Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Phishing websites look more legit with SSL certs from major companies

Jeremy Kirk | Oct. 15, 2015
Netcraft alleges certification authorities aren't properly vetting applicants for SSL/TLS digital certificates.

SSL padlock icon
A padlock icon in the browser's address bar indicates that a secure HTTPS connection has been established with a server by means of an SSL certificate from an acceptable certification authority (CA). Credit: Peter Sayer

The Web is full of deception, and it's sometimes still hard for people to figure out if the website they're viewing really is what it says it is.

This type of cyberattack, known as phishing, is designed to elicit sensitive details from victims by creating websites that look nearly identical to services like PayPal or Bank of America.

Despite improvements in quickly detecting and taking such sites offline, it's still a huge problem.

A U.K.-based network monitoring company, Netcraft, says fraudsters are exploiting weaknesses in technology companies in order to make more convincing looking phishing sites.

Many websites use SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates to verify their domain name and encrypt communications with users.

Use of such a certificate is indicated by a green padlock in most browsers, which Web users have been advised to look for when, for example, they're logging onto an online banking service.

The digital certificates are issued by Certificate Authorities. Netcraft said fraudsters are obtaining digital certificates from several major CAs -- including Symantec, GoDaddy, Comodo and CloudFlare -- for their bogus sites, making them appear more legitimate.

phishing 1 
Some phishing sites, like this one spoofing NatWest Bank in the U.K., appear more legitimate by using SSL/TLS certificates improperly issued by digital certificate vendors, Netcraft alleges. Credit: Netcraft 

Netcraft alleges that it's the fault of the companies for not more closely vetting applicants for domain names that clearly have a scammy feel, such as banskfamerica[.]com and emergencypaypal[.]net. Throughout August, the company studied certificates issued to suspicious domains.

"In just one month, certificate authorities have issued hundreds of SSL certificates for deceptive domain names used in phishing attacks," wrote Graham Edgecombe, Internet services developer with Netcraft, in a blog post.

The cheapest kind of digital certificate is called domain validated, or DV. The CAs selling that type of certificate only check that the applicant controls the domain name it is intended for. For more expensive certificates, CAs do a more thorough ID check of the applicant.

It's these DV certificates that fraudsters are obtaining. DV certificates are often free or cost less than US$10, Edgecombe wrote. They're also often issued through automated systems, which makes it easier for fraudsters to get them for phishing domains, he wrote.

According to industry rules, CAs are supposed to do further verification on potentially high-risk domain names before issuing DV certificates, Edgecombe wrote.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.