Language Selection

English French German Italian Portuguese Spanish

Phishers Learn to Exploit VeriSign

Filed under
Security

Everyone knows not to believe everything they read on the Web. But things get sticky when a company whose main businesses is assuring the security of online transactions gives you assurances that don't hold up.

A few days ago, I received e-mail ostensibly from Bridgeport (Conn.)-based People's Bank, informing me of some security problem and asking me to click on a link and enter my account information. I get dozens of these phishing attempts, and when I see a new one, I'll often check it out. (Don't try this at home -- I use a special isolated computer to protect myself and my PC against the viruses, worms, and other nasties that these sites often attempt to download to a user's machine.)

VULNERABLE ARCHITECTURE. The e-mail had the usual giveaways to alert the wary. I'm not a customer of the bank. The link pointed to a numerical Internet address, not www.peoples.com, the bank's genuine site. And the bank's name was prominently misspelled "Peopel's" in one reference. Phishers have used the names of many banks and businesses in other phishing scams.

But the phony bank Web site the message linked to features a graphic of a VeriSign seal with the text "VeriSign Secure Site: Click to Verify." When I clicked on the seal, I got a page from a VeriSign server that announced in bold blue type: "PCB.PEOPLES.COM is a VeriSign Secure Site" and that its status was "valid." I had to read way down into the text on the page to be advised: "To ensure that this is a legitimate VeriSign Secure Site, make sure that the original URL of the site you are visiting comes from PCB.PEOPLES.COM" -- which, of course, it did not.

When I brought the matter to the attention of Mountain View (Calif.)-based VeriSign (VRSN ), Group Product Manager Tim Callan wrote in an e-mail: "This phisher has built his spoof on top of VeriSign's version 1 seal architecture. The version 1 architecture was conceived and created before phishing was a phenomenon, and so it was not designed with that attack in mind.

Full Story.

More in Tux Machines

Comparing live version upgrade methods

When I review a distribution I always begin by performing a fresh installation of the operating system. This gives the latest version of the project a chance to stand on its own without complications. However, many of us do not perform fresh installations on our operating systems each time we want to upgrade to the latest release. Some of us, in order to preserve settings or installed packages, prefer to upgrade our existing operating system without starting over from scratch. This week I decided to take five open source operating systems through an upgrade process from their penultimate release to their latest version. Read more

Porteus Kiosk 4.0 Modular Linux Web Kiosk Released, Drops Chrome 32-bit Support

Porteus Solutions' Tomasz Jokiel announced on May 30, 2016, the release of the final Porteus Kiosk 4.0.0 Web Kiosk operating system based on the latest GNU/Linux technologies and open-source software. Porteus Kiosk 4.0.0 comes three months after the release of the last maintenance build in the Porteus Kiosk 3.x series, introducing numerous new features and improvements. But first, let's take a quick look under the hood, as the OS is now powered by Linux kernel 4.4.11 LTS (Long Term Support), and it's based on the Mozilla Firefox 45.1.1 ESR and Google Chrome 50.0.2661.102 web browsers. Read more

Fresh 10-Way GeForce Linux Benchmarks With The NVIDIA 367.18 Driver

In prepping for our forthcoming GeForce GTX 1070 and GTX 1080 Linux benchmarking, I've been running fresh rounds of benchmarks on my large assortment of GPUs, beginning with the GeForce hardware supported by the NVIDIA 367.18 beta driver. Here are the first of those benchmarks with the ten Maxwell/Kepler GPUs I've tested thus far. Earlier this month I posted the With Pascal Ahead, A 16-Way Recap From NVIDIA's 9800 GTX To Maxwell but in still waiting for my GTX 1070/1080 samples to arrive, I've restarted all of those tests now using the newer 367.18 driver as well as incorporating some extra tests like the recently released F1 2015 for Linux, not having done any SHOC OpenCL tests in a while, etc. Read more

Arch Linux-Based ArchAssault Ethical Hacking Distro Changes Name to ArchStrike

The team over at ArchAssault, a GNU/Linux operating system based on the famous Arch Linux distro and designed for ethical hackers, announced a few minutes ago on their Twitter account that they are changing the OS' name to ArchStrike. Designed from the ground up as a security layer to Arch Linux, the ArchAssault project provides security researchers and hackers with one of the most powerful open source and totally free Linux kernel-based operating system for penetration testing and security auditing operations. Read more