Phishing Update: Fake Vonage Web site and EV certs do help

In an article about phishing I commented that most exploits are initiated using an official Web site that has been subverted by attackers. Well, that’s not necessarily true.

Case in point, I subscribe to TrendLab’s e-mail security alerts and today I received an e-mail message about a fake Web site that’s phishing for useful information. Hmmm, seems like I need to revise my thinking.

Fake Vonage Web site

The fake Web site mentioned in the alert is serving up a very official-looking duplicate of Vonage’s log-in Web page. The whole purpose of the imitation Web page is to capture Vonage user names and passwords. That information allows phishers to access Vonage accounts and sensitive user profiles. The slide below (courtesy of TrendLabs) is that of the phishing Web site:

Real Vonage Web site

I was immediately impressed when I opened the official Vonage log-in page. Vonage is using Extended Validation (EV) certificates. That’s huge. If Vonage members realize that, there’s no way they’re going to get sucked in by the fake site. Oops, wait a minute; it depends on what Web browser they’re using.

I was using Firefox version three and as I explained in an article about security enhancements for Firefox, it’s very apparent when a Web site is using an EV certificate, as shown below:

That was Firefox though, if you’re still using version seven or earlier of Internet Explorer there’s no indication that the Web site is using an EV certificate. For example, the following image is how Internet Explorer version seven displays the Vonage Web site:

I’m happy to say that Microsoft fixed that in Internet Explorer version eight. The address bar turns green, alerting users to the fact that the Web site being displayed is in fact using an EV certificate:

How do EV certs help?

Phishing with fake Web sites relies on the following to be successful:

Use an e-mail or Web site link to fool victims into going to the fake Web site.
Obfuscate the address in the URL box to reduce suspicion.
The victim doesn’t check for https usage or disregards the warning about an incorrect certificate if https is used.

Web sites using EV certificates prevent the above example from happening by eliminating any deception fake Web sites may have, especially if the following is in place:

The Web browser in use will display evidence that an EV certificate is assigned to the Web site.
The person browsing knows which Web sites use EV certificates.

Final thoughts

First, I’d like to thank TrendLabs for publishing security alerts. Especially this notice as it gave me the opportunity to clarify several of my previous articles with a real-world example.

The use of EV certificates needs to become more prevalent. They aren’t the complete answer, but just being able to visually notify the person browsing a Web site of it’s security status is a step in the right direction.

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

Payroll

The Best Human Resources Payroll Software of 2023

With a lot of choices in the market, we have highlighted the top six HR and payroll software options for 2023.

A computer running Windows 11. — Image: Microsoft.

Software

Windows 11 update brings Bing Chat into the taskbar

Microsoft's latest Windows 11 allows enterprises to control some of these new features, which also include Notepad, iPhone and Android news.

A software engineer works from home. — Image: tanatat/Adobe Stock

CXO

Tech jobs: No rush back to the office for software developers as salaries reach $180,000

Salaries for remote roles in software development were higher than location-bound jobs in 2022, Hired finds.

Project management process to manage and develop with resources to deliver quality product, agile development cycle, businessman project manager balance on clock juggling project management elements. — Image: Nuthawut/Adobe Stock

Software

The 10 best agile project management software for 2023

With so many agile project management software tools available, it can be overwhelming to find the best fit for you. We've compiled a list of 10 tools you can use to take advantage of agile within your organization.

A user typing a password. — Image: Song_about_summer/Adobe Stock

Security

1Password is looking to a password-free future. Here’s why

With phishing-based credentials theft on the rise, 1Password CPO Steve Won explains why the endgame is to 'eliminate’ passwords entirely.

PURPOSE This Media disposal policy from TechRepublic Premium provides specific instructions for ensuring organization data is properly protected when disposing of old storage media. From the policy: POLICY DETAILS When disposing of damaged, unusable, obsolete, off-lease, decommissioned, old, or end-of-service-life equipment and media, the organization requires that the guidelines outlined herein be followed: Hard drives, ...

PURPOSE To take some of the effort out of writing (and rewriting) emails to share with company staff and executives, TechRepublic Premium has assembled basic templates to handle the most common types of communications. Simply copy the text into your favorite word processor and customize it to fit your needs. Then, paste it into an ...

PURPOSE The purpose of this policy from TechRepublic Premium is to provide guidelines for developing mobile applications from a security, procedural and best practices standpoint. While it contains technical guidelines, it is not intended to serve as a programming guide but as a framework for operations. This policy can be customized as needed to fit ...

Phishing Update: Fake Vonage Web site and EV certs do help