The SANS Institute’s Internet Storm Center noted the scam, and advised its users that “it is not possible to identify fake or real websites by the lock icon alone. … While you can assure that the session is encrypted, it is not possible to ensure that this is the real organization.”
Scammers can also configure their web server so that deceptive SSL certificates won’t trigger an alert in the user’s browser. “One of the SSL encoding methods is ‘plain text’,” Neal Krawetz from Secure Science Corporation noted in the SANS post on the issue. “Most SSL servers have this disabled by default, but most browsers support it. When plain text is used, no central certificate authority is consulted and the user never sees a message asking if a certificate should be accepted (because ‘plain text’ doesn’t use certificates). Keeping that in mind, the little lock icon may not even indicate an encrypted channel. The little lock only indicates an SSL connection.”
A technique called visual spoofing offers another method to present a “lock” to visitors on a Scam phishing site. The technique alters the user interface of the web browser, substituting images for parts of the browser interface that would normally help users detect the fraud. Javascript links launch a new browser window without scrollbars, menubars, toolbars and the status bar – which allows the scam artists to substitute a fake status bar containing the URL for a legitimate site, along with an image of a “lock” indicating a secure SSL site.
The evolving strategies of phishing crews underscore the need for continuing consumer education on detecting deceptive URLs, web sites and now, to discern authentic SSL certificates and relationships as well.
Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.