Netcraft has reported a recent phishing attack hosted on the Malaysian Government’s secured police website. The fake PayPal page sits behind the site’s valid SSL certificate, which tricks potential victims into believing the site is legitimate so that they hand over sensitive information such as usernames and passwords. Most users assume that if they see HTTPS and a green padlock then the site is “legitimate” and “safe”, without checking that the URL in the address bar matches the site they think they are on.
In fact I’ve seen and heard this specific advice given to the public on at least four occasions over the past month – if the address begins with HTTPS and has a padlock then the site is safe. However, the obvious fact that is often omitted is that you also need to check that the URL in the address bar actually corresponds to the site in question. You need the correct URL + a valid certificate for that URL.
For example, if the site you think you are connecting to is PayPal, then the address needs to begin https://www.paypal and not https://www.paypalnow or https://www.fakepaypalsite. OK, the last one is a bit too obvious, but it’s amazing how much trust people put into a URL they have clicked after being sent a phishing email.
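As an added example (not part of Netcraft’s report or this post), the Python below contrasts the “begins with https://www.paypal” rule of thumb with a strict comparison of the parsed host name; the sample URLs and the police-site host are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample: the host the user believes they are visiting.
EXPECTED_HOST = "www.paypal.com"

def naive_prefix_check(url: str) -> bool:
    """The 'does it begin with https://www.paypal' rule of thumb."""
    return url.lower().startswith("https://www.paypal")

def is_expected_site(url: str, expected_host: str = EXPECTED_HOST) -> bool:
    """Strict check: HTTPS scheme AND the parsed host equals the expected host.

    urlsplit().hostname strips the port, any user@ prefix and IPv6 brackets
    and lower-cases the result, so look-alike hosts and a brand name placed
    in the userinfo part of the URL both fail this check.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    return parts.hostname == expected_host.lower()

# Constructed sample URLs (the police host is a placeholder, not the real site).
SAMPLE_URLS = [
    "https://www.paypal.com/signin",                  # genuine
    "https://www.paypal.com:443/signin",              # genuine, explicit port
    "http://www.paypal.com/signin",                   # right host, no TLS
    "https://www.paypalnow.example/login",            # look-alike from the post
    "https://www.paypal.com.evil.example/login",      # brand as a subdomain
    "https://www.paypal.com@evil.example/login",      # brand in userinfo
    "https://police.placeholder.gov.my/paypal/login", # compromised third-party host
]

def compare_checks(urls=SAMPLE_URLS) -> dict:
    """Map each URL to (prefix_result, strict_result) to show where the rule of thumb fails."""
    return {u: (naive_prefix_check(u), is_expected_site(u)) for u in urls}

if __name__ == "__main__":
    for url, (prefix_ok, strict_ok) in compare_checks().items():
        print(f"{url:50} prefix={prefix_ok!s:5} strict={strict_ok}")
```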
The police website had been compromised by the criminals, as this is much easier than obtaining a domain and hosting the phishing site themselves. Though choosing a law enforcement site has a beautiful irony somehow.
The SSL certificate itself was valid, but the certificate authority, in this case Symantec, had not revoked the certificate through a Certificate Revocation List (CRL) or by using on-demand OCSP responses. However, some browsers don’t handle revocation.
For example, according to Netcraft, in this instance the certificate does not contain an OCSP URL, so it is irrevocable in Firefox.
The good news is that if your Web filter includes anti-phishing protection as standard, then these phishing attacks are normally detected and blocked on the outbound URL request, thereby minimizing the risk to your network and users.