To exchange information online, consumers and businesses need a way to ensure that credit card numbers, passwords and other personal and corporate information are kept secure. SSL is the technology that protects much of the Internet and, in essence, enables the digital economy. It activates the padlock symbol in the browser to tell the consumer that it is safe to send credit card information to the merchant, in a form that no one but the receiving site can decipher.
All data sent over SSL is encrypted. Without SSL, your credit card information (or password, bank account number, social security number, address, etc.) travels across the very public Internet in plain text. It is like sending your bank details by mail on a postcard, with the same risk of theft. SSL was invented to provide encryption on the unprotected Internet. But there is a problem: encryption is only useful if you know who you are sending data to and can be confident that only that party can decrypt it. This is where certificates become important.
To enable encryption, websites use "digital certificates" issued by organizations called "certificate authorities" (CAs), e.g. Symantec, Thawte and GeoTrust. A certificate authority is a trusted third party that verifies an applicant's details using a variety of databases, telephone calls and other means. Note that a CA does NOT check the trustworthiness of a company; its role is to check that the company exists and to issue credentials (digital certificates).
Currently there are three types of SSL certificate sold by most certificate authorities: DV (domain validated), OV (organization validated) and EV (extended validation) certificates.
This certificate is issued very quickly because it only requires the applicant to prove the right to use a domain name; no other business information is validated. For example, if someone bought the domain www.myfavoritestore.com, he could obtain a DV SSL certificate for it simply by submitting a request to the certificate authority and responding to an e-mail the CA sends. As soon as the CA received the response, the certificate would be issued. The applicant could then create a MyFavoriteStore.com site and start accepting credit cards over an encrypted connection. Consumers would see the padlock in the browser, indicating that all traffic to the server was encrypted. The obvious problem is that no validation was done to show that MyFavoriteStore.com is a legitimate company rather than a fraud.
For this type of certificate, the CA validates certain business information as well as the domain name, to ensure that the applicant is who they say they are. For example, to acquire a certificate for the site www.amazon.com, Amazon would have to send the CA some web server information and proof that the company actually exists. The person requesting the certificate would also need to be validated as an employee of the company. The CA validates this data and then issues the certificate for the site. The site then uses this certificate to enable secure https transactions over SSL.
In response to complaints from many quarters, and to strengthen authentication processes and security on the Internet, certificate authorities and browser vendors formed an industry association in 2006, the CA/Browser Forum, which created the specification for a new type of certificate called "Extended Validation (EV)". In this case the CA performs an enhanced examination of the applicant to raise the level of confidence in the company. The browser display is improved and the difference is easy to see immediately. This is an example of an EV certificate:
- Increase users' confidence in your site and increase your company's online sales;
- Hinder the creation of phishing attacks and other online identity fraud that use certificates;
- Help companies that might be targets of phishing or online identity fraud by giving them a tool to identify themselves more accurately to users.
Compared with DV certificates, much more information is included and validated. Before issuing an EV certificate, the certificate authority checks such things as who the company requesting the certificate actually is.
It is quite simple: in the previous example, MyFavoriteStore.com is not a real company. It is a fake site created by a phisher.
How is this possible?
- The fraudster purchases a domain from a domain registrar using false information and a stolen credit card. The registrar issues the domain name "myfavoritestore.com" to the fraudster.
- After acquiring rights to the domain, the fraudster requests a DV certificate from a CA. The CA verifies only that the applicant can respond to an e-mail sent to that domain. After receiving the response, the CA issues the certificate.
- The fraudster creates web pages that pretend to sell items of known public interest, together with shopping cart pages that accept credit cards.
- Consumers are lured to the site via e-mail messages or fake ads.
- On visiting the site, the consumer sees the padlock and assumes the site is legitimate, and so provides credit card information to make the purchase.
- The fraudster steals the credit card data and the consumer never receives the goods. When the consumer examines the SSL certificate for more information about the site, he finds nothing beyond the domain name. There is no verified address or other business information.
Because of the lack of information in DV certificates and the ease of obtaining them, they have been used successfully by criminals who want to lure customers and obtain their personal information, such as user names, account passwords and credit card details. A recent study by Netcraft showed that 78% of the SSL certificates found on servers hosting fraudulent websites were of the DV type. Although most of these certificates had not been obtained exclusively for phishing purposes, those with misleading domain names had only domain validation. The most attractive "targets" for fraudsters were well-known e-commerce sites such as PayPal, Apple, Visa, MasterCard and several foreign banks. Recently, the Apple ID has become a credential of great value. Fraudsters create a fake Apple website using a DV certificate to lure users. With this credential, a fraudster can lock or locate a phone, shop in iTunes and collect information about the victim.
However, it is not just large companies that become targets. Small and medium-sized companies are also frequent targets because of their limited technological sophistication. User credentials obtained from a small company that has been breached may be used to create a fake consumer profile on another site. This is because user names, passwords and other credentials are often reused by consumers, which makes it easy for attackers to try the same passwords on different websites.
Despite the risks, a recent survey commissioned by Symantec showed that more than a third of e-commerce sites use DV certificates (research conducted by buySAFE, Inc. on behalf of Symantec, in "Hidden Dangers Lurking in E-Commerce").
DV certificates are easy to issue, fast and very cheap because there are no manual validation procedures.
Although all CAs are required to perform a basic "fraud check" on DV certificate requests, fraudsters have adapted their methods to evade the checks. For example, the name "PayPal" is a common target for fraud, so CAs have automated checks that look for similar names in requests, such as "pay-pal", "securepaypal", "p@ypal", etc. Nevertheless, a certificate was recently issued for paypol-france.com, which was later used to launch a phishing attack and steal user credentials. It is not clear how many users were tricked into disclosing personal details. It would be much harder for a fraudster to obtain an OV or EV certificate for that name.
Compare the two certificates below. On the left is the certificate for the site "bookairfare.com" and on the right the certificate for "ebookers.com". A consumer searching for cheap airfares on a search engine could be directed to either of these two sites, but how would he know which company has been verified? Examining the certificate on the left, no business information is listed, which indicates that this is a DV certificate. Compare it with the certificate on the right, which contains extensive validated business data. While the company on the left is presumed to be genuine, its details have not been validated, which means this could also be a fraudulent website.
Note: This website is not known to be a fraudulent site. Source: Symantec paper "Hidden Dangers Lurking in E-Commerce".
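The comparison above can also be made programmatically. The following is an added example, not code from the original article: it inspects a certificate's subject in the nested-tuple layout Python's ssl.getpeercert() returns and reports whether a vetted organization name (OV) or the business-category, serial-number and jurisdiction fields that the CA/Browser Forum EV Guidelines require (EV) are present; with no such fields, nothing beyond the domain name was validated (DV). Since browsers have since dropped the distinctive EV address-bar display, reading the subject is the reliable way to see what was vetted. The sample subjects are constructed, and the attribute names assume the OpenSSL long names that Python's ssl module reports.

```python
"""Classify the validation level a server certificate claims (DV, OV or EV)
from its subject, in the layout returned by ssl.SSLSocket.getpeercert()."""
import socket
import ssl

# Attributes the CA/Browser Forum EV Guidelines require in an EV subject
# (OpenSSL long names, as Python's ssl module reports them).
EV_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def flatten_subject(subject):
    """Turn getpeercert()'s ((('k', 'v'),), ...) nesting into a flat dict."""
    flat = {}
    for rdn in subject:
        for key, value in rdn:
            flat.setdefault(key, value)
    return flat

def classify_validation(cert):
    """Return 'EV', 'OV' or 'DV' from the subject fields the CA filled in.
    This reports what the issuing CA asserted, not whether the chain is
    trusted; chain and hostname validation must already have passed."""
    subject = flatten_subject(cert.get("subject", ()))
    if EV_FIELDS.issubset(subject):
        return "EV"
    if subject.get("organizationName"):   # a vetted organization is named
        return "OV"
    return "DV"                            # nothing beyond the domain name

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a server's leaf certificate over a validated TLS connection."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample subjects (not real certificates) in getpeercert() layout.
DV_SAMPLE = {"subject": ((("commonName", "flights.example"),),)}
OV_SAMPLE = {"subject": ((("countryName", "GB"),),
                         (("organizationName", "Example Travel Ltd"),),
                         (("commonName", "travel.example"),))}
EV_SAMPLE = {"subject": ((("jurisdictionCountryName", "US"),),
                         (("businessCategory", "Private Organization"),),
                         (("serialNumber", "1234567"),),
                         (("organizationName", "Example Corp"),),
                         (("commonName", "shop.example"),))}

if __name__ == "__main__":
    for cert in (DV_SAMPLE, OV_SAMPLE, EV_SAMPLE):
        cn = flatten_subject(cert["subject"])["commonName"]
        print(cn, "->", classify_validation(cert))
```

Running the module prints the classification of the three constructed samples; fetch_peer_cert() performs the same lookup against a live host over a validated TLS connection.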
Criminals usually create fraudulent websites in order to steal identities and accounts. To add legitimacy to the site, they add graphics that imitate the real site and obtain an SSL certificate, which gives users a visual indicator of security. As already mentioned, it is relatively easy to get a DV certificate. Once the fraudster acquires the rights to a domain, he can request a DV certificate and receive it within minutes. The site goes live and the fraudster starts directing unsuspecting consumers to it. Consumers see the padlock (enabled by the DV certificate) and enter private data that can then be distributed throughout the criminal network. The figure below shows an example of a phishing e-mail and the associated site to which the user is taken after clicking the embedded link.
Source: https://isc.sans.edu/forums/diary/httpsyourfakebanksupport+--+TLD+confusion+starts/18651, cited in the Symantec paper "Hidden Dangers Lurking in E-Commerce".
The fact that cybercriminals take the trouble to obtain SSL certificates indicates that users have become accustomed to looking for the padlock or "https" before engaging in a transaction. Many of these fraudulent sites are active for only days or hours. This means that, unlike legitimate businesses, which only need to request certificates once every few years, criminals do so regularly. They would not devote the effort and resources if it were not profitable.
The SSL Blacklist site (https://sslbl.abuse.ch/) provides a list of SSL certificates associated with malware or botnet activity. An evaluation of the five most recent months of data indicates that all the SSL certificates listed are either DV or self-signed (self-signed or untrusted certificates trigger a browser warning, which fraudsters prefer to avoid). This confirms that the ease of obtaining DV certificates attracts criminals.