Phishing Scams Incorporate SSL Certificates

dettifoss writes "Netcraft reports: `Internet "phishing" scams are incorporating the use of SSL certificates in their efforts to trick users into divulging sensitive login information for financial accounts.' Perhaps more disturbingly: `Scammers can also configure their web server so that deceptive SSL certificates won't trigger an alert in the user's browser. "One of the SSL encoding methods is 'plain text'," Neal Krawetz from Secure Science Corporation noted in the SANS post on the issue. "Most SSL servers have this disabled by default, but most browsers support it. When plain text is used, no central certificate authority is consulted and the user never sees a message asking if a certificate should be accepted.'"

Microsoft Has Got You Covered

[FiberOpPraise]

Don't worry, I make sure to type all of my URL's now including onces such as:
http://slashdot.org/comments.pl?sid=99888&threshol d=0&mode=thread&commentsort=0&op=Reply
Sometimes they take a while but it pays off!

Re:Do people even see the lock?

[gilrain]

Or, worse yet, the guy who has the credit card in his wallet goes out and buys something! Oh wait, I guess that was a step too far.

Re:Do people even see the lock?

[Anonymous Coward]

Or, still even worse, the guy with the credit card travels to Soviet Russia where his credit card spends *him*.

thanks scammers!

[BinaryJono]

finally an affordable way to use SSL certificates on our sites without "unsigned certificate" warnings or having to pay Verisign $895/year for each certificate!

Damm I wish I knew

[MajorDick]

"One of the SSL encoding methods is 'plain text'," I could have had my own certs with no browser barking for all this time ? Damm Years ago I tried the "Please install my certificate thing" It worked for a while but stupid customers kept asking questions (I am sorta joking) Now I find out I could have configured my server to avoid many of these authority issues ?

Re:Best strategy for fighting this

[Anonymous Coward]

If you doubt the authenticity of an e-mail from, say, American Express, just visit the site as you usually do, through a bookmark.

This applies to real life too. The other day, two guys wearing official-looking "police" uniforms came to arrest me. I didn't open the door, I called 911 and told them that some jokers wearing police costumes were trying to arrest me. I turns out they were the real police, but it's always best to double check.

They just want to jam.

[Jasn]

I for one object to blaming all this on Phish. I'm sure that Mr. Anastasio et al. have no connection to this illegal and extremely harmful activity.

Re:Legislation

[alfredw]

most DAs would probably rather go after child porn then something so unlikely to get there names in the paper as white collar credit card scams

Reminds me of Bowling for Columbine. Michael Moore had the brilliant idea of treating white collar criminals just like the rest... Chase them through the street, tackle 'em in the street, and bump them a few times on the hood of the cruiser. Would make for entertaining TV, and every "Average Joe" would love to see his/her boss go down.

EXTREMELY IMPORTANT CRITICAL ACCOUNT UPDATE

[Anonymous Coward]

I think the site you were looking for is here [cockeyed.com].

Re:Do people even see the lock?

[snarkh]

Or, worse yet, the guy who has the credit card in his wallet goes out and buys something!

What a disaster!

Re:Do people even see the lock?

[PD]

The warning buzzers are there by law. The auto industry lobbied to weaken the law, and the compromise was a 20 second requirement for the buzzer. It wasn't a smart auto industry. Remember, they're the ones who think your door is a jar.