Phishing websites look more legit with SSL certs from major companies
The Web is full of deception, and it's sometimes still hard
for people to figure out if the website they're viewing really is what it says
it is.
This type of cyberattack, known as phishing, is designed to
elicit sensitive details from victims by creating websites that look nearly
identical to services like PayPal or Bank of America.
Despite improvements in quickly detecting and taking such
sites offline, it's still a huge problem.
A U.K.-based network monitoring company, Netcraft, says
fraudsters are exploiting weaknesses in the certificate issuance processes of
technology companies in order to make more convincing-looking phishing sites.
Many websites use SSL/TLS (Secure Sockets Layer/Transport
Layer Security) certificates to verify
their domain name and encrypt communications with users.
Use of such a certificate is indicated by a padlock icon (green in
most browsers at the time), which Web users have been advised to look for when, for example,
they're logging onto an online banking service. The padlock only means that the
connection is encrypted to whoever controls the domain shown in the address bar;
it says nothing about whether that domain belongs to the company the page imitates.
The digital certificates are issued by Certificate
Authorities. Netcraft said fraudsters are obtaining digital certificates from
several major CAs -- including Symantec, GoDaddy, Comodo and CloudFlare -- for
their bogus sites, making them appear more legitimate.
"In just one month, certificate authorities have issued
hundreds of SSL certificates for deceptive domain names used in phishing
attacks," wrote Graham Edgecombe, Internet services developer with
Netcraft, in a blog post.
The cheapest kind of digital certificate is called domain
validated, or DV. The CAs selling that type of certificate only check that the
applicant controls the domain name it is intended for. For the more expensive
organization-validated (OV) and extended-validation (EV) certificates, CAs do a
more thorough identity check of the applicant, verifying the legal entity behind the request.
It's these DV certificates that fraudsters are obtaining. DV
certificates are often free or cost less than US$10, Edgecombe wrote.
They're also often issued through automated systems, which makes it easier for
fraudsters to get them for phishing domains, he wrote.
According to industry rules (the CA/Browser Forum's Baseline
Requirements, which browsers hold CAs to), CAs are supposed to screen requests for
potentially high-risk domain names, such as those containing well-known brands, and do
further verification before issuing even DV certificates, Edgecombe wrote.
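The kind of high-risk-name screen described above, as an added example that is not Netcraft's or any CA's code: it folds separators, digit substitutions and a few Cyrillic look-alikes out of a requested hostname, checks whether a protected brand appears in it, and flags the request unless the name's registrable domain is one the brand actually owns. The brand list, the abbreviated public-suffix list, the confusables table and the sample names are all constructed for the example.

```python
"""Flag certificate requests for deceptive, brand-bearing hostnames.

Added example (not from the article or any CA). Brand, suffix and
confusable tables are assumed; a real deployment would use the full
Public Suffix List and a maintained confusables table.
"""
import unicodedata

# Brands to protect and the registrable domains the brand owner controls (assumed).
PROTECTED_BRANDS = {
    "paypal": {"paypal.com"},
    "bankofamerica": {"bankofamerica.com"},
}

# Tiny stand-in for the Public Suffix List (assumed, deliberately short).
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "co.uk", "org.uk", "com.au"}

# Digits and Cyrillic letters commonly used as stand-ins for Latin letters (assumed).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})

# Constructed sample of names as they might appear in certificate requests.
SAMPLE_NAMES = [
    "www.paypal.com",                 # legitimate
    "*.paypal.com",                   # legitimate wildcard
    "paypal.com.secure-login.net",    # brand as a subdomain of an unrelated domain
    "pay-pal-support.co.uk",          # brand split by hyphens
    "paypa1.com",                     # digit substitution
    "bank0famerica-login.com",        # digit substitution plus suffix word
    "p\u0430ypal.com",                # Cyrillic 'a' (U+0430) in place of Latin 'a'
    "mybank.org",                     # no protected brand
]


def canonical_host(name):
    """Lower-case, drop a wildcard prefix and trailing dot, decode punycode labels."""
    host = name.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label is kept as-is and compared literally
        labels.append(label)
    return ".".join(labels)


def registrable_domain(host):
    """Registrable domain under the (abbreviated) suffix list, e.g. a.b.co.uk -> b.co.uk."""
    labels = host.split(".")
    for n in (2, 1):  # try two-label suffixes (co.uk) before one-label (com)
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def brand_tokens(host):
    """Collapse separators and confusables so 'pay-pal', 'paypa1' and Cyrillic
    'p\u0430ypal' all read as 'paypal' for matching. Used only for matching;
    ownership is decided on the real, unfolded domain."""
    folded = unicodedata.normalize("NFKD", host).translate(CONFUSABLES)
    return "".join(ch for ch in folded if ch.isalnum())


def classify(name):
    """Return (brand, registrable_domain) when the name embeds a protected brand
    outside a domain that brand owns; None when it looks benign."""
    host = canonical_host(name)
    reg = registrable_domain(host)
    squashed = brand_tokens(host)
    for brand, owned in PROTECTED_BRANDS.items():
        if brand in squashed and reg not in owned:
            return brand, reg
    return None


def flag_deceptive_names(names):
    """Map each suspicious name to (brand, registrable_domain) for manual review."""
    return {name: classify(name) for name in names if classify(name)}


if __name__ == "__main__":
    for name, (brand, reg) in flag_deceptive_names(SAMPLE_NAMES).items():
        print(f"HIGH RISK: {name!r} embeds {brand!r} but is owned via {reg!r}")
```

A hit is a signal that the request needs a human look before issuance, which is the Baseline Requirements' intent for high-risk requests, not a verdict that the site is malicious: names such as a genuine third-party "paypal community" forum will trip it too. The important design point is that ownership is judged on the unfolded registrable domain, so a Cyrillic look-alike of a brand's own domain is still treated as foreign even though it folds to the same letters.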
Many CAs only send an email to the domain administrator on
record before issuing a DV certificate, said Trell Rohovit, CEO of HydrantID,
a startup that sells digital certs on a subscription basis.
"So essentially a bad guy only has to beat one process/person/or
email, and -- puff -- your brand just flew out the proverbial Internet
window," Rohovit said.
Symantec, CloudFlare and GoDaddy did not have an immediate
comment.
Comodo said it has "the largest share of the
problem" due to it being the largest CA, according to an email statement
from CEO Melih Abdulhayoglu.
Rogue DV certificates are revoked by Comodo when the company
is made aware of them, Abdulhayoglu wrote.
"But certificate issuance is a complex process, and the
problem with automated systems (like DV certificates) is that there are no
human validation operators vetting the issued certificates," he wrote.
A spokesman for Abdulhayoglu said Comodo would not
comment further on Netcraft's allegations.
Some CAs won't issue DV certificates at all because of
security concerns. DigiCert, based in Lehi, Utah, believes DV certificates
provide "little value" and that phishing risks could be mitigated by
not issuing them, according to its website.