Tuesday, February 14, 2006

Phishers target Verified by Visa - as predicted!

Recent phishing scams have been noted to employ an SSL certificate as part of the scam web site. In combination with browser defects, some patchable but unpatched and others unpatchable, these scam sites now give the end user the full appearance of engaging in a secure transaction with their bank. As reported by Brian Krebs today (see: The New Face of Phishing), and as predicted here a couple of weeks ago (see: Verified by Visa (Veriphied Phishing?)), the latest such phishing scams have begun to exploit the Verified by Visa program by using the name recognition of the campaign as part of their social engineering. Mr. Krebs mentions a few key facts about this latest scam in his article.
  • the scam targets a small bank
  • the scam exploits the brand awareness campaign surrounding the "Verified by Visa" program
  • the scam employs the use of an SSL certificate which appears to have been obtained specifically to set up the scam web site

niche markets as targets of opportunity

The pattern of targeting smaller niche markets has been used effectively in the last couple of years by worms and botnets, and it's not surprising to see phishing scams follow suit. Phishers undoubtedly assume that people who bank with larger banks are growing weary of the endless flood of phishing spam they receive. Their potential victims are perhaps becoming wary. By targeting smaller banks, they probably hope to find a fresh pool of victims who are not as sophisticated because they haven't yet been educated by the school of hard knocks. Expect more phishing scams targeting the customers of small banks in the future. Small and even relatively large regional banks often rely upon 3rd party vendors to provide their online banking services. Phishing scammers appear to have a better understanding of web technology and internet security than these companies, and the anonymous nature of the internet, particularly email, will serve as an avenue leading to more, and increasingly sophisticated and effective, phishing scams.

exploiting Verified by Visa brand

Visa has been running commercials. People have heard the phrase "Verified by Visa" many times by now. When an email shows up, they probably half expect it. When that email looks just like the web site of the bank, and when the holes in their web browser make it appear as though they clicked on a link and it took them to their bank's web site, they are all primed and ready to type in their vital statistics: Social Security Number, PIN, account name and password, credit card number, and even the magic security number on the back of the card.

use of SSL certificates on the phishing scam web site

There have been previous incidents where compromised web servers were exploited to set up phishing sites with valid SSL. The novelty of this latest phishing scam is that it appears to use an SSL certificate that was obtained specifically for phishing, in combination with the small bank target and the social engineering of the Verified by Visa program. The role of the SSL certificate in phishing scams warrants further consideration, because there is very little to stop a phisher from obtaining such a certificate. They can already set up fake web servers and email accounts that can't be traced back to a person. The money they steal using stolen identities goes somewhere, too, and that doesn't seem to be easy to trace either, as so few are caught and credit card fraud alone remains a multiple billion dollar per year industry.

Many people, to the extent that they are even aware of the issue, believe that an SSL certificate provides the user with an assurance that they are talking to their bank on the other end of the internet. It most certainly does no such thing, at least not in any meaningful way that you should bet your Social Security Number on. SSL certificates used by most banks and other online shopping sites are issued by a set of companies known collectively as the Certificate Authorities. These companies have managed to place their own "root key" into the major web browsers, so that keys issued by them (for a fee) are "recognized" and "trusted" by the browser. They make only some small pretense, for marketing purposes, about performing due diligence on certificate purchasers. Most of them, even the big ones, really don't do anything meaningful at all in the way of due diligence. The public perception that they do is largely due to the marketing efforts of these companies as they compete with each other by building "trusted brands".
Scam is a bit of a harsh word, but there are many independent security professionals who believe that the whole Certificate marketplace is a sham, if not a scam. As a retail vendor, you must buy an SSL certificate from a Certificate Authority on the pretense that your customers will "be secure" when they are shopping at your site. In reality they only "feel secure". Most of the internet shopping public doesn't really understand SSL. It provides only an encrypted tunnel that prevents 3rd parties from listening in. It doesn't really tell you much that is useful about the party you are connected with. Should you trust them? Even if it *is* your bank, should you type your Social Security Number into their computer? How good is your bank at protecting your data? What about the retail shopping sites you visit on the internet? The collective record is not very good: tens of millions of credit card numbers, with matching names and addresses, were stolen last year. Very few people outside security professionals and systems administrators understand that anyone can generate a "self signed" certificate for free, for example. The difference between a certificate you generate yourself and one generated by a root Certificate Authority is that the CAs have a rooted cert in the major web browsers, which prevents a user warning from popping up when you connect to a site over SSL. This basically forces people to pay a small fee to get a certificate from a CA, rather than generating one, to prevent user confusion and annoyance -- not to provide "security". It's probably not entirely the fault of the Certificate Authorities that people expect more from an SSL certificate than even the wildest of their marketing claims promise. There doesn't seem to be any legal requirement for them to validate the identity of the recipient of an SSL certificate.
Performing even modest due diligence on a person is fairly expensive, although the cost is now down to the neighborhood of about $9 to $12 per person for a limited records search (volume discount prices, depending on options, with additional fees for additional counties and types of records checked, etc.). That wouldn't include the costs of handling incurred by the client company buying the search, evaluating it, and making a decision to issue or refuse to issue a certificate based on the results. Of course, those checks are performed against a person's name and Social Security Number. Suppose you're a Certificate Authority and you just spent, say, $15.00 validating that public records do indeed show a John Smith living at a certain address. How do you know that the person buying your certificate, who claims to be John Smith, really is that person? That's an additional set of expenses, and it's probably non-trivial, given that we are dealing with potential customers who have a certain expertise in passing off stolen identities. In a competitive market, optional costs are quickly cut from the production line. Sometimes there is even a race to the bottom, where services and quality are cut repeatedly as companies struggle to become the low cost producer in a market. If the Certificate Authorities only make a pretense of validating the identity of a customer seeking an SSL certificate, it's probably because the only part of the entire transaction in which they have a vested financial interest is assuring the charge to the credit card that was used to pay for the certificate. In this case, that card was almost certainly stolen, and the scammer certainly had all the identity information required to make what appeared to be a valid charge on the card. Also, the records-search business is a relatively small industry, in terms of the number of providers who can handle bulk requests efficiently and nation-wide, and the Certificate Authorities do not appear to be customers of this industry.
A few perhaps might be; I haven't done an exhaustive search, but I am under the impression that none of the Certificate Authorities attempt to validate the identity of an SSL customer through public records, except by the most primitive means. They will sometimes call a provided phone number, but normally rely on non-human methods like getting a response click on a link sent to the email address provided by the customer. These mechanisms provide some security for the customer purchasing the SSL certificate and some for the vendor selling the certificate, during the process of purchase. They provide little or no security for the customers or victims who connect to a server using the certificate. Even if each and every certificate customer were validated in some slightly more rigorous way, those validated customers could turn out to be shell companies that exist only for the purpose of setting up the scam. Furthermore, the paradigm is fundamentally flawed. Placing the root certificate in the browser for the "convenience" of the end user means that the end user is not confronted with the expectation that they need to be involved in validating each connection they make. Sure, you were connected to a certificate that was valid when it was issued. Has it since been stolen? Are you even looking at a web site that uses the certificate that was issued to your bank? Sure, it looks like your bank, but did you check the certificate to see what it said? It might be a valid user -- a different and evil scamming valid user. It's worth noting that there have been other phishing sites which had valid SSL certificates before. They were set up on compromised web servers using certificates owned by others. However, it seems like the phishers mostly don't concern themselves too much about SSL, because their victims don't always remember to check for the little tiny lock symbol or look for the "s" in "https://".
I'd guess that attempts to set up phishing sites with valid SSL certificates are all about an increase in marginal profit for the phishers -- the more legitimate their phishing site appears, the more data they harvest. Finally, it's possible to buy the ability to generate a rooted certificate -- one that is detected as valid and "trusted" by most web browsers. Who knows how many of those certificate granting authorities have been sold over the years? How many of them were "lost" in corporate mergers or re-organizations and have since shown up on the black market? In any case, it is an open secret that the Certificate Authorities actually do very little to validate the legitimacy of their certificate customers, and the public has a mistaken and dangerous impression that they do.
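To make the mechanism described in the last few paragraphs concrete, here is an added example (my own code, not from the original post) that builds a throwaway root CA, a certificate for a bank host, a certificate for a look-alike host bought from the same CA, and a free self-signed certificate, then runs each through the two checks a browser performs silently: chaining to a pre-installed root, and matching the host in the URL against the names in the certificate. The host names bank.example and verified-by-visa.example and the CA name are assumptions; chain building and host matching come from Go's standard crypto/x509 package, which does what the browser does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a certificate for name, signed by parent; a nil parent makes it self-signed.
func makeCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
	}
	if !isCA { // server certificate: the host names it may be served under, and its permitted use
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed: the free certificate anyone can generate without a CA
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // fixed, valid inputs
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// browserAccepts does what a browser does silently: chain to the one trusted root, then match the URL's host.
func browserAccepts(cert, root *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root) // the CA's "root key", pre-installed in the browser
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Verdicts reports whether each case connects without a warning; CA and host names are constructed.
func Verdicts() map[string]bool {
	ca, caKey := makeCert("Example Root CA", true, nil, nil)
	bank, _ := makeCert("bank.example", false, ca, caKey)
	scam, _ := makeCert("verified-by-visa.example", false, ca, caKey) // bought from the same CA
	self, _ := makeCert("bank.example", false, nil, nil)
	return map[string]bool{
		"bank cert at bank.example":        browserAccepts(bank, ca, "bank.example"),
		"scam cert served as bank.example": browserAccepts(scam, ca, "bank.example"),
		"scam cert at its own name":        browserAccepts(scam, ca, "verified-by-visa.example"),
		"self-signed cert at bank.example": browserAccepts(self, ca, "bank.example"),
	}
}
```

The only verdict that separates the bank from the scammer is the host name match; the root in the browser accepts whoever paid the CA, and the self-signed certificate is the one case that would have produced a warning.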
