like leaving your digitally signed confession at the scene of the crime. No CSI team needed. Only the crooks know the corresponding private key.

If you can't trace that certificate it back to a valid human, than the CA needs to be beaten with a large stick.

Banks should protect the money, not us

[by Anonymous Coward]

It amazes me that people forget that a banks job is to protect your money.

The phisher in the end shouldn't be able to get any money from this.

The banks should have in place a system that secures your money much better than this. It reminds me of the wild west where banks were robbed all the time.

Like, why do the retailers have to protect the banks? Why do they have to ask for ID when you already presented a valid banking card to them? Is this system insecure? Yes, and that's why they ask for ID. WTF?

People should consider this the same as a bank getting robbed over and over. If the banks got enough bad press from this then maybe they would do something about it.

But never forget, this is not money, it's currency backed by nothing of value and could become wortless in a day. People have been trying to tell you this for years, but you people won't read any simple banker history, it's too booring.

http://www.apfn.net/Doc-100_bankruptcy13.htm [apfn.net]
http://www.federal-reserve.net/ [federal-reserve.net]
http://www.converge.org.nz/pirm/fr_paul.htm [converge.org.nz]
http://batr.org/verity/id6.html [batr.org]

Tracking these people??

[Stephen Samuel (106962)]

My question is: Did these dogs give equifax enough information for the cops to have some hope of tracking them down? I'm guessing that at least some of this information is faked, but if there's nothing here that the cops can use, then the identity information in SSL certificates is less than worthless.

Phishers have been using SSL since 2004

[miller60 (554835)]

Phishing scams have been using SSL in attacks since 2004. Last year Netcraft identified more than 450 phishing attacks that used SSL certificates [netcraft.com] in one form or another. However, the tactics seen in the Mountain America attack are more sophisticated than previous attempts. In many previous attacks the phishing crews have used an https URL with an SSL cert they know will trigger a browser alert, banking on the likelihood that many users will trust the padlock and ignore the certificate. This one is designed to fool more sophisticated users who actually check the certificate.

Geotrust hasn't revoked the phisher's cert yet

[Animats (122034)]

Check it out. [geotrust.com] Still listed. Doesn't even seem to be in the certification revocation database.

Let's quote what Geotrust says about relying on certificates: [financialc...graphy.com]

GeoTrust's solution is that the browser should display ... "The name and logo of the CA who issued the certificate. Consumers will soon learn from news reports which CAs to trust and which CAs use sloppy procedures and should not be trusted."

We should take Geotrust at their word. Now that we're certain that their procedures are sloppy and they can't be trusted, their certs should be pulled from all browers. New releases of Firefox should not contain root certs for Geotrust. They had their chance, and they blew it.