In its first year, the Netcraft Toolbar community has identified more than 450 confirmed phishing URLs that use "https" addresses to present a connection encrypted with the Secure Sockets Layer (SSL). The number of phishing attacks using SSL is significant for several reasons. Anti-phishing education initiatives have often urged Internet users to look for the SSL "golden lock" as an indicator of a site's legitimacy. Although phishers have been using SSL in attacks for more than a year, the trend seems to have drawn relatively little notice from users and the technology press.
Case in point: the use of SSL certificates in phishing scams made headlines in September when a security vendor issued a press release warning of a scam in which a spoof site used a self-signed certificate, presenting a gold lock icon but also triggering a browser warning that the certificate was not issued by a recognized authority. In this case the phishers were banking on the likelihood that many users will trust the padlock and ignore the certificate warning. Despite the attention, the attack was neither new nor novel.
The Netcraft Toolbar community has identified many similar phishing attacks in which spoof sites use a certificate that can be expected to trigger a browser warning, in hopes that some victims will view the "Do you want to proceed?" pop-up and simply click "Yes." Numerous scams have used a hosting company's generic shared-server SSL certificate, with the spoof site housed on a "sound-alike" domain that has no certificate of its own; the browser then warns that the name on the certificate does not match the address being visited.
The beauty of the golden lock icon has been that it simplified complex security concepts into a single symbol that non-technical users could understand and trust. Phishing scams designed to prompt security warnings raise the stakes, requiring users to understand what the browser warning is telling them and how they should respond. Upcoming SSL-related interface changes in Internet Explorer 7 and updates to other browsers make a good start toward providing users with clearer information. But as we noted earlier this year, many banks are shifting their online banking logins to the unencrypted home pages of their websites, further muddling the effort to train customers to trust only SSL-enabled sites. The non-SSL presentation of these bank logins is already being incorporated into spoof pages.
As we noted earlier, phishing sites have incorporated SSL into their scams since late 2004. Some examples:
- Attacks in which SSL certificates are purchased for "sound-alike" domains, allowing sites spoofing major institutions to display a locked icon. An example is a phishing attack from last October using the domain visa-secure.com. No browser warning is triggered here: the certificate is valid for the domain actually visited, which simply is not the institution's own.
- Phishes using cross-site scripting to insert content into poorly coded financial web sites, enabling attacks to be delivered over SSL with the attacker's code being served as part of a URL from the bona fide bank's own secure server.
- Frame injection attacks that insert spoofed content into bank web sites, which likewise run under https with a secure lock icon.
- Browser security holes, such as the Firefox spoofing flaw from last July, which allowed a malicious website to use another site's SSL certificate to present a secure spoofed page with a "locked" icon.
Do Internet users pay attention to browser warnings alerting them to problems with a site's SSL certificate? The question got an unintended field test earlier this year when New Zealand's BankDirect accidentally allowed a certificate to expire. The mistake was fixed within 12 hours, during which about 300 customers were presented with a security alert when they visited the bank's website. Server logs show that all but one of those roughly 300 users dismissed the warning and logged in as usual.
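To make concrete what a browser actually checks before it shows the lock or a warning, here is an added example (not from the original article and not Netcraft's code) that models those checks in Python: whether the hostname matches a name on the certificate, whether the issuer is trusted, and whether the validity period covers the current time. It runs over constructed certificate records standing in for the cases discussed above: a hosting company's shared certificate served for a sound-alike domain, a self-signed certificate, a legitimate bank whose certificate lapsed as in the BankDirect incident, and a sound-alike domain with its own purchased certificate. All domain names, dates and the trusted-issuer list are assumptions, and the checks are deliberately narrower than a real X.509 validator (no chain building, key usage or revocation).

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CertInfo:
    """The handful of X.509 fields a browser consults before showing the lock."""
    subject_cn: str
    subject_alt_names: tuple  # DNS names; an empty tuple means fall back to the CN
    issuer_cn: str
    not_before: datetime
    not_after: datetime


# Constructed stand-in for the browser's root store: issuer names it trusts.
TRUSTED_ISSUERS = frozenset({"Example Public CA"})


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the hostname the user typed.

    A wildcard counts only as the entire leftmost label, so '*.host.example'
    matches 'shop.host.example' but neither 'host.example' nor
    'a.b.host.example'. Comparison is case-insensitive.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_warnings(cert: CertInfo, hostname: str, now: datetime,
                         trusted=TRUSTED_ISSUERS) -> list:
    """Return the warnings a browser would raise, or [] if the lock shows cleanly."""
    warnings = []
    names = cert.subject_alt_names or (cert.subject_cn,)
    if not any(name_matches(n, hostname) for n in names):
        warnings.append("name_mismatch")
    if cert.issuer_cn not in trusted:  # a self-signed certificate fails here too
        warnings.append("untrusted_issuer")
    if now < cert.not_before:
        warnings.append("not_yet_valid")
    elif now > cert.not_after:
        warnings.append("expired")
    return warnings


def shows_lock_without_warning(cert: CertInfo, hostname: str, now: datetime) -> bool:
    return not certificate_warnings(cert, hostname, now)


# Constructed scenarios mirroring the article; every name and date is made up.
NOW = datetime(2005, 10, 1, tzinfo=timezone.utc)
VALID_FROM = datetime(2005, 1, 1, tzinfo=timezone.utc)
VALID_TO = datetime(2006, 1, 1, tzinfo=timezone.utc)

SCENARIOS = {
    # Spoof on a sound-alike domain served under the host's generic shared certificate.
    "shared_hosting_cert": (
        CertInfo("shared.hostingco.example", ("shared.hostingco.example",),
                 "Example Public CA", VALID_FROM, VALID_TO),
        "secure-bank-login.example",
    ),
    # Self-signed certificate: the issuer is the spoof site itself.
    "self_signed": (
        CertInfo("www.bank-login.example", ("www.bank-login.example",),
                 "www.bank-login.example", VALID_FROM, VALID_TO),
        "www.bank-login.example",
    ),
    # Legitimate bank whose certificate lapsed a month ago.
    "expired": (
        CertInfo("www.bank.example", ("www.bank.example",), "Example Public CA",
                 datetime(2004, 9, 1, tzinfo=timezone.utc),
                 datetime(2005, 9, 1, tzinfo=timezone.utc)),
        "www.bank.example",
    ),
    # Sound-alike domain with its own purchased certificate: no warning at all.
    "sound_alike_with_own_cert": (
        CertInfo("www.visa-secure.example", ("www.visa-secure.example",),
                 "Example Public CA", VALID_FROM, VALID_TO),
        "www.visa-secure.example",
    ),
}


def run_scenarios(now: datetime = NOW) -> dict:
    """Map each scenario name to the list of warnings the browser would show."""
    return {name: certificate_warnings(cert, host, now)
            for name, (cert, host) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, warns in run_scenarios().items():
        print(f"{name:28} {'lock, no warning' if not warns else ', '.join(warns)}")
```

The last scenario is the one worth dwelling on: the certificate is valid, trusted and matches the address, so the lock appears with no prompt, even though nothing in the checks asks whether the domain belongs to the brand being imitated. The warnings in the other three cases tell the user only that a name, issuer or date check failed; they say nothing about whether the site is a phish, which is why training users to read them matters.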
Those results, coupled with the growing number of phishing scams invoking SSL, should motivate certificate authorities and browser developers to redouble efforts to educate Internet users about certificates and SSL security warnings.