Phishing websites look more legit with SSL certs from major companies

Netcraft alleges certification authorities aren't properly vetting applicants for SSL/TLS digital certificates

The Web is full of deception, and it's sometimes still hard for people to figure out if the website they're viewing really is what it says it is.

That kind of deception, known as phishing, is designed to elicit sensitive details from victims through websites that look nearly identical to services like PayPal or Bank of America.

Despite improvements in quickly detecting and taking such sites offline, it's still a huge problem.

A U.K.-based network monitoring company, Netcraft, says fraudsters are exploiting weaknesses in technology companies' processes in order to build more convincing-looking phishing sites.

Many websites use SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates to verify their domain name and encrypt communications with users.

Use of such a certificate is indicated by a green padlock in most browsers, which Web users have been advised to look for when, for example, they're logging onto an online banking service.

The digital certificates are issued by Certificate Authorities (CAs). Netcraft said fraudsters are obtaining digital certificates from several major CAs -- including Symantec, GoDaddy, Comodo and CloudFlare -- for their bogus sites, making them appear more legitimate.

[Image: phishing site spoofing NatWest Bank (Netcraft)]
Some phishing sites, like this one spoofing NatWest Bank in the U.K., appear more legitimate by using SSL/TLS certificates improperly issued by digital certificate vendors, Netcraft alleges.

Netcraft alleges that the fault lies with the CAs for not more closely vetting certificate applications for domain names that have an obviously scammy feel, such as banskfamerica[.]com and emergencypaypal[.]net. Throughout August, the company studied certificates issued to suspicious domains.

"In just one month, certificate authorities have issued hundreds of SSL certificates for deceptive domain names used in phishing attacks," wrote Graham Edgecombe, Internet services developer with Netcraft, in a blog post.

The cheapest kind of digital certificate is called domain validated, or DV. The CAs selling that type of certificate check only that the applicant controls the domain name the certificate is intended for. For more expensive certificates, CAs do a more thorough identity check of the applicant.

It's these DV certificates that fraudsters are obtaining. DV certificates are often free or cost less than US$10, Edgecombe wrote. They're also often issued through automated systems, which makes it easier for fraudsters to get them for phishing domains, he wrote.

According to industry rules, CAs are supposed to do further verification on potentially high-risk domain names before issuing DV certificates, Edgecombe wrote.

Many CAs only send an email to the domain administrator on record before issuing a DV certificate, said Trell Rohovit, CEO of HydrantID, a startup that sells digital certs on a subscription basis.

"So essentially a bad guy only has to beat one process/person/or email, and -- puff -- your brand just flew out proverbial Internet window," Rohovit said.

Symantec, CloudFlare and GoDaddy did not have an immediate comment.

Comodo said it has "the largest share of the problem" due to it being the largest CA, according to an email statement from CEO Melih Abdulhayoglu.

Rogue DV certificates are revoked by Comodo when the company is made aware of them, Abdulhayoglu wrote.

"But certificate issuance is a complex process, and the problem with automated systems (like DV certificates) is that there are no human validation operators vetting the issued certificates," he wrote.

A spokesman for Abdulhayoglu said Comodo would not comment further on Netcraft's allegations.

Some CAs won't issue DV certificates at all because of security concerns. DigiCert, based in Lehi, Utah, believes DV certificates provide "little value" and that phishing risks could be mitigated by not issuing them, according to its website.

Entrust, based in Minneapolis, also doesn't issue DV ones, citing security concerns.

"Although the domain validated certificate supports transaction encryption, the end user cannot trust the certificate to confirm who is on the other end," its website says.

Netcraft, based in Bath, England, does have a commercial incentive to release these findings: it sells a service, called Domain Registration Risk, which scores domain names on how likely they are to be used for phishing.

The service is intended for domain name registrars but also could be used by CAs prior to issuing a certificate, Edgecombe wrote.
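The "further verification on potentially high-risk domain names" that industry rules ask of CAs, and the kind of domain-name scoring the article describes, both come down to flagging names that imitate a known brand before a certificate is issued. The following is an added illustration written for this article, not Netcraft's Domain Registration Risk service or any CA's real pipeline; the brand watch-list, suspicious-token list, weights and threshold are assumed values chosen for the example, and the two flagged domains are the ones quoted in the article.

```python
"""Heuristic pre-issuance screening of domain names for phishing risk.

Added example for this article. It is NOT Netcraft's service or any CA's
code; the lists, weights and threshold below are assumed for illustration.
"""
import re

# Assumed watch-list of brands that phishing domains commonly imitate.
BRANDS = ("paypal", "natwest", "bankofamerica", "apple", "microsoft")

# Assumed tokens that phishing domains often bolt onto a brand name.
SUSPICIOUS_TOKENS = ("secure", "login", "verify", "update", "account",
                     "emergency", "support")

# Assumed: the brand's own registered domains skip the lookalike check.
ALLOWLIST = frozenset({"paypal.com", "natwest.com", "bankofamerica.com"})

# Assumed weights and threshold; anything at or above it goes to manual review.
BRAND_HIT, LOOKALIKE_HIT, TOKEN_HIT = 50, 40, 15
HIGH_RISK_THRESHOLD = 40

# Common digit-for-letter substitutions seen in lookalike names.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,           # delete ca
                           cur[j - 1] + 1,        # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Lower-case, undo '[.]' defanging, drop the TLD, join the labels,
    and fold hyphens and digit substitutions so 'bank-0f-america' compares
    like 'bankofamerica'. Uses a crude last-label TLD rule, no public-suffix list."""
    d = domain.lower().replace("[.]", ".").strip(".")
    labels = d.split(".")
    core = "".join(labels[:-1] or labels)
    return re.sub(r"-", "", core.translate(LEET))


def score_domain(domain: str, brands=BRANDS) -> tuple[int, list[str]]:
    """Return (risk score, human-readable reasons) for one domain name."""
    d = domain.lower().replace("[.]", ".").strip(".")
    if d in ALLOWLIST:
        return 0, ["allow-listed brand domain"]
    core = normalise(domain)
    score, reasons = 0, []
    for brand in brands:
        if brand in core:
            score += BRAND_HIT
            reasons.append(f"contains brand name '{brand}'")
            continue
        dist = levenshtein(core, brand)
        if dist <= 2:
            score += LOOKALIKE_HIT
            reasons.append(f"lookalike of '{brand}' (edit distance {dist})")
    for token in SUSPICIOUS_TOKENS:
        if token in core:
            score += TOKEN_HIT
            reasons.append(f"suspicious token '{token}'")
    return score, reasons


def is_high_risk(domain: str) -> bool:
    """True when the name should be held for human validation before issuance."""
    return score_domain(domain)[0] >= HIGH_RISK_THRESHOLD


if __name__ == "__main__":
    # Constructed sample batch: the two domains quoted in the article plus controls.
    for name in ("banskfamerica[.]com", "emergencypaypal[.]net",
                 "paypal.com", "example.com"):
        score, why = score_domain(name)
        flag = "HOLD" if is_high_risk(name) else "ok  "
        print(f"{flag} {name:24} score={score:3} {'; '.join(why)}")
```

The point of the score is routing, not refusal: a name that clears the threshold is held for the human validation step that fully automated DV issuance skips, which is exactly the gap the article's sources describe. A real deployment would replace the assumed watch-list with the CA's own brand data and a public-suffix list, but the shape of the check, substring and edit-distance against known brands plus suspicious tokens, is what makes "emergencypaypal" and "banskfamerica" stand out.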


Jeremy Kirk

IDG News Service