Language Selection

English French German Italian Portuguese Spanish

Phishers Learn to Exploit VeriSign

Filed under
Security

Everyone knows not to believe everything they read on the Web. But things get sticky when a company whose main businesses is assuring the security of online transactions gives you assurances that don't hold up.

A few days ago, I received e-mail ostensibly from Bridgeport (Conn.)-based People's Bank, informing me of some security problem and asking me to click on a link and enter my account information. I get dozens of these phishing attempts, and when I see a new one, I'll often check it out. (Don't try this at home -- I use a special isolated computer to protect myself and my PC against the viruses, worms, and other nasties that these sites often attempt to download to a user's machine.)

VULNERABLE ARCHITECTURE. The e-mail had the usual giveaways to alert the wary. I'm not a customer of the bank. The link pointed to a numerical Internet address, not www.peoples.com, the bank's genuine site. And the bank's name was prominently misspelled "Peopel's" in one reference. Phishers have used the names of many banks and businesses in other phishing scams.

But the phony bank Web site the message linked to features a graphic of a VeriSign seal with the text "VeriSign Secure Site: Click to Verify." When I clicked on the seal, I got a page from a VeriSign server that announced in bold blue type: "PCB.PEOPLES.COM is a VeriSign Secure Site" and that its status was "valid." I had to read way down into the text on the page to be advised: "To ensure that this is a legitimate VeriSign Secure Site, make sure that the original URL of the site you are visiting comes from PCB.PEOPLES.COM" -- which, of course, it did not.

When I brought the matter to the attention of Mountain View (Calif.)-based VeriSign (VRSN ), Group Product Manager Tim Callan wrote in an e-mail: "This phisher has built his spoof on top of VeriSign's version 1 seal architecture. The version 1 architecture was conceived and created before phishing was a phenomenon, and so it was not designed with that attack in mind.

Full Story.

More in Tux Machines

Five Great Applications For Systems Admins

Being a systems administrator is a difficult, often thankless job. You’re one of the people responsible for keeping the entire IT infrastructure of your business up and running. What that means is that whenever something doesn’t work the way it should, all eyes immediately turn in your direction. You can hardly be blamed for looking to make your life a bit easier. I’d actually recommend that you do so, truth be told. The less time you spend slogging through all the basics of administration, the more time you can devote to improving your server. To that end, I’ve compiled a list of a few of the best sysadmin apps on the web; tools that any Linux administrator worth their salt should consider using. Read more

today's leftovers

Sdparm & ddpt Linux Disk Utilities Updated

For those out of the loop, sdparm allows for setting and getting SCSI device parameters. The ddpt utility is yet another spin-off of dd but with extra features regarding storage control. Both ddpt and sdparm work on not only Linux but also BSDs, Solaris, and even Windows. Read more

Crouton for Chromebooks: Run Ubuntu in a browser tab

Crouton is a script that lets you run Ubuntu or Debian on a Chromebook without uninstalling Chrome OS. Developed by David Schneider, the tool has been around for a few years, offering an easy way to run native desktop Linux apps such as GIMP, LibreOffice, and even Firefox on Chrome OS laptops and desktops. But up until recently you’ve had to flip back and forth between Chrome OS and Ubuntu desktop environments… now there’s an option to simply run Ubuntu in a browser tab. Read more