Recent phishing scams have been observed using an SSL certificate on the scam web site. Combined with one of the many browser defects, some patchable but unpatched and others unpatchable, these scam sites now give the end user the full appearance of a secure transaction with their bank. As reported by Brian Krebs today (see: "The New Face of Phishing") and as predicted here a couple of weeks ago (see: "Verified by Visa (Veriphied Phishing?)"), the latest such phishing scams have begun to exploit the Verified by Visa program, using the name recognition of the campaign as part of their social engineering. Mr. Krebs mentions a few key facts about this latest scam in his article:
- the scam targets a small bank
- the scam exploits the brand awareness campaign surrounding the "Verified by Visa" program
- the scam uses an SSL certificate that appears to have been obtained specifically to set up the scam web site