http://www.theregister.co.uk/2015/10/13/faked_natwest_halifax_bank_sites_score_real_security_certs/
By Simon Sharwood
The Register
13 Oct 2015
UK banks Halifax and NatWest are among organisations targeted by fake
sites that have won SSL certificates from certification authorities (CAs).
Netcraft says certifiers who should know better – such as Symantec,
Comodo, CloudFlare's certification partner GlobalSign and GoDaddy – have
handed out certs to sites like natwestnwolb.co.uk. That site's a faked
attempt at luring traffic away from UK bank NatWest's real online banking
operation at www.nwolb.com. Another UK bank, Halifax, is flattered by the
existence of fake site halifaxonline-uk.com. Someone's trying to take a
bite out of Apple at itunes-security.net, PayPal has to cope with
emergencypaypal.net and phishers even think someone's likely to have such
fat fingers that they end up at btintranert.com.

While some of the sites above are chucklesome to a degree, Netcraft notes
that “Consumers have been trained to 'look for the padlock' in their
browser before submitting sensitive information to websites, such as
passwords and credit card numbers.” The padlock will appear when sites
have a valid certificate, so the errors made by certification authorities
lend a little more authenticity to fake phishing sites, no matter how
ridiculous their URLs. That authenticity will help those sites to fool
punters into inadvertently handing over their internet banking credentials
and other personal details, which won't end well.

Netcraft's Graham Edgecombe notes that CAs have a code of conduct that
requires them to be especially careful when handing out certificates to
high-risk sites like those that purport to have anything to do with online
banking. Edgecombe stops short of accusing CAs of ignoring those checks,
but points out that free trial certificates with short expiry times are
phishers' favourites.
[...]
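The high-risk screening the article says CAs are supposed to perform, as an added example that is not code from The Register, Netcraft or any CA: a Python screener that flags a certificate request whose domain contains or closely resembles a watched bank or brand name, run over the lookalike domains named above. The brand keys, allowlist, wording list and similarity threshold are assumptions chosen for this example.

```python
"""High-risk domain screening of the kind a CA could run on a certificate
request before issuance (or a bank could run over Certificate Transparency
logs).  Added example, not Netcraft's or any CA's code; the brand keys,
allowlist, wording list and similarity threshold are all assumptions."""
import re
from difflib import SequenceMatcher

# Assumed watch list: brands named in the article and strings tied to them.
WATCHED_BRANDS = {"natwest": ["natwest", "nwolb"], "halifax": ["halifax"],
                  "apple": ["itunes", "apple"], "paypal": ["paypal"],
                  "bt": ["btinternet"]}
# Generic words that get bolted onto a brand name to look official.
OFFICIAL_WORDING = ("secure", "security", "login", "online", "verify",
                    "emergency", "update", "account")
# Domains the brands actually own (assumed), so their own requests pass.
ALLOWLIST = {"nwolb.com", "natwest.com", "halifax.co.uk", "apple.com",
             "paypal.com", "bt.com"}
TYPO_THRESHOLD = 0.8  # SequenceMatcher ratio; btintranert/btinternet is 0.86


def registrable_name(fqdn: str) -> str:
    """Crude registrable-domain extraction that covers the '.co.uk' style
    names on the page; production code should use the Public Suffix List."""
    labels = fqdn.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in ("co", "org", "ac", "gov")
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def screen(fqdn: str) -> list:
    """Return the reasons a request needs manual review (empty list = clear)."""
    domain = registrable_name(fqdn)
    if domain in ALLOWLIST:
        return []
    label = domain.split(".")[0]          # e.g. 'halifaxonline-uk'
    tokens = [t for t in re.split(r"[-_]", label) if t]
    reasons = []
    for brand, keys in WATCHED_BRANDS.items():
        for key in keys:
            if key in label:
                reasons.append(f"contains brand string '{key}' ({brand})")
                continue
            # Typosquat check: a token close to, but not equal to, a brand key.
            for tok in tokens:
                if SequenceMatcher(None, tok, key).ratio() >= TYPO_THRESHOLD:
                    reasons.append(f"'{tok}' resembles '{key}' ({brand})")
    if reasons and any(w in label for w in OFFICIAL_WORDING):
        reasons.append("brand combined with security/login-style wording")
    return reasons
```

A non-empty result is a signal for manual vetting, not an automatic refusal; the allowlist is what keeps the bank's own renewals out of the review queue.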