In an article about phishing I commented that most exploits are initiated using an official Web site that has been subverted by attackers. Well, that’s not necessarily true.

Case in point: I subscribe to TrendLabs' e-mail security alerts, and today I received a message about a fake Web site that's phishing for useful information. Hmmm, seems like I need to revise my thinking.

Fake Vonage Web site

The fake Web site mentioned in the alert serves up a very official-looking duplicate of Vonage's log-in page. Its whole purpose is to capture Vonage user names and passwords, which let the phishers log in to the victims' Vonage accounts and the sensitive profile information they hold. The screenshot below (courtesy of TrendLabs) is of the phishing Web site:

Real Vonage Web site

I was immediately impressed when I opened the official Vonage log-in page. Vonage is using Extended Validation (EV) certificates. That’s huge. If Vonage members realize that, there’s no way they’re going to get sucked in by the fake site. Oops, wait a minute; it depends on what Web browser they’re using.

I was using Firefox version three, and as I explained in an article about security enhancements for Firefox, it's very apparent when a Web site is using an EV certificate, as shown below:

That was Firefox though. Internet Explorer 6 and earlier give no indication at all that a Web site is using an EV certificate, and Internet Explorer 7 only turns its address bar green when the Phishing Filter is switched on (on Windows XP the root certificate update has to be installed as well), so plenty of IE7 users see nothing special. For example, the following image is how Internet Explorer version seven displays the Vonage Web site:

I'm happy to say that Microsoft fixed that in Internet Explorer version eight. The address bar turns green, alerting users that the Web site being displayed is using an EV certificate:

How do EV certs help?

Phishing with fake Web sites relies on the following to be successful:

  • A link in an e-mail or on another Web site lures the victim to the fake site.
  • The address shown in the URL box is disguised (a look-alike domain name or a very long URL) to reduce suspicion.
  • The victim doesn't check for https at all, or clicks through the browser's warning when the fake site uses https with a certificate that doesn't match. Note that a phisher who registers a look-alike domain can buy an ordinary domain-validated certificate for it, so on such a site there is no warning to ignore; the padlock alone proves nothing about who runs the site.

An EV certificate doesn't stop the fake site from going up, but it strips away its disguise: a phisher can't get an EV certificate issued in Vonage's name, so the green address bar and the verified organization name appear only on the real log-in page and never on the imitation. That protection only works if both of the following are in place:

  • The Web browser in use displays distinct evidence that an EV certificate is assigned to the Web site (the green bar and organization name, not just a padlock).
  • The person browsing knows which Web sites use EV certificates and treats a missing indicator as a red flag.
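The property the two points above depend on (only the genuine site can present a certificate carrying an EV policy) can be checked outside the browser as well. The following Python script is an added example, not code from the original article, TrendLabs or Vonage: it walks a DER-encoded certificate by hand using only the standard library, pulls out the Certificate Policies extension and looks for the CA/Browser Forum EV policy OID (2.23.140.1.1) or one of two CA-specific EV OIDs. The OID list is an assumed excerpt of what a browser ships, and the EV and DV "certificates" it tests are constructed fixtures rather than real certificates.

```python
"""Check whether an X.509 certificate carries an Extended Validation policy OID.

Added example (not code from the original article, TrendLabs or Vonage).
It walks the DER structure by hand so it runs with the standard library only.
"""
from __future__ import annotations

import ssl

# The CA/Browser Forum EV policy OID plus two CA-specific EV OIDs. This is an
# excerpt (assumption): browsers ship a longer list and pair each OID with a
# specific root CA, so a hit here is necessary but not sufficient for EV.
EV_POLICY_OIDS = {
    "2.23.140.1.1",                # CA/Browser Forum EV
    "2.16.840.1.114412.2.1",       # DigiCert EV
    "2.16.840.1.113733.1.7.23.6",  # VeriSign/Symantec EV
}
CERT_POLICIES_EXT = "2.5.29.32"    # id-ce-certificatePolicies


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Turn the raw content of a DER OBJECT IDENTIFIER into dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:                     # base-128, high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _walk(buf: bytes):
    """Yield (tag, value) for every TLV in buf, descending into constructed types."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value
        if tag & 0x20:                     # constructed bit: SEQUENCE, SET, [n] EXPLICIT
            yield from _walk(value)


def find_cert_policies(cert_der: bytes) -> bytes | None:
    """Return the extnValue of the certificatePolicies extension, or None."""
    for tag, value in _walk(cert_der):
        if tag != 0x30 or len(value) < 2:
            continue
        oid_tag, oid_body, pos = _read_tlv(value, 0)
        if oid_tag != 0x06 or decode_oid(oid_body) != CERT_POLICIES_EXT:
            continue
        while pos < len(value):            # optional BOOLEAN critical, then OCTET STRING
            inner_tag, inner, pos = _read_tlv(value, pos)
            if inner_tag == 0x04:
                return inner
    return None


def policy_oids(policies_der: bytes) -> list[str]:
    """List the policyIdentifier OIDs in a DER certificatePolicies value."""
    _, seq, _ = _read_tlv(policies_der, 0)         # SEQUENCE OF PolicyInformation
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = _read_tlv(seq, pos)         # PolicyInformation SEQUENCE
        oid_tag, oid_body, _ = _read_tlv(info, 0)  # first member is the policy OID
        if oid_tag == 0x06:
            oids.append(decode_oid(oid_body))
    return oids


def is_ev(cert_der: bytes) -> bool:
    """True if the certificate lists at least one known EV policy OID."""
    policies = find_cert_policies(cert_der)
    return bool(policies) and any(o in EV_POLICY_OIDS for o in policy_oids(policies))


def check_host(host: str, port: int = 443) -> bool:
    """Live check (needs network): fetch the server's leaf certificate and test it."""
    pem = ssl.get_server_certificate((host, port))
    return is_ev(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed fixtures (not real Vonage or phishing-site certificates) ---
def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder used only to build the fixtures below."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def _policies(*oid_hex: str) -> bytes:
    return _der(0x30, b"".join(_der(0x30, _der(0x06, bytes.fromhex(h))) for h in oid_hex))


EV_POLICIES = _policies("67810c0101")     # 2.23.140.1.1   (EV)
DV_POLICIES = _policies("67810c010201")   # 2.23.140.1.2.1 (domain-validated only)


def fake_cert(policies: bytes) -> bytes:
    """Wrap a certificatePolicies value in enough SEQUENCE/[3] nesting to mimic a cert."""
    ext = _der(0x30, _der(0x06, bytes.fromhex("551d20")) + _der(0x04, policies))
    return _der(0x30, _der(0x30, _der(0xA3, _der(0x30, ext))))


if __name__ == "__main__":
    for name, cert in (("EV fixture", fake_cert(EV_POLICIES)),
                       ("DV fixture", fake_cert(DV_POLICIES))):
        print(name, policy_oids(find_cert_policies(cert)), "EV" if is_ev(cert) else "not EV")
```

Run it directly to see the two fixtures classified; check_host("www.vonage.com") (hostname assumed) does the same against a live server. A policy OID match is the first thing a browser checks, but the browser also requires the certificate to chain to a root CA enrolled for that exact OID, so treat a hit from this script as necessary rather than sufficient. Conversely, a certificate carrying only the domain-validated OID is exactly what a phisher on a look-alike domain can obtain, which is why the padlock alone is not the signal to trust.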

Final thoughts

First, I’d like to thank TrendLabs for publishing security alerts. Especially this notice as it gave me the opportunity to clarify several of my previous articles with a real-world example.

The use of EV certificates needs to become more prevalent. They aren't the complete answer, but just being able to visually notify the person browsing a Web site of its security status is a step in the right direction.