Phishing scams are becoming ever more sophisticated - the latest are even using valid looking SSL certificates to fool people into believing they are using a legitimate secure site. According to the SANS Institute, the scam uses a carefully crafted email, with links to reasonably convincing domains and text that contains part of customers' credit card number.
With phishing it's not the ones they get wrong that matter, it's the ones that they get right. As a scammer, you need to send out as many emails as possible, and if one or two line up perfectly with your victim's situation, then you're on to a winner. Just one or two out of many thousands is enough to make the job worthwhile. In this case the phishermen were targeting a specific bank, had graphics, domains and even an SSL certificate that looked very convincing. It is unfortunate that the very trust systems supposed to protect users failed, and failed badly! The SSL certificate looked sufficiently authentic to convince all but the most sceptical. The scammer also took advantage of the fact that banks issue credit cards with the same first four digits, further helping to convincing the victim that this was a legitimate email.
This story calls in question the ease with which SSL certificates can be obtained - undoubtedly some certificate authorities undertake more rigorous checks than others. Search Google and you will find sites supplying SSL certificates for $20 or less, issued by an automatic procedure. Presumably there is no human intervention or the need to send company certificates of incorporation or similar documentation to prove the legitimacy of the person requesting the SSL certificate. SmoothWall believes that this drive for easy profit should not be allowed to destroy the trustworthiness of one of the pillars of web security.
Moral of the story? Never trust an email, I guess......
Read the entire article here,
http://www.crime-research.org/news/15.02.2006/1827/
|