Phishing websites look more legit with SSL certs from major companies

This is really scary guys! I usually feel much safer when I see those certs, I though those phishing sites didn't and couldn't use them... I was so wrong...




The Web is full of deception, and it's sometimes still hard for people to figure out if the website they're viewing really is what it says it is.

This type of cyberattack, known as phishing, is designed to elicit sensitive details from victims by creating websites that look nearly identical to services like PayPal or Bank of America.

Despite improvements in quickly detecting and taking such sites offline, it's still a huge problem.

A U.K.-based network monitoring company, Netcraft, says fraudsters are exploiting weaknesses in technology companies in order to make more convincing looking phishing sites.

Many websites use SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates to verify their domain name and encrypt communications with users.

Use of such a certificate is indicated by a green padlock in most browsers, which Web users have been advised to look for when, for example, they're logging onto an online banking service.

The digital certificates are issued by Certificate Authorities. Netcraft said fraudsters are obtaining digital certificates from several major CAs -- including Symantec, GoDaddy, Comodo and CloudFlare -- for their bogus sites, making them appear more legitimate.


Some phishing sites, like this one spoofing NatWest Bank in the U.K., appear more legitimate by using SSL/TLS certificates improperly issued by digital certificate vendors, Netcraft alleges.


If you want to read the rest, then please visit the site: http://www.pcworld.com/article/2992...egit-with-ssl-certs-from-major-companies.html

 

Ah man, you just can't ever feel safe using money online. I used to feel safe when I see those certificates as well on websites I know, but now I don't know what to believe anymore.

Although the only ways I see that I'd be using a fake PayPal website for example is if I clicked on a link from a fake email from PayPal, but these are usually easy to detect. Or if I had malware that redirected me to a fake PayPal site every time I entered PayPal in the address bar. (I encountered such malware before long ago, used to redirect me to ads). But other than that it's not likely that I'd be a phishing victim.

 

You never know, Lun. I for one try to avoid clicking any kind of unknown link, just some weeks ago I was receiving phishing mails asking me to enter my PayPal details. One of them was claiming my account had been limited and I had to log into it asap. I got kinda jumpy the first few seconds, like I really wanted to rush, but then I remember I had received a similar e-mail and it was fake, just like this one. Those dumb idiots don't even take care of the small details... so easy to spot those fake Paypal mails! I never click on mails that ask for log in information.

 

never trust the SSL service, lol it's just something they pay for and they get it, you just have to check the webadress when you enter a necessary informations and you'll be fine

 

You are right But I think it's so unethical of those companies to provide those people with that service, even if it's paid. Not cool at all, but thanks for the recommendation. I am always careful. I was told how to securely access my bank main page some years ago, I still do it when I am going to check my account.

 

I used to feel a bit safer seeing those icon, but I don't completely trust them. It is always a fear for me to enter personal information on websites that I don't know. I don't even feel safe enough to download banking app on my phone either yet

 

The problem is... if phishing sites (aka: sites that try to trick you into thinking the are actually your official bank site or any other site where you enter sensitive date) use that kind of certs... then it's easier to trick people into entering their sensitive data there. I was warned about this by the people of my bank, hence they advised me to always type the http:// and the rest of the address in order to be 100% sure the site I access is the legit one and not a phishing site. They told me this was done just to be extra safe.