Phishing toolkits, available for a small fee in the dark alleys of the Internet, are being coded by hackers to take a broader approach in tricking people into believing they are visiting a legitimate website, according to research conducted by Symantec Corp.
To get security news and tips delivered to your inbox,
The latest phishing toolkits use Secure Sockets Layer (SSL) certificates to masquerade as a legitimate website, said Symantec researcher Zahid Raza. Cybercriminals use the tools to hack into a Web server and then place their phishing pages onto the servers ensuring the certificate information identifies the page as legitimate.
The technique is troubling researchers who say it is very difficult for end users to detect the fraudulent page without examining the certificate. Symantec says fraudulent sites are easily visible when not using SSL, but the new technique makes the phishing page look completely legitimate. While attacks of this method are usually revoked quickly, attackers are getting smarter by using multiple phishing pages on a single certificate to maximize the amount of data they can collect.
EV SSL certificates:
What is most misunderstood about EV SSL certificates? Are there any calculators to help estimate log generation based on number of devices and best practices?
EV SSL certificates won't stop phishers, researchers say: Two researchers call Extended Validation (EV) SSL certificates a Band-Aid approach, and share their research of the phishing underground.
"From May to June 2009 the total number of fraudulent website URLs using VeriSign SSL certificates represented 26% of all SSL certificate attacks, while the previous six months presented only a single occurrence," Raza wrote on the Symantec Security blogs.
At first glance the technique doesn't seem new. A study by MarkMonitor Inc. has long documented phishing attacks against major brand names. The issue is particularly troublesome for the financial industry. MarkMonitor found more than 7,300 domains exploited four top U.S. and international bank brands with 16% of them registered since September 2008.
As Raza points out, cybercriminals have compromised Web servers in the past with SSL certificates so fraudulent pages display a lock icon. But in the latest spate of phishing attempts, the SSL certificates were legitimate because "they matched the URL of the fake pages that were mimicking the target brands," Raza wrote.
VeriSign Inc., which sells SSL certificates, points out that SSL certificate fraud currently represents a tiny percentage of overall phishing attacks. Only two domains, and two VeriSign certificates were compromised in the attacks identified by Symantec, which targeted seven different brands.
"This activity falls well within the normal variability you would see on a very infrequent occurrence," said Tim Callan, a product marketing executive for VeriSign's SSL business unit. "If these were the results of a coin flip, with heads yielding 1 and tails yielding 0, we wouldn't be surprised to see this sequence at all, and certainly wouldn't conclude that there's any upward trend towards heads coming up on the coin."
VeriSign is pushing the more secure Extended Validation certificates (EV SSL). Sites protected with EV SSL encryption display the familiar green icon in the URL address bar and users are vetted more carefully by the certificate authority.
But even EV SSL is coming under attack. Two white hat hackers plan to demonstrate EV SSL vulnerabilities at the Black Hat Briefings in Las Vegas later this month. Security researchers Alexander Sotirov and Mike Zusman will demonstrate new offline man-in-the-middle hacks. The researchers say they can attack an EV SSL-protected site using a SSL certificate. The researchers presented a similar demonstration earlier this year at the CanSecWest conference. VeriSign's Callan said the attacks represent a browser architecture question and ultimately need to be addressed by the browsers.
"The Anti-phishing Working Group discovers something on the order of 1000 new phishing attacks each day. These attacks aren't sitting on the cutting edge like the CSW researchers are," Callan said. "These are good, old-fashioned spoof pages linked to from spoof emails. EV is the best weapon in the fight against those attacks, which are the real scourge of online trust today."