Results 1 to 5 of 5

Thread: Phishing Site Using Valid SSL Certificates

  1. #1
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171

    Phishing Site Using Valid SSL Certificates

    writes to tell us the Washington Post SecurityFix blog has an interesting article about a new and rather sophisticated phishing scheme. The email not only used the first few digits of the users card number to look more plausible (even though the first part of the number is the same for all cards), but it also used a valid SSL certificate for its domain name."

    http://it.slashdot.org/article.pl?si...43251&from=rss
    Slashdot | Phishing Site Using Valid SSL Certificates

  2. #2
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252
    Checked real quick and see this wasn't posted here yet - if I missed it however - my apologies. I just thought this might go well with Egaladeist's news about phishing.

    This comes from the SANS ISC and goes through a story, a story both comedic and horrific, a story about - you guessed it - phishing.

    Title: "Phollow the Phlopping Phish"

    Link: http://isc.sans.org/diary.php?storyid=1118

    At the end of the story - there are lessons learned that should be reviewed as well.

    "Igitur qui desiderat pacem, praeparet bellum. " - Vegetius
    \"We\'re the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We\'ve all been raised by television to believe that one day we\'ll all be millionaires and movie gods and rock stars -- but we won\'t. And we\'re learning slowly that fact. And we\'re very, very pissed off.\" - Tyler (Brad Pitt) Fight Club.

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    And the crux of this issue....
    "Geotrust and other SSL issuers are supposed to do some basic due diligence to ensure that the entity requesting an SSL certificate is indeed authorized to request it on the company's behalf."

    GeoTrust is a bass ackwards company and it's not surprising that they issued a cert to a phishing crew.

    Like we've been saying for years, a valid cert does not necessarily mean that it represents a valid entity.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Hey, don't you knock GeoTrust! They sell CHEAP certificates! I never did buy into that damned "You get what you pay for" line of bull!

    </sarcasm>

    There is a reason the larger CA companies charge what can feel like an arm and a leg for a certificate signing. They are leveraging their trusted position, on the certificate requestors behalf. The company in question SHOULD be paying for the CA to expend the effort to do the job right.

    You can certainly go buy one of those pre-fab cardboard cheap-and-easy houses some engineer made to shelter the homeless or folks in 3rd world countries...but if you try to subsist inside one up above the arctic circle, you will get what you paid for.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  5. #5
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    It seems in this case that *even* if you register your domain to a viable trust authority, like CA. There is nothing inherent in the trust system outside of due diligence on the issuing authority to protect you from another less viable company issuing what looks like a valid Cert attached to your name? By that I mean outside of other measure floating around like dual authentication or anti-phishing checks via 3rd party software like Brand Watch etc. And *gasp* customer education that DOES NOT work. Oh and internal fraud checking capabilities that flag use outside of baseline for imediate investigation.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •