February 14th, 2006, 06:01 AM
Phishing Site Using Valid SSL Certificates
writes to tell us the Washington Post SecurityFix blog has an interesting article about a new and rather sophisticated phishing scheme. The email not only used the first few digits of the users card number to look more plausible (even though the first part of the number is the same for all cards), but it also used a valid SSL certificate for its domain name."
Slashdot | Phishing Site Using Valid SSL Certificates
February 14th, 2006, 03:00 PM
Checked real quick and see this wasn't posted here yet - if I missed it however - my apologies. I just thought this might go well with Egaladeist's news about phishing.
This comes from the SANS ISC and goes through a story, a story both comedic and horrific, a story about - you guessed it - phishing.
Title: "Phollow the Phlopping Phish"
At the end of the story - there are lessons learned that should be reviewed as well.
"Igitur qui desiderat pacem, praeparet bellum. " - Vegetius
\"We\'re the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We\'ve all been raised by television to believe that one day we\'ll all be millionaires and movie gods and rock stars -- but we won\'t. And we\'re learning slowly that fact. And we\'re very, very pissed off.\" - Tyler (Brad Pitt) Fight Club
February 14th, 2006, 07:16 PM
And the crux of this issue....
"Geotrust and other SSL issuers are supposed to do some basic due diligence to ensure that the entity requesting an SSL certificate is indeed authorized to request it on the company's behalf."
GeoTrust is a bass ackwards company and it's not surprising that they issued a cert to a phishing crew.
Like we've been saying for years, a valid cert does not necessarily mean that it represents a valid entity.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
February 14th, 2006, 09:19 PM
Hey, don't you knock GeoTrust! They sell CHEAP certificates! I never did buy into that damned "You get what you pay for" line of bull!
There is a reason the larger CA companies charge what can feel like an arm and a leg for a certificate signing. They are leveraging their trusted position, on the certificate requestors behalf. The company in question SHOULD be paying for the CA to expend the effort to do the job right.
You can certainly go buy one of those pre-fab cardboard cheap-and-easy houses some engineer made to shelter the homeless or folks in 3rd world countries...but if you try to subsist inside one up above the arctic circle, you will get what you paid for.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
February 14th, 2006, 10:33 PM
It seems in this case that *even* if you register your domain to a viable trust authority, like CA. There is nothing inherent in the trust system outside of due diligence on the issuing authority to protect you from another less viable company issuing what looks like a valid Cert attached to your name? By that I mean outside of other measure floating around like dual authentication or anti-phishing checks via 3rd party software like Brand Watch etc. And *gasp* customer education that DOES NOT work. Oh and internal fraud checking capabilities that flag use outside of baseline for imediate investigation.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.