14 DAY TRIAL // PayPal phishing scams are not uncommon. However, experts have spotted a PayPal phishing page that’s hosted on the secure website of a Malaysian government police portal (https://www.polisjohor.gov.my).
By compromising a website that uses SSL certificates, the cybercriminals can make their scheme more legitimate-looking because many PayPal users are aware of the fact that they should not enter their credentials on websites that aren’t protected by an SSL certificate.
According to Netcraft, the digital certificate for this particular Malaysian police portal was issued by Symantec’s GeoTrust back in 2011 and it’s valid for several more months.
“If Symantec wished to revoke the certificate to make the site inaccessible over HTTPS it could do so by updating its Certificate Revocation List or by providing on-demand OCSP responses noting its revocation,” Netcraft’s Raz Popescu noted.
“As examined by Netcraft recently, the current treatment of revocation in many major browsers leaves some room for improvement: this certificate does not contain an OCSP URL so is irrevocable in Firefox. Even if the CA wanted to, it could not directly prevent further use of the certificate in Firefox. Safari users are left unprotected by default as the revocation checking has to be explicitly enabled.”
Jeff Hudson, the CEO of enterprise key and certificate management solutions provider Venafi, has been a strong advocate for digital certificate security for quite some time.
“This new attack against PayPal demonstrates, once again, that trust-based compromises leveraging digital certificates have emerged as the attack vehicle of choice for cybercriminals around the globe,” Hudson told Softpedia.
“While Netcraft has positioned this attack as ‘indefensible’ in some cases, it is likely that the compromised systems, sites, browsers and issuer could have protected against it with a few simple security and management controls to address and quickly remediate the breach,” he added.
“Organizations are leaving an open door for attackers, and although they have added significant new security layers to their networks, none address the visibility and control problems with the trust instruments attackers are exploiting.”
Hudson highlights the fact that global companies usually have tens of thousands of keys and certificates and the majority don’t have an accurate inventory of these critical trust assets. They don’t know where they are deployed, who is using them, and they don’t have controls in place to secure them.
“Enterprises need to start by getting a handle on all of the certificates and keys deployed, determine anomalies in the environment based on established polices then quickly revoke and replace anything suspect or out of policy,” the expert noted.
“It is too early to estimate how much this current incident will cost PayPal, the compromised site, browsers or the phishing victims, however, a recent Ponemon study revealed that attacks on trust leveraging certificates and cryptographic keys will cost global organizations close to half a billion dollars over the next two years.”