News Stay informed about the latest enterprise technology news and product updates.

Phishers' latest hook: SSL certificates

A California company warns of a new phishing attack using self-signed SSL certificates to lull victims into a false sense of security.

Most users recognize -- and sometimes disregard -- the warning box that pops up when inputting personal information like bank account codes on a trusted Web site accessed with an ironclad connection. Time to think twice about such blind trust on previously deemed safe sites, especially if it's a financial firm's Web site.

"Legitimate financial institutions will not produce an alert before you enter the Web site," Susan Larson, vice president of global threat analysis and research for Scotts Valley, Calif.-based SurfControl, warns. "If you get an alert from Windows, don't continue. Go back and navigate to the site as you would normally do. Those sites should have a digital certificate from trusted authorities and the browser knows what those trusted authorities are."

The warning came after SurfControl discovered what it called a "high-risk, secure phishing technique" in which the bad guys use a self-issued Secure Sockets Layer (SSL) digital certificate to make their Web sites look legitimate and safe.

Moreon phishing and other threats with a PH

Phanning the phlames of PHUD

Companies see surge in phishing attacks

The company noted that encryption and the use of digital certificates to validate the authenticity of a Web site are two primary security layers designed to protect people from online fraud and data theft. Encrypted Web sites are designated with https:// in front of the URL in the address bar. When a user visits a secure site, Windows checks the validity of a SSL digital certificate issued by a certificate authority. "If Windows identifies a potential issue with the Web site's SSL certificate, it will warn the user with a pop-up dialog box that lists the problematic area of the Web site's digital certificate, and provide the user with the option of either continuing to the site or not," Larson said.

The secured phishing technique provides the same user experience, but creates an illusion of security in order to mask the attack, Larson said. The threat is delivered by e-mail and supported with a spoofed site that looks legitimate because the phishers are using a self-signed digital certificate. The spoofed site is an exact copy of a legitimate one using the HTTPS protocol signified by the "lock" icon at the bottom of a browser -- a generally accepted symbol of Web site safety, she said.

Though a Windows alert will warn users if a site doesn't look completely secure, users who are either unfamiliar with the content of the dialogue box or jaded by the number of Windows warnings they get may simply click "yes" to continue visiting the page, Larson said.

SurfControl recommended users take the following steps to avoid getting scammed:

  • IT departments should issue an advisory warning employees of the potential scam and enforce their Internet use policies.
  • Individuals should scrutinize alert messages concerning digital certificates and refer to their IT department or other trusted source for assistance in identifying potential fraud.
  • Individuals should navigate to well-known online vendors for transactions and be aware that financial sites should have a valid SSL certificate issued by a Trusted Certificate Authority. These sites will not prompt an alert dialog box.
  • Individuals should never respond to e-mail requests for personal or financial information.
  • Individuals should immediately delete any unsolicited e-mail and e-mails with nonsense subjects without opening the message.

Dig Deeper on Email and Messaging Threats-Information Security Threats

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.