Language Selection

English French German Italian Portuguese Spanish

Phishers Learn to Exploit VeriSign

Filed under
Security

Everyone knows not to believe everything they read on the Web. But things get sticky when a company whose main businesses is assuring the security of online transactions gives you assurances that don't hold up.

A few days ago, I received e-mail ostensibly from Bridgeport (Conn.)-based People's Bank, informing me of some security problem and asking me to click on a link and enter my account information. I get dozens of these phishing attempts, and when I see a new one, I'll often check it out. (Don't try this at home -- I use a special isolated computer to protect myself and my PC against the viruses, worms, and other nasties that these sites often attempt to download to a user's machine.)

VULNERABLE ARCHITECTURE. The e-mail had the usual giveaways to alert the wary. I'm not a customer of the bank. The link pointed to a numerical Internet address, not www.peoples.com, the bank's genuine site. And the bank's name was prominently misspelled "Peopel's" in one reference. Phishers have used the names of many banks and businesses in other phishing scams.

But the phony bank Web site the message linked to features a graphic of a VeriSign seal with the text "VeriSign Secure Site: Click to Verify." When I clicked on the seal, I got a page from a VeriSign server that announced in bold blue type: "PCB.PEOPLES.COM is a VeriSign Secure Site" and that its status was "valid." I had to read way down into the text on the page to be advised: "To ensure that this is a legitimate VeriSign Secure Site, make sure that the original URL of the site you are visiting comes from PCB.PEOPLES.COM" -- which, of course, it did not.

When I brought the matter to the attention of Mountain View (Calif.)-based VeriSign (VRSN ), Group Product Manager Tim Callan wrote in an e-mail: "This phisher has built his spoof on top of VeriSign's version 1 seal architecture. The version 1 architecture was conceived and created before phishing was a phenomenon, and so it was not designed with that attack in mind.

Full Story.

More in Tux Machines

PfSense 2.1.5 Is a Free and Powerful FreeBSD-Based Firewall Operating System

PfSense is a free network firewall distribution based on the FreeBSD, it comes with a custom kernel, and a few quite powerful applications that should make its users’ life a lot easier. Most of the firewall distros are Linux-based, but PfSense is a little bit different and is using FreeBSD. Regular users won't feel anything out of the ordinary, but it's an interesting choice for the base. The developers of PfSense are also saying that their distro has been successful in replacing a number of commercial firewalls such as Check Point, Cisco PIX, Cisco ASA, Juniper, Sonicwall, Netgear, Watchguard, Astar, and others. Read more

A free culture event in Pakistan

digital materials freely online. With regards to the open source community in Pakistan, the situation is analogous to that on Wikipedia. Outside of a core group of members of Mozilla Pakistan and Linux Pakistan, the majority of internet users are not familiar with the free culture and open movements. This, in all likelihood, is due to a lack of widespread awareness of the movements. Even as Pakistan is experiencing a widespread internet penetration amongst the public, unfortunately the country has not yet adapted well to the ideas of free culture and open. Copyright protection in Pakistan is a critical issue and copyright infringement and online piracy has always been a concern. With Wikimedia Pakistan, we can help to raise awareness of the advantages and benefits of having open and free platforms, and the major role this could play in developing our market and economy. We all need to play our part in ensuring a bright future for the open and free internet. I think the success of the movement globally depends on participation of people from not only the developed countries but also from the Global South. Read more

Mesa 10.3 release candidate 2

Mesa 10.3 release candidate 2 is now available for testing. The current plan of record is to have an additional release candidate each Friday until the 10.3 release on Friday, September 12th. The tag in the GIT repository for Mesa 10.3-rc2 is 'mesa-10.3-rc2'. I have verified that the tag is in the correct place in the tree. Mesa 10.3 release candidate 2 is available for download at ftp://freedesktop.org/pub/mesa/10.3/ Read more

Linux 3.17-rc3

I'm back to the usual Sunday release schedule, and -rc3 is out there now. As expected, it is larger than rc2, since people are clearly getting back from their Kernel Summit travels etc. But happily, it's not *much* larger than rc2 was, and there's nothing particularly odd going on, so I'm going to just ignore the whole "it's summer" argument, and hope that things are just going that well. Please don't prove me wrong, Linus Read more