Mass Phishing on Credit Card Services Brand Using Fake SSL

In February, Symantec observed a mass phishing attack on a popular credit card services brand. The attack involved a large number of phishing URLs, all of which were secured using Secure Sockets Layer (SSL).

So what makes this phishing attack stand out from the rest?
Phishing websites that use SSL are uncommon and are typically seen in very small numbers. To create a phishing site that uses SSL, the phisher would either have to create a fake SSL certificate or attack a legitimate certificate to obtain encryption for the site. In both cases, Symantec has observed that such SSL phishing sites are less frequent. In this particular attack, there were over a hundred phishing URLs that used a fake SSL certificate. This was achieved by hosting the phishing site on a single IP address to which several domain names resolved. That is, although the attack involved many URLs, they all resolved to a single IP address and served the same webpage. The SSL certificate had expired: it was issued in 2006 and expired in 2007. The phisher’s primary motive for creating an encrypted phishing site is to make the site appear authentic and to convince users that it is safe.
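A defender-side check for the pattern described above, as an added example that is not from the original post: it groups observed HTTPS hosts by resolved IP and certificate, then flags clusters where several hostnames present one certificate that is outside its validity period. The record layout, hostnames, IP addresses, fingerprint placeholders and the `min_hosts` threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (not data from the post): one row per HTTPS URL,
# as a crawler or proxy log might capture it.
# Fields: host, resolved IP, certificate fingerprint (placeholder), notBefore, notAfter
OBSERVATIONS = [
    ("site01.example", "203.0.113.10", "fp-A", "2006-03-01", "2007-03-01"),
    ("site02.example", "203.0.113.10", "fp-A", "2006-03-01", "2007-03-01"),
    ("site03.example", "203.0.113.10", "fp-A", "2006-03-01", "2007-03-01"),
    ("SITE03.example", "203.0.113.10", "fp-A", "2006-03-01", "2007-03-01"),
    ("site04.example", "203.0.113.10", "fp-A", "2006-03-01", "2007-03-01"),
    ("shop.example", "198.51.100.7", "fp-B", "2010-06-01", "2012-06-01"),
    ("cdn1.example", "192.0.2.5", "fp-C", "2010-01-01", "2012-01-01"),
    ("cdn2.example", "192.0.2.5", "fp-C", "2010-01-01", "2012-01-01"),
    ("cdn3.example", "192.0.2.5", "fp-C", "2010-01-01", "2012-01-01"),
    ("old-intranet.example", "198.51.100.9", "fp-D", "2008-01-01", "2009-01-01"),
]

def flag_shared_invalid_certs(observations, today, min_hosts=3):
    """Return (ip, cert) clusters where at least min_hosts distinct hostnames
    present the same certificate and that certificate is outside its validity
    window on `today` (ISO date string)."""
    now = date.fromisoformat(today)
    hosts_by_key = defaultdict(set)
    validity = {}
    for host, ip, fp, not_before, not_after in observations:
        key = (ip, fp)
        hosts_by_key[key].add(host.lower())  # hostnames are case-insensitive
        validity[key] = (date.fromisoformat(not_before),
                         date.fromisoformat(not_after))
    findings = []
    for (ip, fp), hosts in hosts_by_key.items():
        start, end = validity[(ip, fp)]
        # Shared hosting with a valid certificate (fp-C) is normal; the signal
        # is many names on one IP behind a certificate that is not valid today.
        if len(hosts) >= min_hosts and not (start <= now <= end):
            findings.append({
                "ip": ip, "cert": fp, "hosts": sorted(hosts),
                "days_past_expiry": max((now - end).days, 0),
            })
    return sorted(findings, key=lambda f: len(f["hosts"]), reverse=True)

if __name__ == "__main__":
    for finding in flag_shared_invalid_certs(OBSERVATIONS, "2011-02-15"):
        print(finding)
```

A single host with an expired certificate (`fp-D` in the sample) falls below the threshold and is treated as a likely misconfiguration rather than part of a campaign.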

 

The phishing site spoofed a credit card services brand and targeted customers in Switzerland; its phishing pages were in French. End users were also asked to provide login credentials for a popular e-commerce brand. Hence, phishers attempted to harvest confidential information for two brands with the same phishing attack. The phishing site was hosted on servers based in California, USA.

The phishing site asks for the confidential information in a two-step process. The first step is an identity verification of the user. Here, the user is asked to enter name, date of birth, address, email with password of the e-commerce brand, and mother’s maiden name. The second step asks for banking data including bank name, bank ID, name of card holder, card type, card number, personal code, card expiration date, and CVV number. After the requested information is entered, the phishing site redirects to a blank webpage. If users fell victim to the phishing site, phishers would have stolen their information for financial gain.

Internet users are advised to follow best practices to avoid phishing attacks, such as:

  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up screen.
  • Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.
  • Look for the green address bar in the browser, which denotes that the transaction is secured and the site has been authenticated.

Note: Thanks to Rohan Shah for contributing to the research for this blog.