September 22, 2005
New Phish Deceives With Phony Certificates
By Gregg Keizer
A new, advanced form of phishing, dubbed "secured phishing" because it relies on self-signed digital certificates, can easily fool all but the most cautious consumers, a security firm warned Thursday...
The new phish blends traditional elements with the new twist of a self-signed digital certificate, said Larson. It starts the same way as most phishing attacks, with spammed e-mails urging recipients to click on a link to update a financial account. The destination is a spoofed version of a real site that asks the consumer to enter his or her username and password to verify the information (supposedly because unauthorized access has been detected from an overseas IP address).
But this campaign goes above and beyond the typical. The spoofed site uses the HTTPS protocol so that the browser shows the standard "lock" icon designating a secure site. Additionally, the site serves up a self-signed SSL digital certificate (self-signed, meaning the subject of the certificate is also the signer). That's where the trouble really starts, said Larson.
"In self-signing, you become your own certificate [issuing] authority," noted Larson. "Many enterprises have their own self-signed certificates that they use to secure documents within the company. But the very scary thing here is that most people don't know that self-signed certificates exist."
When a browser connects to an HTTPS site, it checks the validity of the certificate it is presented with and, under certain circumstances, including when it sees a self-signed certificate, puts up a warning dialog. But those warnings aren't always understood or taken seriously by users.
"When alerts like this come up, people often click 'Yes' to continue because they've seen such warnings before and believe everything is okay," Larson said. "Some people will actually examine the certificate, and see that it's self-signed. That will tip them off that it may be a phishing attack." But most won't go to the trouble. "The phishers want people to be as unsuspecting as possible," said Larson. By posing as a legitimate site that's secure -- down to a digital certificate -- they're doing just that.
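The check a browser performs, and that users click past, can be reproduced with a client that fails closed instead of asking. The following is an added example for this article, not code from the original report or from the security firm it quotes; it uses only Python's standard library, and the verification codes it maps are OpenSSL's X509 result codes as surfaced by `ssl.SSLCertVerificationError.verify_code`.

```python
import socket
import ssl

# OpenSSL X509 verification result codes exposed by Python's
# ssl.SSLCertVerificationError.verify_code (Python 3.7+).
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
X509_V_ERR_HOSTNAME_MISMATCH = 62


def classify_verify_failure(verify_code):
    """Map an OpenSSL verify code to the reason a browser would warn."""
    if verify_code == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
        return "self-signed"          # subject == issuer, no CA involved
    if verify_code in (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
                       X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY):
        return "untrusted-issuer"     # chain ends in a root we do not trust
    if verify_code == X509_V_ERR_CERT_HAS_EXPIRED:
        return "expired"
    if verify_code == X509_V_ERR_HOSTNAME_MISMATCH:
        return "hostname-mismatch"    # valid certificate, wrong site
    return "other"


def is_self_signed(cert):
    """True when a getpeercert()-style dict names itself as issuer,
    i.e. the article's definition: the subject is also the signer."""
    return cert.get("subject") == cert.get("issuer")


def check_site(host, port=443, timeout=5.0):
    """Connect like a careful browser: verify chain and hostname, fail closed.

    Returns ("ok", cert_dict) or ("fail", reason); there is no "Yes" button.
    Note: with verification disabled, getpeercert() would return {}, so the
    classification relies on the verify error rather than on the parsed cert.
    """
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("ok", tls.getpeercert())
    except ssl.SSLCertVerificationError as err:
        return ("fail", classify_verify_failure(getattr(err, "verify_code", None)))


if __name__ == "__main__":
    import sys
    status, detail = check_site(sys.argv[1] if len(sys.argv) > 1 else "example.com")
    print(status, detail if status == "fail" else detail.get("subject"))
```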