From Spam Daily News
New phishing attack uses phony digital certificates
Posted on September 22, 2005
SurfControl rates this threat as 'High Risk' because the technique's sophisticated elements mask the scam, and because it can victimize everyday Internet users with limited knowledge of Web security and digital certificates.
The "secured phish" technique creates an illusion of security in order to mask the phishing attack.
This blended threat is delivered via e-mail and supported by a spoofed Web site and a self-signed digital certificate. The spoofed site is an exact copy of a legitimate site and is served over HTTPS. Phishers achieve this appearance of trust with a self-issued Secure Sockets Layer (SSL) digital certificate.
"In self-signing, you become your own certificate [issuing] authority," noted Susan Larson, SurfControl's vice president of Global Threat Analysis & Research. "Many enterprises have their own self-signed certificates that they use to secure documents within the company. But the very scary thing here is that most people don't know that self-signed certificates exist."
When a browser connects to a site that presents a certificate, it checks the certificate's validity and, under certain circumstances, including when the certificate is self-signed, puts up a warning dialog. Those warnings aren't always understood or taken seriously by users.
"When alerts like this come up, people often click 'Yes' to continue because they've seen such warnings before and believe everything is okay," Larson said. "Some people will actually examine the certificate, and see that it's self-signed. That will tip them off that it may be a phishing attack."
"Regardless of their Internet experience or familiarity with security issues, most people have come to accept the idea that if they see the lock in the corner of their browser, they are safe. This cunningly crafted technique preys on this trust," Larson said.
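As an added illustration, not part of the SurfControl report or this article, the check a browser performs on the certificate can be reproduced over the fields that Python's ssl module exposes: a certificate whose issuer is identical to its subject is self-signed, so nobody independent has vouched for the site behind the lock icon. The sample certificates, the bank and CA names, and the issuer allowlist below are constructed placeholders.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample certificates in the dict shape that
# ssl.SSLSocket.getpeercert() returns after a verified handshake:
# subject/issuer are tuples of RDNs, each a tuple of (type, value) pairs.
# All names are placeholders, not real sites or CAs.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "onlinebanking.example"),),),
    "issuer": ((("commonName", "onlinebanking.example"),),),  # issuer == subject
    "notBefore": "Sep 20 00:00:00 2005 GMT",
    "notAfter": "Sep 20 00:00:00 2006 GMT",
}
CA_ISSUED_CERT = {
    "subject": ((("organizationName", "Example Bank"),),
                (("commonName", "www.example-bank.example"),)),
    "issuer": ((("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA Root"),)),
    "notBefore": "Jan  1 00:00:00 2005 GMT",
    "notAfter": "Jan  1 00:00:00 2007 GMT",
}
# Hypothetical allowlist of issuer organizations an enterprise trusts.
TRUSTED_ISSUER_ORGS = {"Example Trusted CA"}
# Evaluation time for the samples (the article's date).
ARTICLE_DATE = datetime(2005, 9, 22, tzinfo=timezone.utc)


def name_to_dict(name):
    """Flatten a getpeercert() name tuple into {attribute: value}."""
    return {attr: value for rdn in name for (attr, value) in rdn}


def is_self_signed(cert):
    """Issuer identical to subject means the site signed its own certificate:
    no independent party vouched for it, which is the 'secured phish' setup."""
    return name_to_dict(cert["subject"]) == name_to_dict(cert["issuer"])


def classify_cert(cert, trusted_orgs=TRUSTED_ISSUER_ORGS, now=None):
    """Return a verdict on whether the lock icon deserves any trust."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now > not_after:
        return "expired"
    if is_self_signed(cert):
        return "self-signed: no CA vouches for this site"
    issuer_org = name_to_dict(cert["issuer"]).get("organizationName")
    if issuer_org not in trusted_orgs:
        return f"unknown issuer: {issuer_org}"
    return "issued by trusted CA"
```

On a live connection the same fields come from a socket wrapped with `ssl.create_default_context()`, which refuses a self-signed certificate outright; the scam depends on a browser that merely warns and lets the user click through.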
SOURCE: SurfControl