
Phishing Update: Fake Vonage Web site and EV certs do help

Vonage users, beware: there's a phishing campaign aimed at you. Keep informed about EV certificates to make sure you don't get caught.

In an earlier article about phishing I commented that most attacks start from a legitimate Web site that has been compromised by attackers. Well, that's not necessarily true.

Case in point: I subscribe to TrendLabs' e-mail security alerts, and today I received a message about a fake Web site that's phishing for account credentials. Hmmm, seems like I need to revise my thinking.

Fake Vonage Web site

The fake Web site mentioned in the alert is serving up a very official-looking duplicate of Vonage's log-in page. The whole purpose of the imitation page is to capture Vonage user names and passwords. With those, phishers can log in to Vonage accounts and read the sensitive user profiles behind them. The screen shot below (courtesy of TrendLabs) is of the phishing Web site:

Real Vonage Web site

I was immediately impressed when I opened the official Vonage log-in page: Vonage is using an Extended Validation (EV) certificate. That's a big deal. If Vonage members know to look for it, the fake site becomes much easier to spot. Oops, wait a minute; whether they can see it at all depends on which Web browser they're using.

I was using Firefox 3, and as I explained in an article about security enhancements for Firefox, it's very apparent when a Web site is using an EV certificate: the site's name appears on a green background at the left of the address bar, as shown below:

That was Firefox, though. In my test with Internet Explorer 7 (on Windows Server 2003, default configuration) the address bar gave no indication that the Web site is using an EV certificate. Internet Explorer 6 and earlier have no EV support at all; IE 7 does support EV, but whether the green bar actually appears depends on the platform and configuration (several readers report seeing it on Vista, as the comments below show). For example, the following image is how Internet Explorer 7 displayed the Vonage Web site for me:

I'm happy to say that Internet Explorer 8 behaves consistently. The address bar turns green, alerting users to the fact that the Web site being displayed is in fact using an EV certificate:

How do EV certs help?

Phishing with fake Web sites relies on all of the following to succeed:

  • An e-mail message or a link on another Web site fools the victim into visiting the fake site.
  • The address shown in the browser's URL box is obfuscated (a look-alike domain, a long path, or a subdomain that contains the real company name) to reduce suspicion.
  • The victim doesn't check for https, or, if https is used, disregards the browser's warning about a certificate that doesn't match the site.

A Web site that uses an EV certificate undercuts this deception, because a phisher cannot obtain an EV certificate for somebody else's company name, but only when both of the following hold:

  • The Web browser in use displays evidence that an EV certificate is assigned to the Web site. Browsers recognise an EV certificate by a policy identifier placed in the certificate by a CA that issues under the EV guidelines, which is why the indicator varies by browser and version.
  • The person browsing knows which Web sites use EV certificates and expects to see the indicator on the log-in page; its absence is the warning sign.
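A practical check that follows from the list above, added here as an example and not part of the original article or of anything Vonage or TrendLabs published: a small Python script that parses the log-in form on a page and reports whether the password would be submitted over HTTPS, by POST, to the expected host. It matters for this story because, as a commenter below points out, a log-in form on a plain-HTTP home page gives the EV indicator nothing to protect. The domain `example-voip.test` and the HTML pages are constructed for the example.

```python
"""Audit the log-in forms on a page: does the password leave over HTTPS, to the expected host?

Added example. The host names and HTML below are constructed for illustration,
not taken from any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormFinder(HTMLParser):
    """Collect every <form> on the page and note whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}          # boolean attributes arrive as None
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "has_password": False}
            self.forms.append(self._current)
        elif (tag == "input" and self._current is not None
              and a.get("type", "").lower() == "password"):
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html, expected_host):
    """Return [(resolved_action_url, [problem, ...]), ...] for each form that takes a password.

    An empty problem list means: HTTPS page, HTTPS action, POST, host under expected_host.
    """
    parser = _LoginFormFinder()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"])   # '' or a relative path resolves against the page
        parts = urlsplit(action)
        host = (parts.hostname or "").lower()
        problems = []
        if parts.scheme != "https":
            problems.append("credentials submitted without TLS")
        if host != expected_host and not host.endswith("." + expected_host):
            # catches look-alikes such as example-voip.test.evil.example
            problems.append("credentials posted to unexpected host %r" % host)
        if form["method"] != "post":
            problems.append("GET form: password would appear in the URL and server logs")
        if urlsplit(page_url).scheme != "https":
            # Even an https action is not safe if the page carrying the form arrived over
            # http: anyone in the path can rewrite the form before the user sees it.
            problems.append("form delivered over plain HTTP, so its action can be tampered with")
        findings.append((action, problems))
    return findings


# Constructed sample pages (hypothetical domain example-voip.test).
HOME_PAGE_URL = "http://www.example-voip.test/"
HOME_PAGE_HTML = """<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form></body></html>"""

LOGIN_PAGE_URL = "https://secure.example-voip.test/login"
LOGIN_PAGE_HTML = """<html><body>
<form action="https://secure.example-voip.test/login" method="post">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

PHISH_PAGE_URL = "http://example-voip.test.evil.example/login"
PHISH_PAGE_HTML = """<html><body>
<form action="collect.php" method="post">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

if __name__ == "__main__":
    for url, html in [(HOME_PAGE_URL, HOME_PAGE_HTML),
                      (LOGIN_PAGE_URL, LOGIN_PAGE_HTML),
                      (PHISH_PAGE_URL, PHISH_PAGE_HTML)]:
        for action, problems in audit_login_forms(url, html, "example-voip.test"):
            print(url, "->", action, ":", problems or "OK")
```

The home page in the sample reproduces the situation the comments describe: the form posts to the right host, but over plain HTTP, so nothing about the EV certificate on the dedicated log-in page reaches the user who types a password on the home page. The phishing sample is caught by the host check even though it uses the same relative-path trick a legitimate site would.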

Final thoughts

First, I'd like to thank TrendLabs for publishing security alerts, and especially this notice, as it gave me the opportunity to clarify several of my previous articles with a real-world example.

The use of EV certificates needs to become more prevalent. They aren't the complete answer, but being able to show the person browsing a Web site its security status, visually and consistently across browsers, is a step in the right direction.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

19 comments
fairportfan

...but I have to agree with the comment posted above that points out that you can log into your Vonage account from Vonage's badly-designed/implemented website from http://vonage.com, which is *not* EV certified. Why am I not surprised, after my one-year experiment with Vonage.

Lazarus439

I have to take some exceptions to your article. First, I didn't find anything "very apparent" in the screen shots of the browsers. A hint for those of us who don't already know what's "very apparent" would be polite. However, being generous, I attributed this to the relatively low quality of the screen shots, so I opened www.vonage.com (which is Vonage's HOME PAGE after all) and still found nothing "very apparent". After carefully parsing not only the article but also all the comments, I found that the "very apparent" thing was a "green bar". I'd actually opened www.vonage.com, not once but three times, in all three browsers mentioned - IE8/Vista, Firefox 3.10/Vista and IE7/XP. No green bars anywhere. However, present in all three browsers is the opportunity to present my username and password so I could log in right there on the home page. So, where is this wonderful security feature for which Vonage is being praised? Oh, it's on the "official Vonage log-in page". However, there is no need AT ALL to go to this wonderful protected "official Vonage log-in page", which did indeed elicit the wondrous green bar.

This brings up the second issue I have. Since the user does not have to go to the "official Vonage log-in page" in order to log in, all the wonderfulness in the world is less than useless. Indeed, the only way to see this magical page is by mistyping one's login credentials. If Vonage was serious - and if it was a worthwhile example of how to do something good in security - either there would be NO login option on the main page but rather a link to the wonderful "official Vonage log-in page" or the home page itself would elicit the green bar. As it stands, however, Vonage gets no points for security in this regard.

wdewey@cityofsalem.net

Most people don't even know what an EV cert is, much less whether their site is using it or not. Most people that I run into don't check and see if a site is using HTTPS. This will need a lot of user education and prompting users to upgrade to a newer version of their browsers before it will be useful. Bill

seanferd

That's excellent that Vonage is using EV certs. Particularly good since the phishing site is such a good mimic.

rschiestel

Actually IE version 7 does display the green bar indicating an EV certificate. IE 6 and earlier does not.

Michael Kassner

I had thought phishers were more inclined to use real Web sites for gathering personal information. It appears that some are still using fake Web sites. Don't get caught by them.

Michael Kassner

I agree it's hard to show phishing sites being similar to the real thing. I felt that I had to try though. As for the log-on being available on a different Web page, that is significant and something I was unaware of. I'm not a Vonage user, but I'll try and at least point this out to them. Thanks for informing us about the mistake.

fairportfan

...if, while "carefully perusing" the article, you had clicked on the link that reads "Extended Validation (EV) certificates", which leads to a page entitled "EV SSL Certificates: So what's the green URL all about?", you might have been saved a bit of trouble. That said, I agree with you about the stupidity of allowing a log-in from a page that doesn't have the EV certification. OTOH, having used Vonage's phone service for a year and discovering that Vonage in general, and their Customer (Dis)service in particular, all same same got organ cluster up ventral orifice, I'm not surprised in the least.

Michael Kassner

There are many banks that aren't using EV certs yet. Then there are companies like Vonage and LogMeIn that are, which tells me something.

Michael Kassner

I showed the outcome in the article using IE7 on a Win2003 server. Did you have to alter the default configuration? I can't check anymore as I have upgraded all of the computers to IE8.

RipVan

I received a CitiBank phishing email at work several years ago. Our work credit cards are from there. Even though I was sure this was a phishing scam, I couldn't figure it out, so I was taking some time looking it over. It took a few seconds before I realized that the mouse change (when hovering over a link) happened immediately at the border of the message, effectively making the whole message (a picture, which got it past our spam filter at that time) a link. If you moved your mouse straight to the link on the page, you weren't supposed to notice this. I forwarded the message to our security staff with an explanation of exactly how the exploit worked. I assumed they would capture the picture from the message and forward it to our users in order to ensure that anyone else receiving the message would know exactly what it looked like. Instead, our crack (smoking) staff just forwarded my mail to all users as I had sent it to them, leaving the payload intact and fully executable. Real men of genius. "Mr. Security Staff Forwarder of Viruses to All Users..."

Lazarus439

Actually, you killed two birds with one stone: covered something about the EV certificates (of which I'd never heard, though I have noticed the green bar on occasion) and also provided a great example of how easy it is to be one's own worst enemy in the security business. No doubt someone at Vonage was deservedly very pleased with him/herself for getting Vonage to implement EV certificates without realizing the company's home page 99% negated all the good work!

Lazarus439

Good point about my not having followed the link about the EV certificates, but in all honesty, I took Mr. Kassner at his word that these are cool things and was content with that. I really wasn't interested in finding out how it used post-doctoral level math to work its magic or where I could order my very own, either or both of which is what I expected would be at the other end of the link. I was looking for something like his saying "notice the green URL in screen shot 1? It's due to the browser supporting EV certificates". That said, any remote thoughts I might have been harboring about signing up for Vonage have been roundly canceled. :)

fmdeveloper

IE7 on Vista is showing a green bar for EV Certs.

Michael Kassner

That information. I've seen similar Web pages and they can and do fake many people out. As the bad guys get more sophisticated, I'm sure the fake sites will get even better.

Michael Kassner

I appreciate the mention of needing more explicit information. I can use reminding about assuming too much once in a while.

Michael Kassner

I'm getting several members saying that. I've retested IE7 on Win2K3 server and LogMeIn doesn't show any green in the address bar. Hmm.
