Security Response

Phishing Toolkit Attacks are Abusing SSL Certificates

Created: 08 Jul 2009 14:30:00 GMT • Updated: 23 Jan 2014 18:34:17 GMT
Zahid Raza

Now that more people are paying attention to the risks and have taken the proper steps needed for increased security, fraudulent sites that do not use SSL are easy to spot. However, a recent attack spotted by Symantec used a legitimate SSL certificate to masquerade as a legitimate site. Fraudsters continue to use these kinds of techniques to perpetrate identity theft, and these particular attacks aren’t as noticeable.

Over the last thirty days, Symantec has observed the highest number of URLs abusing SSL certificates seen in the last year. A single compromised Web server with an SSL certificate can be used to host a broad range of phishing sites, and these can have a higher success rate because visitors erroneously believe that they have a secure connection with their intended site.

Fraudsters have targeted the users of major brands by compromising Web servers with SSL certificates so that the fraudulent pages display the familiar lock icon. In these recent cases the certificates were legitimate because they matched the URL of the fake pages that were mimicking the target brands, but in actuality had no connection to the brands displayed. End users would only detect the deception if they reviewed the certificate or had other visual indicators, such as whether or not the site was secured with an extended validation SSL certificate. (Many brands targeted by phishers have begun to adopt the use of extended validation SSL certificates.)

Roughly 80% of browser traffic to websites is now on browsers supporting extended validation. End users utilizing old browsers should consider upgrading to a browser that enables extended validation. Extended validation provides additional security measures and visual indicators to end users, which can alert them to potential fraud when these indicators are not present.

VeriSign is considered to be a leading Secure Sockets Layer (SSL) Certificate Authority and enables the strongest SSL encryption available for every site visitor. Compromised SSL certificates are not a frequent occurrence and in general are remediated and revoked rather quickly; however, the continuing professionalization of fraudsters allows them to maximize the damage they can cause through “piggybacking” multiple phishing attacks on a single certificate.

From May to June 2009 the total number of fraudulent website URLs using VeriSign SSL certificates represented 26% of all SSL certificate attacks, while the previous six months saw only a single occurrence. Although this appears to be an exponential increase in certificate abuse, in actuality only two domains (and two VeriSign certificates) were compromised in these attacks, which targeted seven different brands.

Web servers using SSL certificates generally have strong security measures, so they do not tend to be compromised as frequently as non-SSL sites and, in the larger picture, represent a relatively small percentage of all phishing attacks. However, when one of these servers is compromised, the fraudsters have a higher success rate in defrauding individuals. Toolkit attacks such as these can target a vast number of brands while using a single certificate—all the while offering a false sense of security to the victims.

Here is one such example Symantec has observed this month:

[Image: the SSL certificate presented by the phishing site]

When you look at the above SSL certificate, it appears to be legitimate. This matters because the SSL certificate looks extremely similar to that of the legitimate site. The only way to tell the difference is to open the legitimate website and compare the two certificates.

[Image: side-by-side comparison of the legitimate bank’s certificate (left) and the spoofed site’s certificate (right)]

The image above shows two SSL certificates—one from a legitimate bank and the other from a spoofed bank site. Please note that we have replaced all occurrences of the actual bank’s domain name in the image on the left with “legitimate-bank-name.com.” In the image on the left, the name of the organization under “Issued To” is the same as that of the legitimate brand and also matches the domain name of the targeted bank. In the case of the fraudulent page’s certificate (on the right), the organization’s name, the domain name (in the URL), and the name of the spoofed brand are all different.

Here are a few best practices to use to stay safe on the Internet:

• Change the way you think about SSL certificates, since bad guys can also obtain SSL certificates through compromised Web servers. Don’t rush ahead just because you see a lock icon, and don’t give out your financial or personal information to a site that you reached from a URL received in an email.
• To spot fraud and scams, users are urged to be wary of overly long URLs that redirect to strange-looking domains, such as https://www.abcd.com:ac=adfdekuiokdfoidodecjhed@KI.... WoRlDwIdENeTwOrK.CoM/i.CgI?billing@domain.com.
• Before entering personal information on a website, users should pay close attention to the details of the site’s URL and look for red flags, such as an unusually long domain name that contains the "@" sign.
• Make a habit of typing Web addresses directly into your address bar rather than relying upon any links.
• Scan your system with reputable antivirus software and download and install the latest security updates and patches for your operating system and other software on a regular basis.
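As an added example (not code from the original post or from Symantec), the following Python script automates the two manual checks the article describes: the URL red flags from the list above (an "@" that hides the real host behind a plausible-looking prefix, and overly long URLs) and the certificate comparison from the screenshot discussion ("Issued To" organization versus the host in the URL versus the brand's real domain). Certificates are represented in the dictionary layout returned by ssl.SSLSocket.getpeercert(); the length threshold and the sample URL and certificates are constructed assumptions.

```python
# Added example, not code from the original post. Certificates use the dict
# layout of ssl.SSLSocket.getpeercert(); threshold and samples are constructed.
from urllib.parse import urlsplit

MAX_URL_LEN = 100  # assumed threshold for an "overly long" URL

def real_host(url):
    """Host the browser actually connects to: the netloc part after any '@'."""
    return (urlsplit(url).hostname or "").lower()

def url_red_flags(url):
    """Red flags from the best-practice list: the '@' trick and excessive length."""
    parts, flags = urlsplit(url), []
    if parts.username is not None:
        # Everything before '@' is userinfo; the plausible-looking prefix is not the host.
        flags.append(f"'@' in URL: looks like {parts.username}, connects to {real_host(url)}")
    if len(url) > MAX_URL_LEN:
        flags.append(f"URL longer than {MAX_URL_LEN} characters")
    return flags

def cert_field(cert, key):
    """First value of a subject attribute, e.g. 'organizationName' ('Issued To')."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None

def cert_names(cert):
    """DNS names the certificate was issued for (SAN plus CN; wildcards not handled)."""
    names = {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    cn = cert_field(cert, "commonName")
    return names | ({cn.lower()} if cn else set())

def cert_red_flags(url, cert, expected_brand, brand_domain):
    """Compare 'Issued To' organization, URL host and the brand's real domain.
    A cert on a compromised server passes the hostname check (it matches the
    phishing URL) yet fails the organization and brand-domain checks."""
    host, domain = real_host(url), brand_domain.lower()
    org, flags = cert_field(cert, "organizationName") or "", []
    if host not in cert_names(cert):
        flags.append("certificate was not issued for the host in the URL")
    if expected_brand.lower() not in org.lower():
        flags.append(f"'Issued To' organization is {org!r}, not {expected_brand!r}")
    if host != domain and not host.endswith("." + domain):
        flags.append(f"host {host} is not under the brand's domain {domain}")
    return flags
```

Run against a certificate captured from a suspicious site, the hostname check alone is not enough; it is the organization and brand-domain mismatches that expose a certificate sitting on a compromised server.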

Further information on verifying VeriSign certificates and the VeriSign secured seal can be found on their website:

http://www.VeriSign.com/ssl/secured-seal/verify/in...

VeriSign also offers extended validation certificates, which give the Web browser high-assurance identity information so that it can clearly flag the identity of a website. For example, Internet Explorer 7 will cause the URL address bar to turn green. Other popular browsers such as Firefox, Opera, Safari, Chrome, and Flock also support Extended Validation SSL, as does the Apple iPhone.

More information can be found here:

http://www.VeriSign.com/ssl/ssl-information-center...