Language Selection

English French German Italian Portuguese Spanish

Phishers Learn to Exploit VeriSign

Filed under
Security

Everyone knows not to believe everything they read on the Web. But things get sticky when a company whose main businesses is assuring the security of online transactions gives you assurances that don't hold up.

A few days ago, I received e-mail ostensibly from Bridgeport (Conn.)-based People's Bank, informing me of some security problem and asking me to click on a link and enter my account information. I get dozens of these phishing attempts, and when I see a new one, I'll often check it out. (Don't try this at home -- I use a special isolated computer to protect myself and my PC against the viruses, worms, and other nasties that these sites often attempt to download to a user's machine.)

VULNERABLE ARCHITECTURE. The e-mail had the usual giveaways to alert the wary. I'm not a customer of the bank. The link pointed to a numerical Internet address, not www.peoples.com, the bank's genuine site. And the bank's name was prominently misspelled "Peopel's" in one reference. Phishers have used the names of many banks and businesses in other phishing scams.

But the phony bank Web site the message linked to features a graphic of a VeriSign seal with the text "VeriSign Secure Site: Click to Verify." When I clicked on the seal, I got a page from a VeriSign server that announced in bold blue type: "PCB.PEOPLES.COM is a VeriSign Secure Site" and that its status was "valid." I had to read way down into the text on the page to be advised: "To ensure that this is a legitimate VeriSign Secure Site, make sure that the original URL of the site you are visiting comes from PCB.PEOPLES.COM" -- which, of course, it did not.

When I brought the matter to the attention of Mountain View (Calif.)-based VeriSign (VRSN ), Group Product Manager Tim Callan wrote in an e-mail: "This phisher has built his spoof on top of VeriSign's version 1 seal architecture. The version 1 architecture was conceived and created before phishing was a phenomenon, and so it was not designed with that attack in mind.

Full Story.

More in Tux Machines

Games Leftovers

OSS Leftovers

  • Julita Inca Chiroque: Parallel Computing Talk
  • Open Source Monitoring Conference: Speakers, Agendas, and Other Details
    One of today’s leading tech conferences, the Open Source Monitoring Conference (OSMC), is back to bring together some of the brightest monitoring experts from different parts of the world. The four-day event will be held at Holiday Inn Nuremberg City Conference in Germany starting today, November 21st, until November 24th.
  • Why a Dallas-area tech startup opened a KC office
  • Open education: How students save money by creating open textbooks
    Most people consider a college education the key to future success, but for many students, the cost is insurmountable. The growing open educational resource (OER) movement is attempting to address this problem by providing a high-quality, low-cost alternative to traditional textbooks, while at the same time empowering students and educators in innovative ways. One of the leaders in this movement is Robin DeRosa, a professor at Plymouth State University in New Hampshire. I have been enthusiastically following her posts on Twitter and invited her to share her passion for open education with our readers. I am delighted to share our discussion with you.

Android Leftovers

Linux 4.10 To Linux 4.15 Kernel Benchmarks

The ThinkPad X1 Carbon has been enjoying its time on Linux 4.15. In addition to the recent boot time tests and kernel power comparison, here are some raw performance benchmarks looking at the speed from Linux 4.10 through Linux 4.15 Git. With this Broadwell-era Core i7 5600U laptop with 8GB RAM, HD Graphics, and 128GB SATA 3.0 SSD with Ubuntu 17.10 x86_64, the Linux 4.10 through 4.15 Git mainline kernels were benchmarked. Each one was tested "out of the box" and the kernel builds were obtained from the Ubuntu Mainline Kernel archive. Read more