Website Security Solutions

Showing posts tagged with phishing
Tim Callan | 15 Jul 2009 | 9 comments

We're seeing active discussion online about the possibility of hijacking a single frame in a production site to steal logins or PII. The scenario is that a criminal gang would redirect this frame (through DNS poisoning, let's say) and populate it with its own content from servers under its control. Presumably this content would involve form fields asking for information the criminals want to receive and which you would be willing to share in this context (such as your bank account login or social security number).

Now, the recent dialog is around the scenario where this proposed attack happens on a site with an Extended Validation SSL Certificate. The certificate identifies the controller of the top-level frame and does not report on the sources of any internal frames in that page. That is in keeping with near-ubiquitous practices in consumer...

Bob Angus | 15 Jun 2009 | 0 comments

Visit VeriSign (booth #1043) at Internet Retailer 2009 this week for your chance at winning several big contests. Of course, you will also want to get the scoop on why 90% of the 2008 Internet Retailer 500 trust VeriSign to secure their sites and how those leading online retailers are increasing transactions as a result.

Now about those contests...

Everybody wins - Take the Phish or No Phish Challenge at the booth. You will get to test your knowledge of phishing scams in a fun interactive game and you receive a "Trust This" t-shirt. Here's an online version of the Phish or No Phish Challenge to hone your skills in advance.

VeriSign is also partnering...

Tim Callan | 29 Apr 2009 | 4 comments

Here's a cool Advertising Age article about how businesses view online crime and brand damage and what they do about it.

Tim Callan | 14 Apr 2009 | 0 comments

A new report from Gartner states that the number of phishing incidents rose 39.8% with an average loss per incident of $351. This article summarizes Gartner's recommended response for online businesses:

Gartner recommends that enterprises continue to deploy and improve security solutions that protect accounts and customers against attacks. Enterprises that are custodians of customer accounts should also consider site authentication or assurance to confirm to a customer that he or she is on a legitimate Web site and not a spoof site.

Gartner analyst Avivah Litan goes on to suggest a layered security approach as the best response to phishing.

Tim Callan | 07 Nov 2008 | 0 comments

The IRS has published draft 2 of a requirement that will require all e-file tax sites to use Extended Validation SSL Certificates starting January 1, 2009. States the guideline in part:

This requirement applies to Authorized IRS e-file Providers participating in Online Filing of individual income tax returns that collect taxpayer information via the Internet. These Providers shall possess a valid and current Extended Validation Secure Socket Layer (SSL) certificate using SSL 3.0 / TLS 1.0 or later, and minimum 1024-bit RSA / 128-bit AES.

This passage refers to the service that may be offered by sites whereby you can file your taxes directly online from your own computer. The e-file program offers free filing to individual taxpayers...

Tim Callan | 14 Oct 2008 | 0 comments

We know that the practice of phishing, when done effectively, involves surprising the victim, taking him out of his normal context, and creating a sense of urgency through fear. What better opportunity to use all three of these principles than by sending phishing e-mails that are hand-crafted with the current financial crisis in mind? WashingtonPost.com's Brian Krebs gives us a great summary of some of the new attacks that prey on targets' financial concerns.

Tim Callan | 13 Aug 2008 | 0 comments

Consumer Reports recently joined the ranks of those criticizing Apple for the lack of proper security measures in the Safari browser. The consumer protection magazine specifically refers to the lack of support for Extended Validation SSL as one of the reasons for its recommendation against using the browser.

Tim Callan | 02 Jun 2008 | 0 comments

I recently wrote an entry in which I stated that EV SSL is a powerful mitigator against the classic phishing attack. I have received an e-mail asking me to explain how I know that to be the case. Happy to oblige.

If you were a reader of The SSL Blog a little over a year ago when VeriSign premiered the Extended Validation SSL Certificate, you know about the Tec-Ed research. For newer readers or in case we all don't exactly remember how it went, here's a recap.

Tim Callan | 06 Mar 2008 | 0 comments

As someone who focuses most of his work hours on SSL and related technologies, I read a lot of what is written on that subject in the press and the blogosphere and social media sites. I've grown used to a certain amount of misinformation floating around out there and typically view it as a hazard of the online medium.

It happens right now that the dialog around SSL is having a particular problem with information being misinterpreted or taken out of context, or occasionally appearing out of thin air. I'm going to dedicate a few postings to explaining what these misinterpretations are and shining a light on the associated facts.

Let's start with this article that appeared last week from Netcraft. This article discusses the cross-site scripting attack (XSS) and its presence on sites featuring...