Information Security News mailing list archives

Faked NatWest, Halifax bank sites score REAL security certs


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 13 Oct 2015 07:45:55 +0000 (UTC)

http://www.theregister.co.uk/2015/10/13/faked_natwest_halifax_bank_sites_score_real_security_certs/

By Simon Sharwood
The Register
13 Oct 2015

UK banks Halifax and NatWest are among the organisations targeted by fake sites that have been issued SSL certificates by certification authorities (CAs).

Netcraft says certifiers who should know better – such as Symantec, Comodo, CloudFlare's certification partner GlobalSign and GoDaddy – have handed out certs to sites like natwestnwolb.co.uk. That site is a fake designed to lure traffic away from UK bank NatWest's real online banking operation at www.nwolb.com. Another UK bank, Halifax, is flattered by the existence of the fake site halifaxonline-uk.com. Someone's trying to take a bite out of Apple at itunes-security.net, PayPal has to cope with emergencypaypal.net, and phishers even think someone's likely to have such fat fingers that they end up at btintranert.com.

While some of the sites above are chucklesome to a degree, Netcraft notes that “Consumers have been trained to 'look for the padlock' in their browser before submitting sensitive information to websites, such as passwords and credit card numbers.” The padlock will appear when sites have a valid certificate, so the errors made by certification authorities lend a little more authenticity to fake phishing sites, no matter how ridiculous their URLs. That authenticity will help those sites to fool punters into inadvertently handing over their internet banking credentials and other personal details, which won't end well.

Netcraft's Graham Edgecombe notes that CAs have a code of conduct that requires them to be especially careful when handing out certificates to high-risk sites like those that purport to have anything to do with online banking. Edgecombe stops short of accusing CAs of ignoring those checks, but points out that free trial certificates with short expiry times are phishers' favourites.

[...]
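The high-risk screening Edgecombe refers to can be approximated with a brand-token and look-alike check over the registrable label of a requested domain. The script below is an added example, not Netcraft's or any CA's code; the brand list, allowlist and similarity threshold are constructed assumptions, and a hit means "hold for manual review", not "refuse".

```python
import re
from difflib import SequenceMatcher

# Constructed watch-list of brand tokens treated as high-risk (hypothetical;
# a real CA or brand-protection list would be far longer).
BRAND_TOKENS = {"natwest", "nwolb", "halifax", "itunes", "paypal", "btintranet"}

# Constructed allowlist of registrable domains the brand owner is known to hold.
KNOWN_GOOD = {"nwolb.com"}

# Crude public-suffix handling: enough for the .co.uk / .org.uk cases on the page.
TWO_LEVEL_UK = {"co", "org", "ac", "gov"}


def registrable_domain(domain):
    """Return the registrable domain, e.g. 'natwestnwolb.co.uk' or 'example.org'."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in TWO_LEVEL_UK:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def screen_domain(domain, threshold=0.85):
    """Return a list of review reasons; an empty list means no high-risk signal."""
    reg = registrable_domain(domain)
    if reg in KNOWN_GOOD:
        return []
    label = reg.split(".")[0]
    # Drop separators so 'halifaxonline-uk' and 'itunes-security' still match.
    compact = re.sub(r"[^a-z0-9]", "", label)
    reasons = []
    for brand in sorted(BRAND_TOKENS):
        if brand in compact:
            reasons.append(f"contains brand token '{brand}'")
            continue
        # Typo-squat check: whole label close to a brand, e.g. btintranert ~ btintranet.
        ratio = SequenceMatcher(None, compact, brand).ratio()
        if ratio >= threshold:
            reasons.append(f"resembles '{brand}' (similarity {ratio:.2f})")
    return reasons


if __name__ == "__main__":
    # Domains named in the article, plus one neutral control domain.
    for d in ["natwestnwolb.co.uk", "halifaxonline-uk.com", "itunes-security.net",
              "emergencypaypal.net", "btintranert.com", "www.nwolb.com", "example.org"]:
        print(d, "->", screen_domain(d) or "no high-risk signal")
```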

